Everything you need to know about FunnelBud and GDPR
Note: In October 2022, the US enacted legal changes that in December allowed the European Commission to move forward with a resolution that will allow EU companies to store data in the US without violating GDPR. Read more about it here: https://ec.europa.eu/commission/presscorner/detail/sv/ip_22_7631
Disclaimer: This does not constitute legal advice; it is simply our own and our lawyers' interpretation of what GDPR means for FunnelBud customers.
Questions related to your agreement or cooperation with FunnelBud
Where does the FunnelBud Marketing and CRM software store data?
We store data on Amazon servers in the US. The US is considered a "third country" since the Privacy Shield no longer applies, and according to GDPR regulations, in order to store the data of EU citizens in a third country, so-called "SCCs" (Standard Contractual Clauses) need to be signed, in which the parties agree to follow standards equivalent to those set in the GDPR regulation.
The GDPR law does not state that you are prohibited from storing data in third countries, only that in order to do so, you need to sign and adhere to the SCCs, which we do with our customers.
Note: FunnelBud also provides another powerful Marketing Automation-platform hosted in the EU (no data ever leaves the EU). Please read more about FunnelBud Flex if that is of interest.
What should I do if I want to have a full EU-hosted marketing automation software?
Many of our customers have migrated to the fully EU-hosted, powerful marketing automation software FunnelBud Flex, and are satisfied with the results. FunnelBud handles 100% of the migration and sets everything up for you in a painless way. The system has capabilities matching your current software, and some additional ones. It is based on the popular Open Source software Mautic, used by over 200,000 organizations worldwide, including large banks and financial institutes due to its strong functionality, security, extendability, and data security/ownership.
Please book a meeting to learn more about it.
Are we allowed to work with you if you or your sub processors store data outside of the EU?
Yes. This is allowed if our agreement with you permits it, as long as any subprocessors we may use follow GDPR standards. This is the case if we have the EU’s so-called “Standard Contractual Clauses” (SCCs) in our agreements with our subprocessors.
SharpSpring stores its data in the US, and therefore complies with GDPR requirements by signing Standard Contractual Clauses with its EU-based customers. Please read more on FunnelBud’s GDPR help article.
(Note for FunnelBud Flex customers: FunnelBud Flex doesn't store any data outside EU.)
Are SCCs sufficient to be able to store data in the US?
Per the Schrems II judgement, while the Privacy Shield is no longer valid, SCCs still are, and they are not affected by the decision.
By signing and adhering to SCCs, the protection data subjects enjoy is on par with the requirements of the GDPR, and thus you can use SCCs as a basis for transferring and storing data in the U.S.
Read our full analysis here: Are SCCs enough for you to transfer data to US with FunnelBud?
(Note for FunnelBud Go customers: FunnelBud Go doesn't store any data outside EU.)
Are US-based support personnel supporting FunnelBud allowed to access EU data?
Yes, if we and our sub processors follow GDPR rules for how data should be processed.
How do you ensure an adequate level of security for the data that is stored or transported?
Data is transported in encrypted form. It is then stored on secure Amazon servers, in line with the information security standards Amazon applies to its customers' data storage. For details on information security, please read our Information Security page.
Pseudonymisation as a means of increasing data security is not applicable for a Marketing Automation software vendor who needs to provide support to their customers, because the data needs to be accessible in order for the support function to be able to support the customers.
In addition, pseudonymisation is not relevant in the context of hiding data subjects' identities from a processor for GDPR purposes if it is the processor itself who pseudonymises the data, because then the data processor has already processed the data in non-pseudonymised format, and they hold the keys to identify the data subjects. Pseudonymisation can only be effective for this purpose if the data is pseudonymised before it is sent to the data processor.
Please read more about pseudonymization and GDPR here: European Union Agency for Cybersecurity Recommendations
Note: Based on discussions with lawyers from our Government-sector customers, we have been informed that it is not the location nor the method of the storage that is important, but whether the company is owned by an American entity. As long as a company is owned by an American entity, the American government can conceivably request the data, regardless of how or where the data is stored or which security standards apply. This is the reason for the invalidation of Privacy Shield in 2020, and why SCCs became the standard method for storing data in the US. However, even with SCCs in place, the American government can request the data, and there is no way to stop this unless the company is not governed by US laws. This makes almost all popular Marketing Automation software on the market non-compliant. If this is a concern for you, please discuss with us switching to our FunnelBud Flex Marketing Automation software, which has the same power and ease of use as SharpSpring, but is fully hosted in the EU. Contact your project manager to learn more about it.
Is it enough that we sign an agreement with you or do we need to sign also with your sub processors?
Since you are buying the software from us, it is enough that you sign with us, as long as our agreement covers the circumstances under which we can sign agreements with our sub-processors.
When a contact is deleted in FunnelBud, is it according to GDPR regulations?
Yes, once a contact is deleted from FunnelBud no personally identifiable information remains.
Questions related to GDPR best practices
What do I need to do with my forms?
According to our interpretation (see "In which circumstances can we collect data for marketing purposes?"), a simple form notice is enough to fulfil GDPR requirements.
Our understanding is that you don't need explicit opt-in tickboxes (see the reasoning in the above link). But you can add them if you want to (see the next section for screenshots of that).
Below are example form notice texts you can put under each of your forms (ask FunnelBud for help to do that).
LONG VERSION (English): “By clicking on the link you agree to receive emails from us with tips, advice, event invitations and promotions that can help you get more value from your [SOLUTION] solutions. You can withdraw your consent at any time by clicking the unsubscribe link at the bottom of every email. Read more about our GDPR policy here.”
LONG VERSION (Swedish): “Genom att klicka på länken samtycker du till att ta emot mailutskick från oss; med tips, råd, inbjudningar till evenemang och erbjudanden som kan hjälpa dig få mer värde från era lösningar. Du kan när som helst ta tillbaka ditt samtycke genom att klicka på den länk som finns i ditt mailutskick. Läs mer om vår GDPR-policy här.”
SHORT VERSION (English): “By filling out the form, I agree to receive emails with tips, invitations, and promotions that can help me get more value from my [SOLUTION] solutions. Read more about our GDPR policy here.”
SHORT VERSION (Swedish): “Ja, genom att fylla i formuläret samtycker jag till att ta emot mailutskick med tips, inbjudningar och erbjudanden som kan hjälpa mig att få mer värde ur era lösningar. Läs vår GDPR-policy här.”
In which circumstances can we collect data for marketing and sales purposes?
To simplify, as a FunnelBud user, these are the bases:
1) if the subject has given consent
2) if the subject is someone whose data you need to fulfil your contract with them
3) if the collection of the data is in our “legitimate interests”.
For the last point, what counts as a “legitimate interest” is a bit complicated, but in essence: the subject can reasonably expect that their data will be collected for the purpose of direct marketing.
To read what the law actually says about what constitutes a legal basis for collecting data, read the details here: In which circumstances can we collect data for marketing purposes?