The GDPR, or General Data Protection Regulation, is a European privacy law that took effect on May 25, 2018. The GDPR governs how individuals and businesses collect, use, and store personal data, and it affects Zenfolio and the sites that operate on our platform. References to the GDPR in this guide also cover the UK GDPR, the version of the regulation retained in UK law after the United Kingdom left the EU.
This guide covers what you should know as a Zenfolio user if you have visitors or clients from the European Economic Area (EEA), the United Kingdom, or Switzerland. On their first visit to a Zenfolio website, visitors can use the Cookie Policy pop-up to choose which cookies Zenfolio will set. Visitors can remove Zenfolio cookies at any time by clearing cookies and site data in their browser (clearing the browser cache alone does not remove cookies).
Note: This guide is provided for informational purposes only and should not be considered or relied upon as legal advice. Under our Terms of Service, Zenfolio does not provide legal advice or recommendations for your site or business.
Who is affected by the General Data Protection Regulation (GDPR)?
While the GDPR is an EU/UK regulation, it also applies to organizations in other countries that provide services to EU/UK residents. As a result, it affects:
- Organizations based in the EU, the UK, and Switzerland.
- Organizations outside the EU, the UK, and Switzerland that offer goods or services to, or monitor the behaviour of, individuals in the EU, the UK, or Switzerland.
Given the worldwide nature of the Internet, if you use Zenfolio products you should assess your practices to see whether you fall within the GDPR's scope.
What’s considered personal data?
Personal data, as defined by the GDPR, is any information that can be used to identify a living person, directly or indirectly, either alone or in combination with other information. This broad definition covers traditional identifiers such as names, dates of birth, physical addresses, and email addresses, as well as location data, biometric data, financial data, online identifiers such as IP addresses and cookie IDs, and other types of data.
For more information on what counts as personal data in the EU and the United Kingdom, consult the guidance published by the European Commission, the Data Protection Commission of Ireland, and the UK Information Commissioner's Office.
What did Zenfolio do to prepare for the GDPR?
In the months leading up to May 2018, we worked across the organization to prepare for the GDPR. This included a review of how we store and use data about and for our customers.
In particular:
- We updated our Terms of Service and Privacy Policy to make our data usage and treatment more transparent.
- We published a Data Processing Addendum (DPA) that sets out how we process data on your behalf.
- Vendors who process personal data on our behalf have signed appropriate data processing agreements.
- We updated our processes to accommodate the data subject rights introduced by the GDPR.
Is it necessary for me to sign a DPA with Zenfolio?
When you signed up for Zenfolio, you agreed to our Terms of Service, which included our DPA. You don't need to request or sign any more paperwork. Review our Privacy Policy and DPA.
Cookies and similar technologies
A cookie is a small text file that a website stores on your computer or mobile device (referred to in the legislation as "terminal equipment"). Websites can use cookies and similar technologies to, for example:
- Recognize returning visitors
- Allow the website to work properly
- Personalize content and enable online behavioural advertising
Pixels, tags, local storage, and device fingerprinting are all examples of similar technology.
At the moment, cookie rules in the EU are set by the ePrivacy Directive, implemented through each member state's national law; in the UK the equivalent rules are the Privacy and Electronic Communications Regulations (PECR). These rules require website owners to take specific steps before placing non-essential cookies on users' devices. A website that sets non-essential cookies must, at a minimum:
- Provide clear and complete information about the cookies the website uses.
- Make sure that information is prominently displayed so that visitors can readily find it.
- Obtain the visitor's consent before setting non-essential cookies.
The GDPR raised the standard for visitor consent. Before the GDPR, many websites relied on implied consent, treating continued browsing as sufficient consent to set non-essential cookies. Consent must now be unambiguous: the visitor must agree to non-essential cookies through a clear affirmative action, so pre-ticked boxes, scrolling, or simply continuing to browse do not count. Non-essential cookies must not be set until that consent has been given, and the visitor must be able to review and withdraw their cookie choices on the website as easily as they gave them. Strictly necessary cookies, such as those that keep a visitor logged in or hold a shopping cart, do not require consent.
For more information about cookies and similar technologies, see the UK Information Commissioner's Office's detailed guidance on cookies and similar technologies.
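As an added illustration (this is not Zenfolio's code and is not part of the original guide), the following JavaScript shows how a site can gate non-essential cookies on affirmative consent: nothing loads until the visitor has answered the banner, every category defaults to declined, a decision recorded under an older version of the cookie policy is discarded so the visitor is asked again, and withdrawal removes the record and expires the cookies the revoked categories set. The storage key, policy version, category names, and cookie names (_ga, _gid, _fbp) are assumptions made for the example; storage is injected so the same logic runs against localStorage in a browser or an in-memory map in Node.

```javascript
// Consent gate for non-essential cookies (added example; not Zenfolio code).
// Storage is injected so the same logic runs in a browser (wrap localStorage)
// and in Node. Key, version, categories and cookie names are assumptions.

const CONSENT_KEY = "cookie_consent";            // assumed storage key
const POLICY_VERSION = 2;                        // bump when the cookie policy changes
const CATEGORIES = ["analytics", "marketing"];   // assumed non-essential categories
const COOKIES_BY_CATEGORY = {                    // assumed cookie names per category
  analytics: ["_ga", "_gid"],
  marketing: ["_fbp"],
};

// In-memory store with the same get/set/remove shape as a localStorage wrapper.
function memoryStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    remove: (k) => { m.delete(k); },
  };
}

// Browser adapter: localStorageStore(window.localStorage). Not used in Node.
function localStorageStore(ls) {
  return { get: (k) => ls.getItem(k), set: (k, v) => ls.setItem(k, v), remove: (k) => ls.removeItem(k) };
}

// Returns the stored consent record, or null when there is none, it is
// malformed, or it predates the current policy version. null means
// "show the banner again"; it is never treated as "yes".
function readConsent(store) {
  const raw = store.get(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || rec.version !== POLICY_VERSION || !rec.categories) return null;
  for (const c of CATEGORIES) {
    if (typeof rec.categories[c] !== "boolean") return null;
  }
  return rec;
}

// Records a decision. Only an explicit boolean true counts as consent; an
// unspecified category or a value such as "on" is stored as declined, so the
// banner cannot pre-tick anything and silence is never consent.
function recordConsent(store, choices) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  const rec = { version: POLICY_VERSION, timestamp: new Date().toISOString(), categories };
  store.set(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Runs only the loaders (e.g. a function that injects the analytics script
// tag) whose category has affirmative consent. With no record nothing runs.
function loadNonEssential(consent, loaders) {
  const loaded = [];
  if (!consent) return loaded;
  for (const c of CATEGORIES) {
    if (consent.categories[c] === true && typeof loaders[c] === "function") {
      loaders[c]();
      loaded.push(c);
    }
  }
  return loaded;
}

// Builds a document.cookie assignment that expires a cookie immediately.
function expireCookie(name, domain) {
  return `${name}=; Max-Age=0; Path=/; Domain=${domain}; SameSite=Lax`;
}

// Withdrawal must be as easy as consent: drop the record and return the
// expiry strings for every cookie the previously consented categories set.
// In a browser, assign each returned string to document.cookie.
function withdrawConsent(store, domain) {
  const prior = readConsent(store);
  store.remove(CONSENT_KEY);
  const expiries = [];
  if (!prior) return expiries;
  for (const c of CATEGORIES) {
    if (prior.categories[c] === true) {
      for (const name of COOKIES_BY_CATEGORY[c]) expiries.push(expireCookie(name, domain));
    }
  }
  return expiries;
}

// Walk-through on constructed input: first visit, banner answered, withdrawal.
function demo() {
  const store = memoryStore();
  const noop = () => {};
  const firstVisit = loadNonEssential(readConsent(store), { analytics: noop, marketing: noop });
  recordConsent(store, { analytics: true, marketing: "on" }); // "on" is not consent
  const afterBanner = loadNonEssential(readConsent(store), { analytics: noop, marketing: noop });
  const expiries = withdrawConsent(store, "example.com");
  return { firstVisit, afterBanner, expiries, afterWithdrawal: readConsent(store) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice that matters is the shape of the failure modes: a missing, corrupt, or outdated record always resolves to "ask again", never to "assume consent", and the loader for a third-party script is only ever invoked from loadNonEssential, so there is no code path that sets a non-essential cookie before the banner has been answered.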
How do I get rid of my personal information from Zenfolio?
Contact us at support@zenfolio.com to request that we remove data from our system, either your own or visitor/customer data that we hold on your behalf.
Using Zenfolio with third-party services
The GDPR affects not only how Zenfolio products handle personal data but also how third-party services handle data on your behalf. Zenfolio products can be connected to third-party services through built-in connections, as well as through other methods of connecting new services, such as:
Third-party services typically accept data from your site, BookMe, or other Zenfolio products, or embed content into them, with Zenfolio acting as a pass-through for the data or displaying the content. These services may have different terms of service, privacy policies, and other policies than we do. It's critical to read the policies of any services connected to your Zenfolio products carefully.
How does Zenfolio send customer and visitor information outside of the European Union?
The GDPR requires specific safeguards when personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to "third countries", which include the United States. We are committed to protecting personal data from the EEA, the UK, and Switzerland (as well as personal data from other parts of the world) in a secure and privacy-first manner, and to processing it in accordance with the European Commission's Standard Contractual Clauses.
European Commission Standard Contractual Clauses
For transfers of personal data to third countries, including the United States, we rely on Standard Contractual Clauses (also known as Model Clauses).
On June 4, 2021, the European Commission adopted new Standard Contractual Clauses that reflect modern data processing practices, GDPR obligations, recommendations from the European Data Protection Board, and the Court of Justice of the European Union's Schrems II judgement. Accordingly, on October 27, 2021, we revised our Data Processing Addendum to incorporate the new Standard Contractual Clauses.
Privacy Shield principles
On July 16, 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield in its Schrems II judgement. The Privacy Shield Framework can no longer be used as a legal basis for transferring personal data to the United States. We nevertheless continue to follow the Privacy Shield principles as an additional safeguard.
Other transfer requirements
Articles 45 to 50 of the GDPR set out the conditions under which personal data may lawfully be transferred to third countries or international organizations. They include:
Adequacy
If the European Commission determines that a third country, a specific sector within a third country, or an international organization ensures an adequate level of data protection, transfers to it can proceed without further authorization.
In the absence of an adequacy decision, the GDPR permits a transfer if the controller or processor has put in place "appropriate safeguards," such as:
- Binding Corporate Rules
- Approved Codes of Conduct or Approved Certification Mechanisms
- Standard Contractual Clauses
Derogations for specific situations
Derogations permit transfers in specific situations, for example where the data subject has given explicit consent after being informed of the risks, or where the transfer is:
- Necessary for the performance of a contract
- Necessary to establish, exercise, or defend legal claims
- Necessary to protect the vital interests of the data subject when they are physically or legally incapable of giving consent, or necessary for important reasons of public interest
See the European Data Protection Board's guidance for more details.
Other transfer mechanisms may also be used to maintain appropriate data protection; if we rely on other mechanisms for transfers of personal data to third countries, we will provide additional information as needed.
GDPR best practices for Zenfolio
While we cannot provide legal advice, we can offer some best practices to help you get started with GDPR compliance.
Personal data audit
Examine your website, scheduler, and other Zenfolio products for places where personal data is collected, keeping in mind the GDPR's broad definition of "personal data."
Consider the following questions:
- Do you use third-party services to collect personal data through Zenfolio products? Familiarize yourself with the privacy policies of those services.
- Do you download or export data from your Zenfolio products by other means, and where does that data end up?
- Do you combine the personal data you collect with data from other sources?
- Are you collecting data you don't need?
Where can I get more information about the GDPR?
Regulators in the EU and the United Kingdom publish guidance on the GDPR and cookies. Their documentation is available here:
- The European Data Protection Board (EDPB)
- Official EU GDPR website
- Bundesministerium des Innern (Germany)
- Commission Nationale de l’Informatique et des Libertés (France)
- Data Protection Commission (Ireland)
- Information Commissioner’s Office (UK)
- Agencia Española de Protección de Datos (Spain)
- Full text of the GDPR