IPnoid GDPR Data Processing Addendum
The GDPR Data Processing Addendum ("DPA") is an essential component of the following documents:
- Terms of Service - https://www.ipnoid.com/tos.htm
In this context, EU Data Protection Legislation encompasses the following European Directives and Regulations:
a. Directive 95/46/EC adopted in 1995
b. Directive 2009/136/EC (amending 2002/58/EC directive) as of 25 November 2009
c. General Data Protection Regulation (Regulation (EU) 2016/279)) as of 27 April 2016, repealing Directive 95/46/EC
If a IPnoid Customer is not a party to a service order or master agreement as per the data processor TOS, this DPA is invalid and not legally binding. The Customer (data controller) must always adhere to Data Protection Legislation concerning personal data provided to IPnoid under the Agreement. Data processing persists until the Customer's SaaS services agreement term expires or is terminated due to a TOS violation.
Document Definitions and Terminology
Data Controller (Customer) - an individual or company utilizing IPnoid data processor service
Data Processor - IPnoid, SaaS (software as a data processor service)
Data Subject (natural person) - an individual whose sensitive data is acquired and processed by a data controller and data processor
Personal Data / Sensitive Data - information related to an identified or identifiable natural person. An identifiable natural person can be identified by name, ID number, precise location data, online identifier, or other specific factors.
Pseudonymous Data (as defined by GDPR) - pseudonymization masks personally identifiable information within data records to prevent re-identification without additional information.
General Data Protection Regulation (GDPR)
GDPR replaces Data Protection 95/46/EC Directive and impacts all businesses/individuals worldwide collecting personal data of European Union residents. It empowers individuals to control their data and ensures adequate protection in data transfers by US companies.
GDPR applies to both data controllers (e.g., companies) and data processors (e.g., cloud software vendors).
GDPR and IPnoid Customer (Data Controller)
As a data processor, IPnoid has adjusted its data processing policy and SaaS implementation to enable data controllers to comply with GDPR directives. IPnoid is GDPR compliant only when configured accordingly, ensuring no personally identifiable information is transmitted via API, URL variables, or other data transmission methods. As a data controller using IPnoid services to track a website visitor's browsing activity (data subject), you must adhere to these GDPR key points:
- Data Acquisition Consent. Visitors must be informed about data collected, its processing, and storage, and provide explicit consent. Children under 16 require parental consent. Consent should be specific, informed, and revocable.
IPnoid's data processing services offer tools for visitor tracking. If you collect sensitive data per GDPR definitions, you must obtain explicit visitor consent through GDPR-compliant methods.
a. Allow visitors to choose data collection settings.
b. Use consent forms with checkboxes or signatures.
c. Document consent clearly.
- Right of Access by the Data Subject (Art. 15 GDPR)
Data subjects can request confirmation of personal data processing and access to their data.
- Right to Erasure ('Right to Be Forgotten', Art. 17 GDPR)
Data subjects can request erasure of personal data if certain conditions apply.
- Notification of Data Breaches
Data controllers must notify data subjects within 72 hours of a personal data breach if it can be linked back to the data subject.
- Data Storage Compliance
Data controllers may not store personal data beyond its intended use. Sensitive data like names, addresses, etc., must be removed from URLs before being logged by IPnoid.
GDPR and IPnoid (Data Processor)
As a data processor, IPnoid shall or may:
- Process personal data as per data controller instructions (defined by DPA and TOS). If processing is for any other purpose, IPnoid may suspend or terminate service.
- Notify Customer if processing instructions may violate Data Protection Legislation before starting.
- Maintain security measures to protect data against unauthorized access, destruction, or disclosure.
- Provide employee training on data security and policies.
- Assist Customer with rectification, access, and erasure of personal data.
- Destroy all personal data upon service term end and customer request.
- Notify Customer of any accidental, unauthorized, or unlawful data processing, access, or loss (an "Incident").
IPnoid's Role in Data Acquisition and Processing
IPnoid as a data processor complies with Data Protection Legislation and Customer instructions. Customers can adjust service scope and data capture, affecting data processor utilization.
The default personal data variables available for capture through data processor services, as instructed by Customer, include: Browsing Navigation Data:
- Landing page with URL variables
- Referring page with URL variables
- Search engine and search result keywords
- Referring domain (excluding variables)
- Campaign URL with URL variables (UTM)
- Browser type and version
- OS type and version
- Device type
- Screen dimensions
Geo-location data is based on IP address blocks and doesn't pinpoint individual visitors but ISPs' IP ranges.
- Visit dates and times
- Visit frequency
- Pages visited and time spent on each
- IP addresses
- ISP name
- Organization name
- Network hostname
Data collected doesn't allow direct identification of individuals by default. Exceptions require legal warrants, ISP cooperation, visitor consent, or online forms for personal identification data.
Primary Changes to End-User Accounts for GDPR Compliance
- Implementation of data pseudonymization/anonymization tools to comply with GDPR:
- IP address anonymization (last octet of IPv4 and last 80 bits of IPv6 set to zeros)
- Computer ID anonymization (last two characters set to 0)
- Disabling cookies for visitor tracking across projects
- Disabling cross-domain IP tracking or using non-personal data in contact books
- Disabling widgets displaying full visitor data
- Complete tracking disablement for EU residents
- Authentication for public stats access URLs if non-anonymous stats are requested
- Tools for data management, export, and selective visitor data deletion
- Compliance with browser "Do Not Track" headers
- Opt-out page for visitor tracking
- Global SSL data access points
IPnoid may adjust these changes to maintain GDPR compliance.