Mailjet and GDPR compliance: Answers to your most frequent questions
The new General Data Protection Regulation (EU GDPR) has a direct impact on marketing practices, including email marketing. With the GDPR taking effect on 25 May 2018, all marketers affected by it need to change quickly how they seek, obtain and save consent. As a player in email marketing, Mailjet has gathered valuable information to create this GDPR toolkit for you. Let our guide help you understand, prepare for and comply with the European regulation before the due date, and even after.
Is Mailjet GDPR compliant?
We are proud to announce our complete implementation of all of the GDPR’s rigid requirements as of December 2017. As a result of our efforts, we have obtained the AFAQ certification from AFNOR Certification. See our press release for more information, and our compliance road map for the steps we took over the course of 2017.
What specific steps were taken to ensure this GDPR compliance?
Here is a snapshot of the steps that Mailjet took on its GDPR compliance journey.
How is data handled at Mailjet? Do you have an online policy?
We classified the policy into six parts:
Personal data collected
Third party data
Data retention periods
Location of data storage and transfers
We also provide specific Data Protection Agreements (DPAs) to our clients who would be the Data Controllers. You can contact us at email@example.com should you wish to obtain this DPA.
How does Mailjet handle data protection requests (for example a Data Subject Access Request (DSAR) or a Portability request)?
We respect the rights to information, to modification and to data portability, as well as the right to be forgotten, and can handle these requests quickly.
Our client or the data subject can open a support ticket through our website or send an email request to us at firstname.lastname@example.org. We respond directly to the request and will inform our clients if the request concerns them.
How do you ensure your third-party providers respect the data protection obligations?
It is important to us that all the actors involved in the data flow, including our third-party providers, respect data privacy, and we vet these providers closely.
We have contractual clauses in place with all our sub-processors to ensure that the proper technical and organisational measures are applied, along with EU Model Clauses where necessary. We also send out third-party questionnaires and include a right to audit in our contracts so that we can ensure their compliance with these obligations.
Here is a snapshot of the steps we took in our vetting process:
Making it easy for your contacts to subscribe and to unsubscribe is equally important in achieving compliance with the EU GDPR.
Does Mailjet have in place a personal data breach notification process?
We have specific data breach notification procedures in place, both for when Mailjet is a controller and for when Mailjet is a processor of the personal data, and we respect the GDPR deadlines in communicating any breach.
Does Mailjet have an incident management process in place?
If an issue is detected by Mailjet monitoring or by the other teams working on the platform, it is reported directly to the Mailjet IT team. The Incident Response Plan includes C-level action in addition to real-time messaging to define the issues and measures on the platform. Thanks to that, we can ensure a communication plan for our clients.
Mailjet reports any incidents at http://status.mailjet.com/ (email and SMS notifications are also available upon specific request). The client will be contacted if the incident has affected their data.