The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation became effective and enforceable on the 25th May 2018.
We are glad to report that we achieved compliance with the GDPR prior to the effective date of the regulation, and we are committed to stay GDPR compliant.
What is SessionLab doing about GDPR?
Below you can find a list of the main activities we worked on to achieve compliance before the GDPR regulations came into effect:
- Implemented regular internal data handling audit process
- Reviewed and improved internal policies related to handling user data
- Moved data centers to European territory - all user created content is stored within the territory of the European Union
- Implemented a unified email preferences center for all communication we send to customers
- Improved our data erasure policies to fulfill data deletion requests
- Reviewed all our vendors, obtained Data Protection Agreements and implemented an annual review process to ensure we work with GDPR compliant parties
- Implemented functionality to record consent provided by users
Do you provide a Data Processing Agreement?
As per the GDPR regulation, SessionLab is a Data Controller in relation to the data you create in the application, since SessionLab is not designed with the purpose to process personal data. I.e. we store information about your session plans, but there is no personal information processing functionality (e.g. to handle a list of your contacts), so we only store your own personal data that you input in the application, such as your own email address.
However, whenever we share your own personal data with our service providers (for sending emails, storing data, analytics and reporting), we make sure that we only work with audited and compliant Data Processors as third-party services.
SessionLab as the Data Controller
There are primarily two type of data we collect and process:
- Your own profile information (such as name, email address, profile picture, IP address, browser and device information)
- The content you create in the application (such as the sessions, library blocks you create and the files you upload)
Your own profile information
SessionLab acts as the data controller for the personal data we collect about you, the user of our website and web application. We collect and process your data with the following legal bases:
- First and foremost, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).
- Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)) — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.
- Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f).
What are these legitimate interests we talk about?
- Improving the app to help you reach new levels of productivity.
- Making sure that your data and SessionLab’s systems are safe and secure.
- Responsible marketing of our product and its features.
Whenever the three legal bases listed above do not justify us collecting and processing your personal data, we ask your consent as appropriate. For example, we may send you additional content digest emails or newsletters with your consent. If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time.
Your responsibility for notifying your customers
By design, SessionLab is not intended to be used to host personal data in the sessions you create, as there is no designated feature that serves as an input area for information that may be considered as personal data.
In case you still decide to upload or input data in your sessions that qualify as personal data, you are responsible for providing notice to your customers concerning the purpose for which you collect their personal data and that this personal data is processed in our service as part of your content.