Data transfer outside the EUA
Lawful Basis For Transferring Data to the US
MyPhotoApp is committed to providing a high standard of service. Data protection and privacy are important, and industry-standard measures are in place to protect the data transferred and stored on the MyPhotoApp server.
There are two clear lawful bases for continuing to provide services using MyPhotoApp:
1. Necessary For The Performance of A Contract
When you provide apps to your clients, you are covered under the Article 49 derogation "necessary for the performance of a contract".
When you supply clients with photo apps as part of the service they have paid you for, you have a contract with them.
2. Explicit Consent
Alternatively, if you prefer, you can choose to use explicit consent as your lawful basis. To do this, you should add a clause in your contract or order form to cover the use of a US-based third party service provider and the data transfer to the US when clients choose or receive a photo app as part of their package. Clients will then be providing clear evidence of their consent for the data transfer when they sign the contract or order form.
How Do I Make Sure My Business is GDPR Compliant?
If you are based in the EU or you have EU customers, you need to be aware of GDPR and the measures you need to put in place to ensure your business has a GDPR compliant Data Protection Policy. If you already have a fairly robust data protection policy, it will mean adding in some extra measures and updating your processes and information.
As a first step, I recommend downloading the easy to understand FREE GDPR checklist below to help you work out what you actually need to do to get all your ducks in a row. I found this one, provided by the UK lawyer Suzanne Dibble, really useful and it's the one I used. You can download your FREE copy of it by clicking the link below:
When you do you will also receive information about Suzanne's Facebook group which I also highly recommend and the GDPR document pack for businesses that she also sells if you want a stress free solution and can't be bothered to do the research and writing yourself. I didn't invest in this as I had already done the work by the time I discovered it, but those who did have commented that they believe it saved them a lot of stress and weeks of research and work.
There is a lot of FREE information for businesses and individuals available on the ICO (Information Commissioner's Office) website about the new measures GDPR requires from businesses who control or process Personally Identifiable Information, which of course also includes photographs.
Click here to visit the site and find out more:
Other sources of information and documentation that may help for those located primarily in the UK are:
The Federation of Small Businesses - have a FREE legal helpline for members and vast resources of legal documentation and guides for all aspects of business, including GDPR plus some GDPR webinars.
Click below to find out more about joining the FSB
There is a lot of conflicting information out there and a lot of scaremongering about the GDPR and how it makes it impossible to carry on business as usual, but it is ONLY data protection. To be honest, it's about treating people's information with respect and due care and diligence, which after all is how we all want our personally identifiable information to be treated by the businesses we deal with. So do not panic, but equally, do not ignore it!
How Do I Inform My Clients?
Here are some examples of the sort of information you could add:
How we share your information
"In order to provide outstanding products and services for our clients, YOUR BUSINESS NAME may share data about customers with carefully selected suppliers and service providers who assist us in operating our website, conducting our business and serving our clients, so long as those parties agree to keep this information confidential. Third party Service providers are only authorized to use personal information necessary to complete the services requested."
"We constantly seek to provide the best products and services we can for our clients and this may include using selected suppliers who operate outside the EUA."
Data Transfer & Storage
"Some products and services we offer, such as customized Photo Apps, may involve the transfer of personal information to service providers based outside the EU. For example, if you have selected a Photo App, you acknowledge and agree that your information will normally be received by or transferred to servers located within the United States and processed by our selected third party service provider. We only work with selected companies who provide a high level of service and have a data protection policy that is GDPR compliant."
What About Form Data?
If you are based in the EU and use Apps for your business that include contact forms, application forms or marketing sales funnels and lead magnets, you should now make sure that they meet GDPR guidelines when collecting personal information.
MyPhotoApp has lots of tools to help you make great GDPR compliant Apps:
eForm section - it's easy to add a checkbox to a form to provide a clear opt-in
Pop-up Section - allows you to easily deliver a simple privacy notice or other info and/or collect information
Hero section - allows you to provide text and a button with an image background
Welcome Section - Unlike the pop-up and hero section, this will restrict access to the rest of the app if the button is not pressed. Allows you to add a privacy notice, message, footer and collect data if wished or just provide a button to click to agree to the statement.
Document, text & markdown sections - easily add privacy notices and terms & conditions, text links and footers to your apps.
Menu & Menu+ - Add navigation to relevant documents & information.
Buttons - You can use any of the button sections to easily link to your documentation.
If you are collecting leads to add to a marketing mail list you should ensure that the form allows for a clear opt-in. This means that if you have included a tick box it should not be pre-ticked as people should make an affirmative opt-in to be added to a marketing list.
It's a good idea to add a brief privacy statement to reassure people that their data is safe with you.
Here is an example of a statement added to a portfolio model application form that also included an opt-in tick box:
This is a belt & braces approach as it's now widely accepted that the tick box is probably not actually needed as pressing the submit form button is an affirmative action.
One of the other requirements now when building mailing lists for marketing is that you must be able to demonstrate how and when people opted in to be added to a marketing email list as well as exactly what they opted in to. MyPhotoApp can help you capture this essential information for your records in several ways.
1. You can link any form you create to a MailChimp list. Even if you do not use MailChimp to send emails it's a great way to collate information. You can create a new list for each specific campaign and you then have a clear record of who signed up and what they signed up to as the list is linked to that particular lead generation campaign.
2. You will receive an email record of the form submission that you can keep as a record.
3. Form Data: You can download the CSV data from your form submissions to have a permanent record of the data. Form Data is saved on the MyPhotoApp server for 180 days and then deleted.
4. Forms and any section that has a data collection element included can now automatically be linked to the new CRM module. The source of the client entries added is the name of the App, so you can do a query using the app name to filter client records added to the Rolodex from that App. You could then export the client data as a CSV file. You can also add keywords and notes.
Here is a great resource that talks about how to make GDPR compliant emails and lead magnets:
What About Websites created with MyPhotoApp?