Personalize User Content With GDPR Compliant Solution
Recombee made sure to be prepared!
How Recombee secures customer data and our GDPR compliance.
1 What is the GDPR?
The European Union has strengthened data protection safeguards regarding personal information by adopting the General Data Privacy Regulation (“GDPR”). This regulation applies to all individuals and companies that deal with such information in any way. In Recombee’s case, when providing our services, we act as a so-called processor of personal data, which means that we receive data from “data controllers” (our clients) and analyse the data on our servers using a unique algorithm.
2 Does Recombee process personal data?
Yes, however, the data we process, have been pseudonymised. Pseudonymisation is process that effectively blocks us from identifying data subjects. Any identifiable elements of the individual bits of personal information are unreadable for us. The process of pseudonymisation is done on our clients’ side, so we can never learn who, in fact, is behind the pseudonymised data. This means that the database we work with is virtually free of personal information.
3 How does Recombee comply with the GDPR?
Even though we do not process personal information, we have to comply with the GDPR in general. Although our database is pseudonymised, we have implemented safeguards and security that protect the integrity of the data subjects’ information we analyse for our clients. Our servers have both physical and software security measures that minimise the risk of unauthorised persons intercepting, deleting, reading or modifying the data we store. We also perform routine penetration tests. Our policy stands on the principle that only essential, well-selected and trained personnel are allowed to interact with the database; furthermore, those interactions are monitored and logged. When interacting with our clients, all communication is done using secure measures. We recognise that all data are precious and should be kept as confidential as possible. Our servers that contain the data we process are located in the European Union, which is considered as a secure destination.
4 Can an individual invoke his or her rights, such as the right to opt-out from being processed?
Since we don’t know whose personal information we analyse, individuals can execute their right to opt-out from processing only with the data controller (our clients).
5 Does Recombee send any information from the database to third parties?
No, the database of our clients’ information is the most important commodity we have. With our clients we typically sign a data protection agreement that specifies all rules and safeguards in order to comply with the GDPR.
6 How should I, as a controller, address my customers when I want to use Recombee’s services?
Based on your business model, you might have to obtain consent to use your clients’ personal information. Each business is very specific, so in some cases your existing consent is sufficient, in other cases you may need to them to update their consent. Some business models might fall under a different processing category (i.e. legitimate interests pursued by the controller). You may also be obliged to inform your data subjects of Recombee’s role in the data processing. If you are not sure how to resolve this matter, we suggest seeking professional legal advice.