Iterable is committed to partnering with customers and users to help them understand and meet the General Data Protection Regulation (GDPR) requirements.
The GDPR is a European Union (EU) law on data privacy protection that supersedes the 1995 EU Data Protection Directive. At its core, the GDPR aims to strengthen the security and protection of Personal Data in the EU.
The GDPR defines and applies to two types of entities: a Data Controller and Data Processor. A Data Controller is an organization that determines the purpose and means of processing Personal Data. A Data Processor is an organization that processes Personal Data on behalf of the Data Controller.
Customers of the Iterable services are the Data Controller and Iterable is the Data Processor. In line with the GDPR requirements, Iterable will process EU Personal Data at the direction of its customers, ensuring appropriate technical and organizational measures to safeguard EU Personal Data. Iterable is also a Data Controller, as it may collect EU Personal Data from the Iterable website or through our marketing programs for its own business purposes.
Iterable allows customers to create omni-channel relevance at scale by leveraging customer data for personalization. Personal Data such as user (Data Subject) behaviors and preferences are used by the customer to send messages across email, SMS, rich push, in-app messaging, web push, direct mail and social media through the Iterable platform.
Customers utilize Iterable services to deliver seamless, personalized experiences that drive engagement and Data Subject development. Under the GDPR requirements, customers may only make use of EU Personal Data for the explicit purpose and length of time to which the Data Subject consents. By receiving the required consent, customers will be able to leverage Iterable’s dynamic segmentation and workflows to create highly relevant experiences by diving deeper into preferences and values throughout the Data Subject lifecycle.
How does Iterable assist customers with Data Subject requests for rectification, erasure, or access to EU Personal Data?
Iterable understands the importance of Data Subject control over EU Personal Data, and is committed to providing customers with assistance in responding to Data Subject requests. Through the use of Iterable, customers are provided the necessary API calls to accommodate Data Subject requests for rectification, erasure, or exportation of EU Personal Data. A full overview of Iterable’s API functionality can be found at Iterable’s Support Center.
Can customers utilize Iterable to track Data Subject explicit consent and withdrawal?
As Data Controllers, customers will determine the audience and content of personalized messages. Iterable’s segmentation tool gives customers the ability to segment across all EU Data Subjects and create dynamic or suppression lists. These lists will not only accommodate EU Data Subject requests under the GDPR, but also deliver highly relevant marketing messages. To learn more about Iterable’s segmentation tool, visit Iterable’s Support Center.
How does Iterable safeguard Personal Data?
Iterable maintains appropriate technical and organizational measures to protect the security, confidentiality, and integrity of EU Personal Data. In line with the GDPR requirements, Iterable regularly monitors these measures. For more information regarding Iterable’s safeguards, visit the Security and Compliance Overview.
Safeguarding Personal Data outside of the EU
To comply with EU data protection laws around international data transfer mechanisms, we adhere to the EU-U.S. Privacy Shield principles of notice, choice, onward transfer, security, data integrity, access, and enforcement for any Personal Data submitted to Iterable in participating European countries through the services. This framework was developed to establish a way for companies to comply with data protection requirements when transferring Personal Data from the EU to the United States.
In addition, we offer European Union Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the EU.
Iterable may utilize third-party service providers (sub-processors) for program delivery to customers. As such, Iterable regularly conducts due diligence on each sub-processor to ensure their Personal Data protection processes meet the requirements of the GDPR. A full list of Iterable’s third-party service providers can be found on Iterable’s Sub-Processors page.
Fulfilling our privacy and data security commitments is important to us. Iterable will help customers and users stay informed of any and all changes to the GDPR. This page will be revised to reflect any revisions as they become available.
For questions or concerns related to the GDPR, please reach out to firstname.lastname@example.org.