Legal

GDPR Information

The General Data Protection Regulation took effect on May 25, 2018. Here’s what you need to know.

Disclaimer: The contents of this web page do not constitute legal advice. This page is for informational purposes only, and we strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.

GDPR Overview

What is GDPR?

The EU General Data Protection Regulation (GDPR) is European legislation designed to increase protections around the processing of personal data of data subjects in the European Union.

When did the GDPR take effect?

The GDPR took effect on May 25, 2018.

Who does the GDPR apply to?

Subject to certain exceptions, the GDPR applies to any organization with an establishment in the European Union that is processing personal data. It also applies to any organization that processes the personal data of EU data subjects, regardless of whether the organization has a presence in the European Union or whether the processing is conducted within the European Union.

If you have a presence in the EU, or collect, store, manage, analyze, or otherwise process personal data of EU residents, including email addresses, the GDPR’s requirements may apply to you.

What did the GDPR change?

Note: This section covers many of the changes of the GDPR, but it is not intended to be exhaustive. We highly recommend seeking independent legal counsel to determine how GDPR affects your business.

The GDPR lays out a range of requirements related to consent, individual rights, and data processing. The below overview is a non-exhaustive summary of some of the significant requirements of the GDPR.

Consent

Consent, initially defined in Article 4 and further clarified under Article 7, is addressed throughout the text of the GDPR. In general, the GDPR institutes a more rigid standard of consent when compared to the Data Protection Directive, the predecessor to the GDPR.

Consent under the GDPR needs to be informed, freely-given, and affirmative. Organizations have an obligation to present information about processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12) in order to make sure any consent is “informed.” Where data processing is based on consent, organizations will need affirmative consent from individuals—and they should be able to prove that individuals have given consent.

When organizations collect personal data, they are required to divulge certain information in accordance with Article 13.

Individual Rights

Articles 12-23 discuss the individual rights covered by the GDPR. In general, the GDPR expands individual rights as they relate to personal data.

Right of access

Covered by Article 15, the right of access is the right of individuals to request information from a Controller about how their data is being used as well as a copy of the data itself.

Right to rectification

According to Article 16, individuals are allowed to contact a Controller to correct inaccurate personal data.

Right to be forgotten

According to Article 17, individuals can request that their data be erased under certain specific circumstances. These circumstances include, but are not limited to:

  • When the data no longer needs to be processed for the original reason it was collected
  • When the individual withdraws consent (if consent was the basis for processing)
  • When the data was processed unlawfully

Right to restriction of processing

According to Article 18, individuals have the right to restrict how their data is processed in certain circumstances.

Right to data portability

According to Article 20, individuals have a right to receive their personal data for the purpose of using it somewhere else.

Right to object

Article 21 states that people have the right to object to the processing of their data in certain circumstances, "unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."

Data Processing

The GDPR specifies a variety of requirements surrounding the processing of personal data. This section will explore some of the data processing requirements and provide links to relevant sections of the text of the GDPR.

Controllers and Processors

A Data Controller is the organization that determines the “purposes and means” of data processing (i.e., how personal data will be used). A Data Processor is the organization that processes personal data on behalf and on the instructions of the Controller.

In most cases, ActiveCampaign acts as a Data Processor with respect to customer contact data and ActiveCampaign customers are Data Controllers with respect to contact data. Note that it is possible for a single organization to be both a Processor and Controller.

Data processing agreements

Article 28 lays out some of the primary obligations on Data Processors, including the requirements Data Controllers should impose on Data Processors. Article 28 requires that Data Controllers have clearly documented contracts with Processors that define the scope of processing. These contracts must be “in writing, including in electronic form.” Requirements for processing contracts can be found in the remainder of Article 28.

Data protection officers

According to Article 37, some organizations will be required to appoint a data protection officer. The specific responsibilities of a data protection officer are covered in Article 39. In general, the data protection officer is responsible for compliance with the GDPR.

Transfer of personal data to third countries or international organizations

Articles 44-50 of the GDPR cover the specific requirements for transferring personal data to third parties or international organizations. The GDPR does not require that personal data of EU residents remain exclusively in the EU, but it does impose additional requirements for such transfers. In particular, transfers of EU personal data to countries that the EU does not consider to adequately protect the rights and freedoms of EU data subjects must be justified by one of several data transfer mechanisms. For more information on the data transfer mechanisms you can use with ActiveCampaign, please see the ActiveCampaign and Privacy Shield page.

Tips to prepare

Get ready to collect GDPR-friendly consent

Consent under the GDPR must be both informed and explicit. We created a guide to GDPR-friendly consent to help you understand the requirements and prepare accordingly. Learn more about explicit consent, and find suggestions for using ActiveCampaign to collect consent from new contacts, ask existing contacts to re-consent, and record and track proof of consent.

Read our guide to explicit consent.

Learn how to set up opt-in confirmation

Enabling double opt-in is a best practice that may help you comply with the affirmative consent requirements of the GDPR. When double opt-in is enabled, contacts will need to confirm their email address before receiving further communications.

You can learn how to enable double opt-in in this help center document.

Familiarize yourself with how to edit and delete contacts

Under the GDPR, contacts have the right to request correction or deletion of their data. Familiarizing yourself with how to edit and delete contact information may help you comply with such requests once the GDPR takes effect.

You can use our help docs to learn how to manage contact information and delete contacts.

Familiarize yourself with how to export contact data

The right to data portability and right of access enable contacts to request their personal data. Exporting contact data can help you comply with these requests.

You can learn how to export contact data in this help center document.

Learn how to add personal data usage statements to your opt-in forms

The GDPR requires that you tell people how you will be using their personal data when you collect it. This is part of the new affirmative consent requirements.

Although the exact statements you need to include depend on how you use the data, you can include any statements you like by using an HTML block in your ActiveCampaign forms.

Additionally, you can use custom fields to add an additional check box that indicates explicit consent. Learn how to add custom fields in this help center document.

Obtain proof of consent from existing contacts

The GDPR requires you to be able to demonstrate proof of explicit, affirmative consent from data subjects. Significantly, the regulation also applies to contacts from whom you have already collected personal data.

If you are not currently able to demonstrate proof of affirmative consent for your contacts, you may need to reach out to existing contacts to obtain consent before the GDPR takes effect.

Delete contacts and lists you no longer need

The GDPR is intended to protect the privacy of data subjects, which includes minimizing the risk that data can be misused. It may make sense to delete unsubscribed contacts and lists you no longer use, to reduce risk.

You can learn the differences between contact statuses, and how to delete contacts, in our help center documentation.

Consult a legal professional

The contents of this page are informational, and do not constitute legal advice. To fully understand the effects of the GDPR on your organization, we strongly recommend you seek counsel from a qualified legal professional.

ActiveCampaign’s Plan

What ActiveCampaign did to prepare

GDPR took effect May 25, 2018, and ActiveCampaign has made a number of updates to better align with the applicable requirements under the regulation.

We implemented both product and non-product-related updates for the GDPR. Below is the list of relevant updates we made:

Product Updates

  • (Completed) Improved site tracking to complement your website’s compliance needs.
  • (Completed) Updated our WordPress plugin with GDPR site tracking code.
  • (Completed) Integrated the ‘Accepts Marketing’ field from Shopify and BigCommerce to help you better manage marketing consent.
  • (Completed) Revised cookies and relevant notice and consent functionality for www.activecampaign.com via site updates.
  • (Completed) Improved contact deletion capabilities to comply with right to be forgotten requests.

Non-Product Updates

  • (Completed) For your GDPR preparation, we updated our Data Processing Addendum.
    • You can view the latest version of our Data Processing Addendum here.
  • (Completed) Updated our Privacy Policy to reflect GDPR-related notice.
  • (Completed) Created new education & training content that relates to how users can use ActiveCampaign to assist in their compliance with GDPR obligations.

Note: In accordance with GDPR, as our customer, you can exercise your data subject rights through this form.

While the purpose of these updates is to help our customers better understand how they can use ActiveCampaign to align their practices with GDPR requirements without sacrificing usability of the platform, we suggest that customers consult an attorney if they have any questions about how the GDPR will impact their business.

Going forward, we will develop the product with the GDPR in mind—this means an emphasis on flexibility in regards to data. We will announce GDPR-related changes on a rolling basis, so check back here or on the GDPR Overview tab for updates.

ActiveCampaign and Privacy Framework

What’s the Main Takeaway?

ActiveCampaign customers can continue to confidently use our platform in the knowledge that we have rolled out a new Data Processing Addendum (the “DPA”) to the ActiveCampaign Terms of Service that takes the invalidation of the Privacy Shield by the Court of Justice of the European Union (the “CJEU”) into account.

In addition, ActiveCampaign’s DPA now uses the new Standard Contractual Clauses (the “New SCCs”). The New SCCs are approved for international data transfers by the European Commission under the GDPR. We are pleased to also offer the new International Data Transfer Addendum issued by the UK Information Commissioner (the “UK Addendum”) to our customers who need it. Customers can access and sign ActiveCampaign’s DPA which incorporates the New SCCs and the UK Addendum by following the links within the settings of their ActiveCampaign accounts.

[NEW] On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. More details about ActiveCampaign’s response are set out below.    

What Happened to the EU-US Privacy Shield and What is the EU-US Data Privacy Framework?

On July 16, 2020, Europe’s highest court, the CJEU, invalidated the EU-US Privacy Shield as an appropriate mechanism for transferring EU personal data to the United States, which ActiveCampaign had previously been relying on.

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, which enters into force on July 11, 2023. This adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies participating in the EU-US Data Privacy Framework. The EU-US Data Privacy Framework effectively replaces the EU-US Privacy Shield.

What Steps Has ActiveCampaign Taken?

In an effort to provide customers with an alternative mechanism to transfer EU personal data to the United States, ActiveCampaign has updated its Data Processing Addendum (the “DPA”) and has made available to customers the Standard Contractual Clauses (the “SCCs”), which were generally upheld by the CJEU, for execution. We have also included some “supplemental measures” to the SCCs following the guidance provided by the CJEU opinion.

Furthermore, following the launch of the EU-US Data Privacy Framework, ActiveCampaign has certified its compliance with the EU-US Data Privacy Framework Principles (see our Privacy Policy). The European Commission’s adoption of the adequacy decision for the EU-US Data Privacy Framework means that personal data can be transferred from the EU to ActiveCampaign without any other data transfer mechanisms (such as the SCCs).

What are the New SCCs?

On June 4, 2021, the European Commission adopted a new set of SCCs for international data transfers (the “New SCCs”). The New SCCs will replace the SCCs which were adopted under the GDPR’s predecessor, the Data Protection Directive (the “Old SCCs”) and are intended to align with the new requirements in the GDPR and the CJEU’s decision, as discussed above.

EU customers who have already executed the Old SCCs with ActiveCampaign will have 18 months to migrate to the New SCCs and can accordingly continue to use the Old SCCs until December 27, 2022.

What is the UK Addendum?

On March 21, 2022, the UK’s new International Data Transfer Addendum came into force (the “UK Addendum”). This document, issued by the UK Information Commissioner, is an additional data transfer mechanism that organizations can use to provide appropriate safeguards required under the UK GDPR for personal data when it is transferred from the UK to the United States. The UK Addendum is designed to be used in conjunction with the New SCCs approved by the European Commission (see above), in other words an “add-on” to the New SCCs.

Accordingly, if the UK Addendum is required, customers must execute both the UK Addendum and the New SCCs. UK customers who have already executed the Old SCCs with ActiveCampaign will have until March 21, 2024 to switch to the UK Addendum.

How Can Customers Access the New Documents?

Customers can access and sign the updated DPA and, as applicable, the New SCCs and the UK Addendum by following the links within the settings of their ActiveCampaign accounts.

If you executed a DPA with ActiveCampaign prior to the CJEU’s decision or the adoption of the New SCCs or the UK Addendum, you can execute the new DPA which will supersede and replace the prior DPA, effective as of the date of execution, as noted in the DPA.

If your business is unaffected by the CJEU’s determination, or if you do not need a DPA, the New SCCs or the UK Addendum, then you do not need to take additional action.

If you are a current or prospective customer and wish to review the terms of the DPA, the New SCCs or the UK Addendum, you can view templates of each document here: DPA, New SCCs and UK Addendum.

Please note, if you are an ActiveCampaign reseller, affiliate, or agency partner, please contact ActiveCampaign support for a partner-specific DPA.

Legal Disclaimer Language

ActiveCampaign’s services are used by thousands of customers, in hundreds of industries all over the world, and we recognize that each customer’s legal considerations will be unique. As a result, only your lawyer can provide tailored legal advice to you, and if you require special interpretation of these regulatory changes for your own business, we recommend that you consult with your legal counsel. Similarly, we are not in a position to know whether the DPA, SCCs and UK Addendum will meet your specific legal requirements, but we encourage you to discuss the form documents with your legal counsel. Please note that this page contains legal and regulatory information, but it is not legal advice.
