GDPR COMPLIANCE FAQ FOR URBAN AIRSHIP

September 20, 2017

The European Commission approved and adopted the new General Data Protection Regulation (GDPR) in 2016, and the GDPR will become enforceable on May 25, 2018. The GDPR strengthens the requirements for the protection, security and privacy of personal data in the European Union (EU) and is intended to harmonize EU data protection laws by applying a single data protection law that is binding to the member states. The GDPR will replace the existing EU Data Protection Directive, also known as Directive 95/46/EC, as well as all local laws relating to it.

Urban Airship welcomes the GDPR as an opportunity to reaffirm our commitment to the privacy and security of our customer’s data. As part of that commitment, we confirm that the Urban Airship Digital Growth Platform (Service) will comply with the GDPR when it becomes enforceable on May 25, 2018.

Compliance with the GDPR relies on a partnership between Urban Airship and our customers in their use of the Urban Airship Digital Growth Platform.  In order to provide transparency to our customers, this document provides relevant information regarding how Urban Airship will comply with the GDPR as a data processor.

Who and what does the GDPR apply to?

The GDPR applies to all organizations operating in the EU and processing “personal data” of EU residents. The definition of "personal data" under the GDPR covers any information relating to an identified or identifiable natural person; where identifiable natural person is one who can be identified, direct or indirectly, in particular by reference to an identifier such as name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What personal data does Urban Airship process as part of the Service?

Urban Airship processes anonymous data and pseudonymous data by default as the result of our customers’ use of the Urban Airship Digital Growth Platform.  A current list of data collected in the default settings of the Urban Airship Digital Growth Platform is available to customers upon request.  Anonymous data is not “personal data” and falls outside the scope of the GDPR. 

Customers have the option to configure and use their account on the Urban Airship Digital Growth Platform to process personal data, such as names, location data, email addresses and other online identifiers and related analytics data.  Urban Airship processes personal data via the Urban Airship Digital Growth Platform only as instructed by customers based on each customer’s configuration, access and use of the Urban Airship Digital Growth Platform, or otherwise as instructed in writing.

Urban Airship prohibits processing any sensitive personal data or “special classes of data” as defined in the GDPR as well as any individual financial data, credit or debit card numbers, government issued identification numbers, or data relating to criminal history.  

Where is data held and accessed from? What protections are in place to ensure that transfers out of the EEA to the US are adequate from an EU data protection perspective?

The Urban Airship Digital Growth Platform is operated from and the data is stored in cloud data centres located in the United States.  For transfers of personal data out of the EEA to the US, Urban Airship enters into the Urban Airship Data Processing Addendum which incorporates the EU Standard Contractual Clauses. 

What security protections are in place over the data?

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Urban Airship shall maintain appropriate technical and organizational measures for the Urban Airship Digital Growth Platform to ensure a level of security appropriate to that risk, including these Security Measures.

Does Urban Airship use subcontractors for Urban Airship Digital Growth Platform?

Urban Airship uses sub-processors for certain aspects of the operation of the Urban Airship Digital Growth Platform.  Prior to onboarding subprocessors, Urban Airship conducts an audit of the security and privacy practices of each subprocessor to ensure such subprocessor provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Subprocessors are re-authorized upon contract renewal or on an annual basis. The Security Measures document provides a current list of subprocessors. 

How will Urban Airship help if a data subject wants to exercise any of its rights in relation to personal data?

Urban Airship is committed to provide all necessary co-operation and assistance under the GDPR to our customers, as data controllers, to respond appropriately to data subjects exercising their rights in relation to their personal data, including:

  • Right to be told about how their personal data will be processed
  • Right of access to and correction of personal data
  • Right of data portability
  • Right to be forgotten
  • Right to object to processing of personal data for certain purposes

How does Urban Airship meet obligations around "privacy by design" and "privacy by default"?

Urban Airship’s privacy by design committee meets on a regular basis to review, discuss and implement privacy principles in the design and development of the features, functionalities and operations of the Urban Airship Digital Growth Platform.  Urban Airship’s privacy by design committee includes manager level employees from Urban Airship’s R&D, product, engineering and operations organizations together with Urban Airship’s privacy and security teams, and has executive level support.

How does Urban Airship help meet data minimisation requirements?

At default settings, the Urban Airship Digital Growth Platform processes anonymous data, such as time-zone, browser version and type, SDK version; and pseudonymous data, including tokenized ID specific to each separate installation of customer’s mobile application.  In addition, Urban Airship supports processing of anonymous data triggered by activity or tags, and pseudonymous data such as hashed IDs that may tie back to additional personal data in customer’s systems.  A current list of data collected in the default settings of the Urban Airship Digital Growth Platform is available to customers upon request.  Processing of any additional data by Urban Airship is controlled by customers and is automated pursuant to each customer’s configuration and use of the Urban Airship Digital Growth Platform.

Urban Airship also supports an analytics opt-out feature from the Urban Airship SDK. For customers that implement such an opt-out feature, analytics data from data subjects that select such an opt-out are not sent to Urban Airship.

Does Urban Airship use metadata?

Urban Airship aggregates anonymous usage data derived from our customers’ use of the Urban Airship Digital Growth Platform for Urban Airship’s own business purposes such as providing operational support and planning, R&D, and sales and marketing of Urban Airship’s services.  Such usage data does not include any personal data.

Is a Privacy Impact Assessment required for use of the Urban Airship Digital Growth Platform?

Under the GDPR, Privacy Impact Assessments are needed where personal data processing, particularly processing using new technologies, would likely result in high risk to the rights and freedoms of data subjects. As Urban Airship prohibits processing via the Urban Airship Digital Growth Platform any sensitive personal data or “special classes of data” as defined in the GDPR as well as any individual financial data, credit or debit card numbers, government issued identification numbers, or data relating to criminal history, use of the Urban Airship Digital Growth Platform would not likely result in high risk to the rights and freedoms of data subjects.

As a data processor, Urban Airship relies on our customers’ decision on whether to conduct a Privacy Impact Assessment for their current and intended use of the Urban Airship Digital Growth Platform, and Urban Airship commits to supporting our customers in that process.

How long is data held for?

Urban Airship holds data for our customers during the term of the contract as described in the Urban Airship Data Retention Schedule. For data not listed on that schedule, Urban Airship holds the data during the term of the contract, including any renewals.  After 90 days from any termination of the contract, Urban Airship will delete all customer data in the production systems of the Urban Airship Digital Growth Platform. 

Is consent needed to send notifications using the Urban Airship Digital Growth Platform?

The Urban Airship Digital Growth Platform supports opt-in consents for mobile application push notifications and web notifications.  Each customer must implement its use of the Urban Airship Digital Growth Platform with the legally appropriate level of consent enabled to ensure that customer has obtained the required consent from each data subject