JB ORION has always made security and privacy among its highest priorities. That's why we've committed not only to provide tools to facilitate your compliance with the GDPR, but to educate you on your responsibilities as a business owner. As the GDPR's scope is broad, and the potential penalties for noncompliance are large, we've ensured that our compliance tools are available to all of our customers, at no additional cost.
This page will outline some of the key GDPR principles and terms and present how they apply to your use of BONOBO. Please review this carefully and share it with your privacy team with the legal documents listed below.
Disclaimer: This guide is not and should not be considered legal advice. Please consult a legal professional for details on how the GDPR may impact your business, and what you need for compliance.
The GDPR is a unified regulation that supersedes and universalizes previous privacy laws in Europe, offering citizens and residents of the European Union (EU) greater transparency and controls over how their personal data is used by others. The GDPR requires the compliance of businesses which transact in Europe, or which facilitate transaction in Europe.
There are two key roles defined in the GDPR with respect to personal data: Controller and Processor. The Controller is the business -- you using the BONOBO service. As a customer of JB ORION, you operate as the Controller when using our software and business services. You have the responsibility for ensuring that the personal data you collect is being processed in a lawful manner pursuant to the GDPR and that you are using processors, such as BONOBO, that are committed to handling the data in a compliant manner.
BONOBO is considered a Processor of data. We act on the instructions of the Controller (you), which come in the form of requests within the JB ORION platforms or external (API) requests. Like Controllers, Processors have an obligation to explain what they do with personal data. However, as a Processor, we rely on you, the Controller of the data and our customer, to ensure that there is a lawful basis for processing any data on your behalf.
Processors may, in the performance of their service, use third-parties in the processing of personal data. These entities are known as sub-processors. For example, JB ORION leverages cloud infrastructure providers like Amazon Web Services, Rackspace, as well as other services like SendGrid or Twilio.
These documents are in effect since May 25, 2018.
Under the GDPR, in order for JB ORION or any Processor to process personal data, there must be a lawful basis for processing. There are several methods to establish a lawful basis for GDPR compliance, but most likely you will rely on one of the following mechanisms when communicating with your own attendees (and registrants):
Consent – Much of the GDPR revolves around the concept that your attendees or registrants have consented to you collecting or using (i.e. “processing”) their personal data or to receiving communications. According to the ICO, the following criteria must be met to show valid consent:
Consent must be freely given. This means giving people genuine, ongoing choice and control over how you use their data.
Consent should be obvious and generally require positive action to opt in. Consent requests must be prominent and unbundled from other terms and conditions. Consent requests should be concise, user-friendly, and easy to understand. I.e. you can’t bury your consent request, or hide it in a bunch of legal jargon.
Consent must specifically cover the data Controller’s name, the purposes of the processing, and the types of processing activity.
Explicit consent must be expressly confirmed in words, rather than by any other positive action. But in some limited cases consent can be inferred for certain purposes.
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Consent can be revoked by the person who gave it.
In short, under the GDPR (and it's a good idea in general), consent must be obtained by a “clear affirmative act”. In contrast to ‘clear affirmative acts’ pre-checked boxes are inadequate to establish consent. Implied consent can be relied on only in limited circumstances or should be tightly associated with affirmative consent.
If you are relying on consent as the lawful basis for processing data, the GDPR requires recorded evidence that consent has been given. You thus need the ability to record proper consent for each attendee, registrant, customer, and lead in your business.
Note: JB ORION cannot control what you do with registrants or attendees in an automated, API environment. When BONOBO is acting as a sub-processor, you will need to determine that your main data processor is fully compliant to ensure you are compliant with the GDPR. If your main processor is not GDPR compliant, that could be quite difficult. (i.e. using a GDPR-compliant Subprocessor to process data for a noncompliant Processor will not satisfy your compliance requirements as a Controller under the GDPR).
Contract – In addition to consent, another lawful basis for processing data is if the processing of personal data is necessary for performing obligations under a contract. Password reset, billing notifications, and onboarding communication would likely fall under this lawful basis. In other words, if your customer, lead, registrant, or attendee transacts with you and wants to receive service (such as to attend your webinar), there are certain processing tasks that must be undertaken for you (or BONOBO) to provide the service. In our case, they must be done by JB ORION to provide services to you and for us to operate lawfully and securely, and protect your privacy. Thus, to provide service to you, JB ORION has to perform certain processing.
BONOBO is committed to full transparency in the handling and processing of personal data that you control on behalf of your attendees, registrants, customers, and leads.
The User Data JB ORION collects include: Name, Email, Phone Number, Address, Country, IP, and Username (if not a user, it's automatically generated). Depending on the services you have requested, we also collect your Facebook ID, YouTube channel information, or Twilio account details. For Attendees, JB ORION collects a first name and email address, and optionally, a last name, and a mobile phone number (e.g., for SMS notifications and reminders).
JB ORION tracks multiple events throughout the webinar process: visits to the registration page, registration to the webinar event itself, engagement with notification emails (sends, opens, clicks), and attendance at both live events and in replay rooms. JB ORION also tracks attendees’ duration of stay, engagement in surveys and/or polls, and responses to calls to action or offers (offer button clicks, transactions, etc).
Data is stored and/or deleted at the Controllers' request. When a Controller ceases to be an active JB ORION customer, their accumulated data is retired to a storage cluster of servers with no front-facing access. After an arbitrary period of time, the data is deleted.
Under the GDPR, EU data subjects have certain rights regarding their data.
BONOBO offers tools to let you answer customer queries about what data you have collected through JB ORION and what's been done with it. Keep in mind, if you have collected personal data outside of JB ORION, JB ORION has no knowledge or ability to answer queries regarding such data.
Have a lead or customer who wants their personal data out of your database? No problem! You can remove that contact from any list or sequence -- or even delete them entirely. However, transactional records will remain intact for bookkeeping purposes (though personal data will be redacted (e.g. ‘blacked out’ from view).
Unless otherwise required by law, in the event that JB ORION receives any type of request from a data subject, we will engage the respective customer within seven days to respond to the data subject request.
Does the GDPR impact businesses outside of the EU?
In many cases, yes. Even businesses that are not based in the EU are considered to be subject to the GDPR if they are collecting personal data on EU residents. Enforcement of the GDPR outside of the EU will be by EU authorities and it remains to be seen how aggressive they will be. Consult your own legal counsel but it is widely accepted that companies that collect personal data from EU residents will be subject to the requirements of the GDPR.
Does the GDPR require data to be stored in the EU?
The GDPR does not require that data processing (including storage of data) be limited to the EU. The EU-US Privacy Shield is one of several valid lawful mechanisms to transfer data between the EU and the US.
Yes! It contains information on our policies and efforts to comply with all applicable regulations and to guarantee the privacy of your data. It can be found here.
Feel free to reach out to us by emailing us at email@example.com with any questions you may have.