On May 25, 2018, the European Union (the “EU”) implemented a new data privacy and protection regulation, called the General Data Protection Regulation (the “GDPR”). This new regulation aims to standardize data protection laws across the EU and also lay down standards to be observed worldwide while processing of personal data originating in the EU; The GDPR also has a strong emphasis on affording individuals stronger, more consistent rights to access and control their personal information.
At Blazeclan, we take compliance of data privacy and security regulations very seriously. For the GDPR, we are working diligently to ensure that we are compliant with the rules laid out by the law and provide product functionality and mould our services to enable us to remain compliant. In the following sections, we have outlined our approach to comply with the GDPR.
Blazeclan GDPR Compliance
Blazeclan group is a provider of cloud based services which include advisory services, cloud migration and deployment solutions, cloud native applications, data analytics and other cloud based products. Blazeclan has a global presence having its offices at Pune, Mumbai, Singapore, Malaysia, Europe, USA, Australia and Canada.
Our website is used and explored by our clients (existing and prospective), and through the same we at Blazeclan process certain amount of personal data of our clients (existing and prospective) in the capacity of a Data Controller. While providing our solutions and services we assume the role of a Data Processor for our clients, who provide us personal information for the purposes of our offerings.
We have performed a company-wide information discovery exercise to identify and assess what personal information we hold, where it comes from, how and why it is processed, and to whom it is disclosed.
Data Subject Consent
As a Data Controller, Blazeclan has updated its Privacy Policies, Cookies Policy and Disclaimer for the usage of the Cookies in as per the requirements of GDPR on its website www.blazeclan.com.
As a Data Processor, we execute contracts required under the GDPR with our clients (who are the Data Controllers) and process the personal information as per their directions and in accordance with the GDPR where applicable. Additionally, we implement technical and organizational security measures to ensure compliances.
Transfer of Data Outside EU
Blazeclan has in place an article 28 GDPR-compliant data processing addendum including the EU Model Clauses to ensure an appropriate legal basis for data transfers outside the EU.
Data Retention & Erasure
We have formulated a data retention policy and schedule to ensure that we comply with the ‘data minimization’ and ‘storage limitation’ principles and that personal information is stored, archived, and destroyed in accordance with the GDPR.
Record Keeping as per the GDPR
According to Article 30 of the GDPR, each processor and controller’s representative needs to maintain a record of all activities pertaining to the processing of personal information in such an organization. Blazeclan maintains a controller processing record as required under Article 30(1) of the GDPR as well as processor processing record as required under Article 30(2) of the GDPR.
Data Breach and Mitigation Process
The GDPR has stipulated measures and notifications that must be made upon discovery of a data security breach. Blazeclan has put in place internal measures to minimize the risk of any data security breach happening. However, in the unlikely event of any such breach happening, Blazeclan intends to honour its responsibilities as laid down under the GDPR, which includes notifying in a timely manner, its customers, and the supervisory authorities (if Blazeclan is the Data Controller).
We have a team of leaders who head our GDPR compliance initiative and ensures that the processes flow down to each individual within the organization who handles data governed by the GDPR; should you require any clarification on any aspect of Blazeclan’s compliance efforts please contact our team at email@example.com.
Blazeclan Promise on GDPR
At Blazeclan, maintaining the security, integrity, safety and confidentiality of personal data in our business is one of the highest priorities. Blazeclan has already taken adequate measures to ensure that we fulfil our promise of being fully compliant with GDPR! In case you have any queries, please feel free to reach us at firstname.lastname@example.org.
How can Blazeclan refine its EU customer/ prospect database and reduce the risk of violating the GDPR?
For refining the customer database, and on establishing contact with prospects, the following tips may be useful –
- Screening the contact details of the prospect– The contact details of the prospects should be screened against do not call registries/ do not email registries / telephone preference service etc. of the European country where such person works. For example, if person A works in the UK, his contact details should be verified against the telephone preference service of the UK. There is no single pan-European service however, each country may have a similar list for its own territory. If the prospect’s contact details are present on any such list, then such contact details should be removed from Blazeclan’s list of prospects/ contact persons of a company.
- Non-personal email ids/ phone numbers– The GDPR deals with processing of personal information. Information regarding a company is not regulated under the GDPR. Thus, sending mails to a general email id/ alias such as email@example.com or firstname.lastname@example.org would be safer. The Blazeclan executive may write to the common company email id (such as email@example.com) and ask to be directed to the person in charge of appointing service providers/ vendors or the relevant department. The Blazeclan executive may even call the company’s front desk number, state the offerings of Blazeclan, state how the services of Blazeclan may benefit the company and ask to be connected to the relevant person in the company. The measures listed in this sub-section need not be adopted if Blazeclan has received the consent of the prospect or the customer to be contacted.
- Minimal data to be collected/ retained– Only such data as is required for the activity for which the data was originally collected and consent (if any) was given should be retained, and the rest should be deleted. As stated earlier in this note, one of the principles of the GDPR is that excessive data should not be collected. Thus, where a prospect’s income or his home number might not be required, it should not be collected. We understand that Blazeclan typically only collects the name, email, contact number, job function, company name and type, for marketing activities, it is advisable that in the event any additional data is collected, the same be deleted.
- Targeted connection– A person who expects to be contacted with regard to a certain matter is less likely to object if he receives communication with regard to that matter. For example- a person in charge of appointing vendors for his company would not object to receiving mails/ calls from a vendor looking to market his offerings. Thus, for marketing purposes, Blazeclan may wish to focus on a person who works in a particular field (related to the Offerings of Blazeclan) or focus on a person who heads the department which would be interested in the Offerings of Blazeclan. LinkedIn and other sources may be used to confirm if the person being approached would be interested in the offerings of Blazeclan. Blazeclan’s communication to such person, should state how the offerings of Blazeclan can help such prospect’s business, rather than sending a general spam mail, listing all the Offerings of Blazeclan.
- Soft-push – exploring common interests– Professional interests of the prospect may be taken as a starting point to establish first contact. The first connect need not necessarily be a push for marketing. Once a connect is established, it may be worked into the conversation that Blazeclan could help in a particular way or has expertise in respect of what is being discussed. Then the person may be requested a time to be contacted. This is a preferred way since, it relies on obtaining the consent of the prospect prior to sending the marketing email or making the marketing call.
Is direct marketing possible with GDPR?
Yes it is, if there is a legal basis for processing (as stated in section 2.2) or if the prospect to be contacted fits within the description stated in section 2.2.4, and if the principles of processing listed in section 2 are adhered to. Above all, in any marketing email there should be an opt-out/ unsubscribe option.
- Unsolicited calls and emails- Compliance with GDPR aside, there is a risk in sending unsolicited marketing emails and calls since the same may be prohibited by the local laws of EU countries (based on the E-Privacy Directive). We understand that Blazeclan does send cold emails and make cold calls. It is advisable to not make any automated cold calls since local laws of almost all European countries prohibit such calls being made for marketing purposes. The local laws of a few of the EU countries allow unsolicited marketing calls to be made by a natural person provided, the prospect is allowed to opt-out of receiving such calls and provided the prospect has not registered his/ her number on a do not call registry (by whatever name) in that particular country. Our research has revealed that Article 13 of the E-Privacy Directive prohibits sending of unsolicited direct marketing by automated calling, fax or email unless: the prior consent of the prospect has been obtained; or
- the prospect is or was a customer, in which case such person may only be contacted about similar goods or services.
- The E-Privacy Directive further requires that marketing emails should disclose the identity of the sender. The emails should also have a valid address of the sender where an opt out message may be sent. Thus, all marketing emails should clearly state that they are being sent on behalf of Blazeclan and include an unsubscribe/ opt-out option and an email id where the prospect may contact Blazeclan about data privacy concerns.
- The E-Privacy Directive has been adopted by EU countries as part of their local laws and this poses an impediment to sending out unsolicited mail. Thus, from a practical stand-point, if the prospect does not respond even after a follow up call or email, the prospect’s contact details should be deleted at the earliest.
Can Blazeclan still market its Offerings to its existing customers in the EU?
Yes, provided the Offerings being marketed are related/ similar to the ones provided to the customer in the past AND the customer has at no point in time, unsubscribed or stated that he/ she does not wish to receive such mails.
Should Blazeclan acquire leads/ contacts details of prospects from third-party vendors?
We understand that Blazeclan uses lead generation tools and may purchase lists of leads/ prospects from third party vendors. It is not advisable to use third-party vendors for contact lists/ leads (for prospects in the EU), since these lists cannot always be trusted for a number of reasons; some of the reasons are listed here-
- it is often unclear from where the contacts have been sourced. With sources such as LinkedIn, the prospect (a Data Subject) himself/ herself posts contact details publicly, however it is often unclear from where the lead generation tool/ third party vendors obtain their information;
- it is often unclear if the Data Subject had consented to the collection of his contact details at all. If a tool is used to guess the email id/ contact details of a prospect, such tools should be avoided;
- even if the Data Subject had provided his or her consent to an entity for processing his or her personal data, that consent may have been specific to that entity or for that particular purpose. For example- If person A has a private email id or a private number, he/ she might have provided it to a local restaurant to be contacted about a dinner reservation; Person A would not expect to be contacted on that number or email id about marketing of facility management services or software development services, and would certainly object to receiving the same. At the same time, the marketing effort would have gone to waste.
In case of purchase of contact lists from third parties, it is advisable to have contractual clauses in place, whereby the third party-
- Warrants that it has legitimately acquired the contact details;
- Warrants that the contact details may be used for marketing the Offerings of Blazeclan in EU;
- Indemnifies Blazeclan, in case Blazeclan faces any adverse consequences from using the contact details.
- EU residents who put their information up on company websites/ blogs/ articles etc. or LinkedIn may expect to be contacted about a range of issues. It would be better to source the contact details from the aforementioned sources (where the prospect has himself/ herself put up the contact details) rather than collecting the contact details from third party vendors.
Should Blazeclan rely on contacts collected using Lead Retrieval Devices in light of the GDPR?
Occasionally, at trade conferences, lead retrieval devices are provided by organizers of the conferences. When it comes to accessing personal data from lead retrieval devices provided by organizers of conferences and events, it can be difficult to understand and be certain for what purpose the Data Subject has provided his details. The standard exchange of business cards at an event such as a conference can be considered an implicit consent to hear from the person with whom the business card has been exchanged (unless the business card was dropped in a bowl to enter into a contest of some sort). On the other hand, contacts collected from a lead generation device can be ambiguous in terms of the intent with which the Data Subject may have provided his contact details. Thus, where possible greater reliance must be placed on business cards collected from a person while informing him/ her about your company/ Offerings or if they visit your booth at a conference.
- The above observations are based on facts and records provided to us and representations given by the client. Further, the observations are based on our understanding of facts and the legal position prevailing as on the date of issue of note. Accordingly, our observations will vary in case of any variations to fact, law, assumptions or representations, which we have relied upon. We assume no responsibility to update the observations for events and circumstances occurring after the date of this note. As we are authorised to practice in India, any comments regarding foreign law, its contents or applicability are merely our observations.
- The above observations are only for the client and cannot be shared with, used by or relied upon by any person or third party. We assume no responsibility or liability in relation to any decision made by the client or any person or third party, based on the above observations.
- The conclusions reached and views expressed are matters of observation based on our understanding of the related laws, rules, notifications, circulars, and precedents.
- Opinion/ notes are often on the unsettled provisions of law and in such cases are based on our estimation of probable outcome if the law as it stands is applied to the facts before us. In such cases, we provide our independent observation which may not necessarily be the view held by the majority in the field. There is no guarantee that other parties or authorities would subscribe to the views expressed by us. Therefore, LegaLogic, its partners, associates, employees or staff shall not be held liable for any action/ consequence arising out of any contrary view(s) taken by any other party or statutory authority with respect to this note.
- Without our prior written consent, this note may not be quoted in whole or in part or otherwise referred to in any document or delivered to any other person or entity. In the event, any loss is suffered as a result of reliance on the content of this note, which loss is directly attributed to gross negligence on our part, our liability for such loss attributable to us shall be determined by the competent court. However, under no circumstance will our liability exceed the fees paid to us for issuing this note. This document is governed by and shall be construed in accordance with Indian law. Any dispute relating to or arising from this document shall be subject to the exclusive jurisdiction of the Courts at Pune.
 Article 4(1) of the GDPR |  Article 4(2) of the GDPR |  Article 4(11) of the GDPR |  Article 21 of the GDPR |  Chapter II of the GDPR |  Recital 47 of the GDPR |  Article 21 (3) of the GDPR |  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (Directive on Privacy and Electronic Communications)