GDPR and user data management

In the Analyse > user management > user data management section, you will find information regarding the management of personal data within Send. You can manage all aspects of it, in case your company has not adopted the full platform but is only working with the Send module.

Here, functions are available to assist the Data Controller in complying with GDPR principles regarding the exercise of the Data Subject's rights. For a complete view of the regulations, please refer to the Official Journal of the European Union.

warning

To access the User data management page, a profile with specific permissions is required to access features related to GDPR compliance. Users to whom this role should be assigned must be indicated to Customer Service, either directly by the Data Protection Officer (DPO) or by the contractual representative.

The User data management page consists of three main sections:

• User search
  Allows you to search for a single contact only within deliveries whose queue has already been extracted and optionally decide to remove them from one or more of these, ensuring they do not receive communications that are no longer consistent with any modified data or consent.

• User removal
  To physically delete from Contactlab systems all data related to a specific contact, in accordance with the exercise of the right to be forgotten. Additionally, you can view the history of removed contacts.
  The removal of a contact for the exercise of the Right to Erasure cannot be restored.

• Request user data
  To access and manage relevant data of a single contact concerning the exercise of the right to Access/Portability and to view the history of previous requests.

Managing the rights of the Data Subject

Consent collection and management

The collection and management of consents related to marketing activities across different channels and/or profiling occur through the usual methods of inserting and updating contact profiles within the Send user database.

Given that Send represents a complete or partial copy of data collected and managed in the systems of the Data Controller or their suppliers, the responsibility for defining and managing consents within Send rests with the Data Controller.

It is assumed that the collection and management of consents, as well as the maintenance of logs regarding the execution of Data Subject requests, are operated by the Data Controller outside of Send and reported into Send through regular user database update flows.

Consequently, the Data Controller has full autonomy to introduce new fields in the user database related to privacy consents to manage communications according to the preferences expressed by end users. It is their responsibility to define filters for deliveries, consistent with the purpose of the communication and in relation to the tracked consents.

Exercise of the right to object/restrict/rectify

As with consent management, data related to the exercise of the rights to Object/Restrict/Rectify can be mapped entirely autonomously by the Data Controller, on existing fields or those specially created within the Send user database.

Thus, it is the Data Controller’s responsibility to specify the correct conditions in the creation of filters or base filters depending on the type of communication intended for the target, ensuring consistency in communications as well as adherence to the operational status (consent yes/no, objection yes/no, restriction yes/no) of each Data Subject.

Moreover, to ensure that the Data Subject does not receive deliveries that have already been scheduled but are no longer consistent with any Objections/Restrictions/Rectifications, the Data Controller can retrieve the list of scheduled deliveries containing the specific user in the sending list and optionally decide to remove them from one or more of these.

info

In addition to GDPR-related purposes, the User Search feature for searching one or more contacts can be used to check for the presence of specific users in scheduled deliveries, allowing for controls and potential corrective actions before the deliveries are sent.

Exercise of the right to be forgotten - User removal

To remove a contact, the user with assigned specific permissions can proceed as follows:

• Go to the Analyse > user management > user data management section and select the User removal tab.
• Enter the Email address or Phone number of the contact to be removed.
• Select the Extend effect to sub-companies option to remove the contact's data from all configured sub-companies.
• Click on Remove user data.
• Upon confirmation, the user's data will be removed from the system.

danger

The data removal operation is irreversible.

Exercise of the right to access and portability - Request user data

To request the data of a contact, proceed as follows:

• Go to the Analyse > user management > user data management section and select the Request user data tab.
• Enter the Email address or Phone number of the contact in question to search for their data.
• Select the Extend effect to sub-companies option to search for the contact's data from all configured sub-companies.
• Click on Request user data.

The output of this procedure is a JSON file containing the requested data, available in the my contactlab > download area, following the usual report management mechanisms in Send.
The file remains available for two weeks, after which it is permanently deleted from the Download area. This ensures automatic compliance with any erasure requests for data contained in the file.

The types of data included in the file are:

• The user profile retrieved from the user database.
• A list of emails sent to the user over time.
• Email events related to the user (open, click, etc.).
• Any presence of the user in blacklists.
• Newsletter subscriptions.
• Tracking of the user's email content sharing.

As an alternative to using the UI, user data removal following an erasure request can be performed via API, and upon request, a feature for bulk contact data removal (mass erasure) can be made available.