TidWiT Inc. (“TidWiT”) is committed to complying with the European Union’s GDPR (General Data Protection Regulation), which takes effect on May 25, 2018. This regulation covers different areas that affect TidWiT as an organization as well as its network platform, customers, and users in the European Union.
The following policy statement covers the entire TidWiT Network, including but not limited to the www.TidWiT.com site and all the platform instances and sub-instances that may be set up as sub-domains through ontidwit.com, with or without any URL vanity features.
Because TidWiT wants to demonstrate its commitment to its users’ privacy and the protection of their personally identifiable information (PII), it discloses its information practices below.
TidWiT’s approach to GDPR has been proactive: we see it as an opportunity to serve our customers more effectively, transparently, and securely. TidWiT also sees GDPR as a confirmation of its business model, which conducts content dissemination and marketing within an opt-in network environment rather than an opt-out spam e-mail environment. As such, TidWiT has committed to the following:
- Preparing the TidWiT organization to support GDPR with the introduction of a DPO (Data Protection Officer)
- Aligning the TidWiT network and platform features and functionalities to support the GDPR as well as the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland, respectively
- Implementing data protection at the physical (facility) level as well as at the software and transaction levels
- Communicating TidWiT’s Terms & Conditions, PII, and Cookie policies transparently to customers and users
TidWiT has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles, which govern the transfer of personal data from the EU and Switzerland to the US. If any conflict arises between any of TidWiT’s privacy policies and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit www.privacyshield.gov
II. GDPR Compliance
TidWiT hereby certifies that it falls under, and is compliant with, the GDPR as set out in the following clauses.
II.A. Jurisdiction
While TidWiT is headquartered in the United States, it has operations and customers in the EU and the UK. Therefore, TidWiT recognizes that it falls under the jurisdiction of the GDPR.
II.B. Data Subject Rights
TidWiT recognizes the rights that the GDPR grants to TidWiT Network users, specifically:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
II.C. Data Controller and Processor
The TidWiT Network provides content distribution services on behalf of businesses to their customers. Being a network, TidWiT standardizes both the publishing and distribution phases. What is unique about TidWiT is its multi-tier model: a content publisher may sit three or more tiers removed from the users who access its content. This has implications for the roles of Data Controller and Data Processor under the GDPR. The rule TidWiT follows, which complies with the GDPR, is that regardless of where content comes from, as long as it is on the TidWiT network, TidWiT is the Data Controller and Data Processor. In addition, the owner of the instance on which a user accesses the content is a co-Controller (a joint controller in GDPR terms). The instance owner is therefore allowed to access the PII of its users and is responsible for making sure that this PII is protected according to the GDPR. Two examples illustrate the model and its implications.
In the first example, User A accesses a video from an instance of Business “B”, which runs on the TidWiT network (the two-tier model). To access the video, User A must register and give opt-in consent to the instance whose content they would like to access. Consent is therefore issued simultaneously to both TidWiT and Business “B”, which share User A’s PII and co-control the data.
In the second example, a content publisher “C” syndicates its content through the TidWiT network to a partner “P”, which distributes it to a user “U” (the three-tier model). Who is the Data Processor and who is the Data Controller? The Data Processor, as always, is TidWiT. User “U” accessed Partner “P”’s instance and consented to sharing PII with Partner “P” and TidWiT, so TidWiT and Partner “P” are co-Controllers of the user’s data, with PII access and responsibility as per the GDPR. What about the content publisher “C”? Publisher “C” can only obtain data from TidWiT in aggregated form, without any associated PII, which protects User “U” from any communication to which they did not consent, in line with the GDPR. Since content publisher “C” has no access to any PII, it takes on no Data Controller or Data Processor responsibilities under the GDPR.
II.E. Personal and Biometric Data
TidWiT’s network is designed to collect and store the least amount of user data possible, following the principle of Privacy by Design. TidWiT collects only the data about users needed to personalize their experience according to their preferences. During registration, the required fields are limited to first name, last name, e-mail address, and password. As users interact with the Network, they may optionally add data to their profile to customize it further. Collected user data may also include, but is not limited to, automatically generated behavioral characteristics derived from pages accessed and content viewed. TidWiT considers the sensitivity of the data it collects on its users to be low to medium.
TidWiT does NOT collect or store any of the following highly sensitive personal data:
- Social security numbers
- Date of birth
- Credit/debit card information
- Driver’s license number, or State-issued identification card number (including passport)
- Financial account number
- Personal medical information
- Health insurance information
- Information or data collected through the use or operation of an automated license plate recognition system
II.F. Data Rectification, Erasure, Objection, and Portability
Business customers and users have the right to request rectification of their data, and TidWiT will comply within two weeks. TidWiT customers and users also have the right to object to the processing of their data, to disable their accounts, and to have their pertinent data erased. Users also have the option to port their data if they so wish. To process such requests, written contact must be made with TidWiT’s customer service: customerservice at tidwit.com
II.G. Right to Be Informed and Breaches
TidWiT recognizes users’ right to be informed, which encompasses TidWiT’s obligation to provide ‘fair processing information’, typically through a privacy notice. Even though the limited PII TidWiT holds is of low sensitivity, TidWiT is committed to informing its customers within 72 hours of any breach that occurs, with a description of the nature of the breach, its scope, its implications, and how the situation is being rectified.
III. Contacting TidWiT’s Data Protection Officer
If users have any questions or suggestions regarding our GDPR Policy, please contact our Data Protection Officer at:
- 11911 Freedom Drive, Suite 805
- Reston VA 20190, USA
- Tel. +1.703.761.7600
- Email: legal at tidwit.com
- Web site: www.tidwit.com
IV. Where can you find more information about GDPR?
You can learn more about GDPR from the following third-party websites:
V. Glossary of Terms
- BIOMETRIC DATA: Any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their identification.
- CONSENT: A freely given, specific, informed, and unambiguous indication by which the data subject agrees to the processing of their personal data.
- DATA BREACH: A breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data.
- DATA CONTROLLER: The entity that determines the purposes, conditions, and means of the processing of personal data.
- DATA ERASURE: Entitles the data subject to have the data controller erase his/her personal data and cease further dissemination of the data.
- DATA PORTABILITY: This is the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.
- DATA PROCESSOR: The entity that processes data on behalf of the Data Controller
- DATA PROTECTION OFFICER: An expert on data privacy who works independently to make sure organizations are adhering to the GDPR.
- DATA SUBJECT: A natural person whose personal data is processed by a controller or processor.
- PERSONAL DATA: Any information relating to an identified or identifiable natural person (the ‘Data Subject’).
- PRIVACY BY DESIGN: A principle that calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.
- PROCESSING: Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
- RIGHT TO ACCESS: Also known as Subject Access Right: Entitles the data subject to have access to and information about the personal data that a controller has concerning them.
- RIGHT TO BE FORGOTTEN: See Data Erasure.
Frequently Asked Questions About TidWiT’s GDPR Compliance
You’ve no doubt heard about the General Data Protection Regulation (GDPR), a wide-ranging European Union data-privacy regulation that becomes enforceable on May 25, 2018. GDPR extends EU data-protection law to all foreign companies that process the personal data of EU residents. Under GDPR, processing personal data requires a lawful basis; on the TidWiT network that basis is the individual’s opt-in consent to their data being collected, processed, stored, and maintained. Organizations that violate GDPR are subject to substantial fines. This Q&A summarizes TidWiT Inc.’s efforts to ensure compliance with GDPR.
Because TidWiT distributes content to users in the EU, it is subject to GDPR and has aligned its network to comply with the regulation. When discussing GDPR and TidWiT, it is important to note that TidWiT does not own the content that it disseminates. Each instance is owned by a partner and runs on the TidWiT platform, so the GDPR measures described here apply to every partner instance.
GDPR creates clear liabilities on the part of both the controller and the processor of user data. As long as data is on the TidWiT network, TidWiT considers itself both the data controller and the data processor. As such, TidWiT has taken several critical steps to comply with GDPR, including aligning network and platform features and functionalities to support both GDPR and U.S. data-protection regulations; implementing data protection at the hardware, software, and transaction levels; and clearly communicating TidWiT’s terms & conditions, personally identifiable information, and cookie policies to customers and users. All these activities have been overseen by TidWiT’s dedicated DPO (Data Protection Officer).
TidWiT’s business model has always revolved around conducting content dissemination and marketing in an opt-in network environment, consistent with GDPR.
Since its inception, TidWiT’s policy has been to collect and store the least amount of user data possible, and only enough to facilitate a personalized experience based on the user’s preferences. This data includes first and last name, e-mail address, password, cookies, pages accessed and content viewed. As users interact with the network, they may choose to add data to their profile to further customize it to their needs.
TidWiT is committed to informing customers, partners and appropriate regulators within 72 hours of any data breaches that occur, including a detailed description of the breach, the scope, its implications and how the situation is being resolved.