GDPR Guidelines for XMPie Products
Disclaimer
This document is intended for informative purposes only. It does not constitute legal advice regarding the GDPR or any other matter, and may not be used or relied on for such purposes. Always consult a suitably qualified lawyer on any legal question, issue or matter, including the GDPR.
Introduction
This document describes the following:
- XMPie support for GDPR compliance within its products
- Steps a customer must take to comply with the GDPR when using XMPie products
The GDPR defines two types of roles: Data Controller and Data Processor.
XMPie is not a Data Controller, and therefore is not subject to the regulations that apply to Data Controllers. These regulations define rules and processes, many of which XMPie products and services have no control over. For example, there is nothing that XMPie can put in place to control how customers acquire the data, or whether consent has been given by citizens.
The majority of XMPie customers host their own uProduce and uStore servers, and are therefore Data Processors. XMPie is a Data Processor for its cloud services, such as Circle and XES. As a result, XMPie cannot on its own provide GDPR compliance without customer cooperation.
The main goal of XMPie’s GDPR solution is to ensure that its products and services conform with the GDPR regulations, and to provide you the tools, mechanisms and guidelines to allow your organization to comply with the various GDPR requirements.
XMPie’s GDPR solution focuses on:
- Ensuring data security: Data is stored and transferred securely to avoid security breaches.
- Ensuring data expiration: Data is held only as long as necessary.
- Ensuring data integrity: Citizen data is amended, retrieved and deleted upon request.
Note: This document may undergo modifications. Please check for updates on a regular basis.
Terminology
Personal Identifiable Information (PII)
Information that can be used to identify, contact, or locate a single person, or to identify an individual in context. Any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records, can be considered PII, as well as any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
In XMPie products, PII is most commonly contained in:
- Production outputs – the result of XMPie compositions; e.g. a personalized PDF or uImage file.
- Data sources – the recipient information that is used to create the production outputs.
Data Controller
The person (or business) who collects data and determines the purposes for which, and the manner in which personal data is processed, whether in the EU or outside. It is the responsibility and liability of the Data Controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a Data Processor on behalf of the Data Controller. XMPie is not a Data Controller.
Data Processor
Anyone who processes personal data on behalf of the Data Controller (excluding the Data Controller’s own employees), whether in the EU or outside.
XMPie is a Data Processor only in cases where it hosts or provides a service.
Sample data source
In the context of GDPR, this is a data source that contains fake recipients only, including their fake personal data.
Prerequisites
GDPR compliance requires the following XMPie software:
- uProduce 8.2.3 or higher, configured for GDPR
- uStore 9.2.x or higher, configured for GDPR
- XES 3.3 or higher, configured for GDPR
- XMPL 2.2 or higher
XMPie Non-GDPR Compliant Components
Not all XMPie products and features are GDPR compliant. Examples are features which are soon to be deprecated and products that are still in the beta phase.
- In uProduce:
  - 1G email campaigns
  - 1G cross-media campaigns
- In uStore:
  - 1G email products
  - 1G cross-media products
  - USADATA recipient lists
- Circle 1G
- uCreate Video
- XCC
XMPie GDPR Solution
The XMPie GDPR solution is based on the fact that XMPie is not a CRM system, and as such it does not keep data longer than is required, for example longer than the duration of a marketing campaign or a print job fulfillment. When looking to comply with GDPR regulations, it is recommended to systematically remove unneeded data. The XMPie GDPR solution efforts focus on achieving this recommendation.
uProduce
XMPie provides a GDPR patch for uProduce, for version 8.2.3 or higher.
The uProduce GDPR solution focuses on automatic deletion of:
- Local and file-based data sources
- Completed, failed or aborted jobs and their outputs
- Temporary storage
By default, all of the above expire 30 days after their creation date, and are then deleted from the system. You can configure the expiration period.
Regarding data-source deletion, you may set specific data sources as permanent, which means they will never expire. You may want to mark a data source as permanent in the following cases: uStore sample data sources which are used for proofs, additional data sources which do not contain PII (such as car models and clothes catalogs), etc. Data sources should be marked as permanent only if they do not contain PII. If you still want a data source with PII to be permanent, you will have to handle citizen requests manually.
Upon installation of the GDPR patch, all existing data sources are marked as permanent in order to prevent automatic deletion, as XMPie cannot assess which data sources need to be permanent. By default, new data sources that are added afterwards are marked as non-permanent.
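The expiration rules above (a configurable retention period, 30 days by default; permanent data sources exempt; only completed, failed or aborted jobs eligible; pre-existing data sources marked permanent when the patch is installed) can be modelled as a small retention sweep. The following is an added example written for this page, not XMPie's own code; the data model, the `contains_pii` flag, the job status names and the sample dates are assumptions.

```python
"""Retention sweep modelled on the uProduce expiration rules described above.

Added example, not XMPie code. Assumptions: items expire a configurable
number of days after creation (30 by default) unless marked permanent, only
completed, failed or aborted jobs are deletion candidates, and a permanent
data source that still holds PII is flagged because citizen requests against
it must be handled manually.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_RETENTION_DAYS = 30           # default expiration period from the page
TERMINAL_STATES = {"completed", "failed", "aborted"}   # assumed status names


@dataclass
class DataSource:
    name: str
    created: datetime
    permanent: bool = False           # permanent sources never expire
    contains_pii: bool = True         # assume PII unless the operator says otherwise


@dataclass
class Job:
    job_id: int
    created: datetime
    status: str                       # e.g. "completed", "failed", "aborted", "running"


def is_expired(created: datetime, now: datetime, retention_days: int) -> bool:
    """True once the item is at least retention_days old."""
    return created <= now - timedelta(days=retention_days)


def apply_patch_defaults(sources, patch_installed_at: datetime):
    """On GDPR patch installation every pre-existing data source is marked
    permanent; sources added after that keep their non-permanent default."""
    for s in sources:
        if s.created < patch_installed_at:
            s.permanent = True
    return sources


def expired_data_sources(sources, now, retention_days=DEFAULT_RETENTION_DAYS):
    return [s.name for s in sources
            if not s.permanent and is_expired(s.created, now, retention_days)]


def expired_jobs(jobs, now, retention_days=DEFAULT_RETENTION_DAYS):
    # Running jobs are never touched, however old they are.
    return [j.job_id for j in jobs
            if j.status in TERMINAL_STATES and is_expired(j.created, now, retention_days)]


def permanent_sources_with_pii(sources):
    """Sources that escape automatic deletion but still hold PII: citizen
    requests against these must be handled by hand."""
    return [s.name for s in sources if s.permanent and s.contains_pii]


def sweep_report(sources, jobs, now, patch_installed_at, retention_days=DEFAULT_RETENTION_DAYS):
    apply_patch_defaults(sources, patch_installed_at)
    return {
        "delete_sources": expired_data_sources(sources, now, retention_days),
        "delete_jobs": expired_jobs(jobs, now, retention_days),
        "manual_handling": permanent_sources_with_pii(sources),
    }


# Constructed sample inventory (names and dates are made up for the example).
UTC = timezone.utc
PATCH_INSTALLED = datetime(2018, 12, 1, tzinfo=UTC)
NOW = datetime(2019, 1, 15, tzinfo=UTC)
SAMPLE_SOURCES = [
    DataSource("crm_export_nov", datetime(2018, 11, 5, tzinfo=UTC)),                   # pre-patch, PII
    DataSource("car_models", datetime(2018, 11, 20, tzinfo=UTC), contains_pii=False),  # pre-patch, no PII
    DataSource("old_list", datetime(2018, 12, 3, tzinfo=UTC)),                         # post-patch, 43 days old
    DataSource("campaign_dec", datetime(2018, 12, 20, tzinfo=UTC)),                    # post-patch, 26 days old
]
SAMPLE_JOBS = [
    Job(101, datetime(2018, 11, 10, tzinfo=UTC), "completed"),
    Job(102, datetime(2018, 11, 12, tzinfo=UTC), "running"),
    Job(103, datetime(2018, 12, 20, tzinfo=UTC), "failed"),
    Job(104, datetime(2018, 12, 10, tzinfo=UTC), "aborted"),
]

if __name__ == "__main__":
    print(sweep_report(SAMPLE_SOURCES, SAMPLE_JOBS, NOW, PATCH_INSTALLED))
```

Running the file prints the sweep report for the constructed inventory. The `manual_handling` list is the set of permanent data sources that still carry PII, which is exactly the case the text says you must handle yourself; `car_models` is permanent too but does not appear there because it holds no PII.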
Your responsibility
The following are not managed by XMPie, and as such you will have to handle them on your own:
- Post GDPR patch installation: Review all data sources and mark the relevant ones as non-permanent.
- GDPR automatic deletion configuration: Ensure that the automatic deletion mechanism is enabled.
- Remote data sources: You are responsible for retrieving or deleting recipient data from remote data sources upon citizen request, and for amending data and holding it only as long as necessary.
- Materials and tracking data of 1G email and web campaigns: Since 1G email and web campaigns are not GDPR compliant, it is recommended that you convert them to 2G campaigns, and delete the 1G campaign’s materials and tracking data. Otherwise, you will have to maintain them manually.
- Packed and unpacked VPC packages: You are responsible for deleting packed VPC packages shortly after production, since they contain citizen data. In addition, because unpacked VPC packages are kept in the system for later use, these packages must contain sample data rather than real data.
- Deletion of job outputs from remote destinations: If you defined job outputs to be sent to a remote destination, it is your responsibility to handle their deletion.
- uImage compliance: For uImage to be GDPR compliant, do not use PII that can identify a citizen in the uImage files. For example, a first name alone cannot identify a citizen, whereas an email address or phone number can. If you do wish to use images that can identify a citizen, you will have to maintain them manually.
Important
When a job is deleted by the automatic deletion mechanism, it is completely removed from the database, including its ticket and messages, and not just marked as deleted. This is because tickets and messages may contain PII.
uStore
XMPie provides a patch for upgrading uStore versions 9.0.x or higher to version 9.2, which supports GDPR.
Recipient Data
The uStore GDPR solution for recipient data focuses on the automatic deletion of:
- Recipient lists
- Circle instances
- Production output
- Proof files
- Uploaded files (of both Composite products and the File Attachment property)
The shopper has a 30-day period from creating the order until the uploaded recipient list, created Circle instance, proofs and other personal data expire and are then automatically deleted.
After the recipient list has been deleted, the shopper may still continue the order by re-uploading the recipient list.
On order submission, the shopper or approver(s) are required to confirm that all order information is GDPR compliant.
Once the order arrives in the Back Office, the administrator has an additional 30-day period to fulfill the order before the recipient list, production output, etc. also expire and are automatically deleted.
You can configure the expiration period of the Storefront and Back Office globally to apply to all stores. In addition, GDPR functionality needs to be enabled per store. Upon installation of the GDPR patch, GDPR is disabled for all stores.
In case of a personal data deletion request by a recipient:
- In 1G products (dynamic print and composite products), automatic deletion handles it.
- In 2G products (XM campaign products), the administrator should handle this request using Circle.
In case of a personal data retrieval request by a recipient:
- In 1G products (dynamic print and composite products), there is no need for the XMPie system to provide this information, since the system collected no data beyond what the Data Controller already holds. In any event, the data that was uploaded to XMPie expires within the 30-day period, before you need to comply with the retrieval request.
- In 2G products (XM campaign products), the administrator should handle this request using Circle.
FreeFlow® Core, Xerox® workflow automation solution and an integrated component of uStore, is GDPR compliant. Jobs which have succeeded are automatically deleted from the system shortly after completion. Jobs which have failed need to be manually deleted from FreeFlow Core via the Job Management and Status user interface.
Your responsibility
The following are not managed by XMPie, and as such you will have to handle them on your own:
- Post GDPR patch installation: Ensure GDPR is enabled on uProduce, and review all stores to enable GDPR for the required ones.
- Materials and tracking data of 1G email and XM products: Since 1G email and dynamic with web products are not GDPR compliant, it is recommended that you convert them to 2G XM campaign products, and delete the 1G campaign materials and tracking data from uProduce.
- Deleting citizens from predefined and uProduce recipient lists: During product definition, if you allow selection of recipients from a uProduce data source or from a predefined recipient list, then you will have to handle a request to delete a citizen’s personal data manually.
- Order expiration during fulfillment: uStore Back Office marks orders that are about to expire. Check and handle these orders regularly; otherwise the production materials will be lost and you will not be able to fulfill the orders.
- Using sample data in product definition: You should use sample (fake) data only when defining a product.
  - 1G products (dynamic print and composite products) should use a sample data source for the production parameters of the print and proof jobs used in the product definition.
  - 2G products (XM campaign products) should be based on Circle templates that use a sample data source as the recipient list.
Important
- When saving a product, all uProduce data sources used by production parameters of print and proof jobs are marked as permanent, and therefore are not deleted by the automatic deletion mechanism of uProduce. This is because the lifespan of the products is usually much longer than 30 days, and the data sources used are either sample data sources or additional data sources that don’t contain PII.
  Note that if by mistake you saved a product that uses a data source that contains PII and then replaced it with a sample data source, uStore will not mark the data source with PII as non-permanent; you should manually mark it as non-permanent in uProduce.
- Once a campaign-on-demand order has terminated, the entire campaign is deleted, including all its data.
- Proofs use the recipient list data as long as it is available. However, when the recipient list is automatically deleted, the sample recipient list is used instead.
User Data
In addition to recipient data, uStore is concerned with personal data of users, both registered and anonymous.
Registered users can be deleted from the system upon request, whereas anonymous users are automatically deleted after a 30-day period. On deletion, the system deletes non-submitted orders, uEdit documents, uploaded images, etc. Submitted orders are kept permanently. User information is deleted only if there are no submitted orders relating to the user.
In case of a data retrieval request by a user, it is possible for the administrator to extract all the personal information and order data from the user’s account.
Circle
XMPie provides an upgrade of Circle to comply with GDPR. For complete details about the Circle GDPR solution, see Circle and GDPR in the Circle Help.
The Circle GDPR solution includes the following:
- Circle provides the ability to retrieve or delete citizen personal data from the system, from either an entire account or a specific campaign. To enable this ability, you must provide a single field name and value in order to locate a citizen in the recipient list.
  When deleting a citizen, data is removed from the recipient table selected in the Master list and from the tracking storage only.
  When retrieving citizen personal data, data is retrieved from the recipient table selected in the Master list and from the tracking storage. This data is provided in both a human-readable and a machine-readable format.
  Note that in the case of remote data sources, only tracking data is removed or retrieved.
- Data sources created by Circle (and uploaded to uProduce) are marked as permanent, and therefore are not deleted by the automatic deletion mechanism of uProduce. This is because the lifespan of Circle projects is usually much longer than 30 days.
  However, if you do wish to delete an entire data source or a specific recipient, you can do so manually in Circle.
- When deleting a Circle project, all tracking data of the campaign is deleted, in addition to the uProduce campaign, including all its materials.
Your responsibility
The following are not managed by XMPie, and as such you will have to handle them on your own:
- Remote data sources: You are responsible for retrieving or deleting recipient data from remote data sources upon citizen request, and for amending data and holding it only as long as necessary.
- Additional tables and additional data sources: Since XMPie deletes and retrieves personal data only from the recipient table selected in the Master list, make sure that other recipient and non-recipient tables in all data sources of the project do not contain any PII. If they do, you will have to maintain them manually.
- Right to object to automated decision processing: You are responsible for all automated decisions made in your project.
Important
- Recipients selected as the sample recipients of a project should not contain PII. That is, they should not be real recipients of the campaign.
- Template projects should use a sample data source in the recipient list, since this data is copied to the instance. Alternatively, after creation of an instance and replacement of the recipient list, the copied template’s data source should be deleted.
XMPie Email Service (XES)
GDPR compliancy requires XES version 3.3 or higher. In addition, you must contact XMPie Support and request to make your XES account GDPR compliant.
Note that by default all XES accounts are located in the Amazon US region; nonetheless they are GDPR compliant due to Privacy Shield protection. However, XMPie provides you the option to move your account to the Amazon EU region, if you wish to do so for some additional reason.
Important
When your XES account is GDPR compliant, “View in browser” and “PDF-on-Demand” are available for only 30 days after the email was sent.
Additional Recommendations
Ensuring Easy Retrieval and Deletion of Citizen Personal Data
One of the main issues which arises when there is a need to retrieve or delete citizen personal data, is identification of the citizen in the recipient list.
XMPie requires you to provide a single field name and its value in order to locate a recipient in the database.
Circle provides the means to delete or retrieve a citizen’s personal data from a single project or from an entire uProduce account.
In case requests are from a single project only, different projects can use different fields to identify the citizen. For example, XMPie recipient key, email address or phone number.
In case requests are from an entire uProduce account, you will need to have a field that appears in the recipient lists of all campaigns of the account, which identifies the citizen. For example, CRM identifier, email address or phone number.
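The retrieve/delete behaviour described for Circle earlier on this page and summarized above (one field name and value locates the citizen; data is pulled from, or removed from, the recipient table selected in the Master list and from tracking storage; remote data sources yield only tracking data; results come in human- and machine-readable form) is shown below as an added example written for this page, not Circle's own implementation. It assumes both stores are plain lists of dicts joined on a `RecipientKey` column, that an identifying field must match exactly one recipient, and that the sample rows are constructed.

```python
"""Locating, retrieving and deleting one citizen's data by a single field.

Added example, not Circle's code. Assumptions: the recipient table selected in
the Master list and the tracking storage are lists of dicts joined on a
RecipientKey column; a request supplies one field name and one value, which
must match exactly one recipient; for a remote data source only tracking data
is touched, as the page states.
"""
import json
from copy import deepcopy

KEY_FIELD = "RecipientKey"   # assumed join column between recipients and tracking

# Constructed sample data (keys and people are made up).
_RECIPIENTS = [
    {"RecipientKey": "k7Q2xWp4Lm9B", "FirstName": "Ada", "Email": "ada@example.com", "City": "Berlin"},
    {"RecipientKey": "p9Lm3Tz8Qr1V", "FirstName": "Bob", "Email": "bob@example.com", "City": "Paris"},
    {"RecipientKey": "c4Rn7Hy2Kd6S", "FirstName": "Cy", "Email": "cy@example.com", "City": "Berlin"},
]
_TRACKING = [
    {"RecipientKey": "k7Q2xWp4Lm9B", "event": "email_open", "ts": "2018-12-01T10:00:00Z"},
    {"RecipientKey": "k7Q2xWp4Lm9B", "event": "page_view", "ts": "2018-12-02T11:30:00Z"},
    {"RecipientKey": "p9Lm3Tz8Qr1V", "event": "email_open", "ts": "2018-12-01T10:05:00Z"},
]


def sample_data():
    """Fresh copies so that deletions in one run do not leak into another."""
    return deepcopy(_RECIPIENTS), deepcopy(_TRACKING)


def locate(recipients, field, value):
    """Rows whose identifying field equals value (exact match after trimming
    whitespace; normalising e.g. e-mail case is the operator's job)."""
    wanted = str(value).strip()
    return [r for r in recipients if str(r.get(field, "")).strip() == wanted]


def _single_key(recipients, field, value):
    rows = locate(recipients, field, value)
    if not rows:
        return None
    if len(rows) > 1:
        # A field that matches several people cannot serve as the identifier.
        raise ValueError(f"{field}={value!r} matches {len(rows)} recipients; use a unique field")
    return rows[0][KEY_FIELD]


def retrieve(recipients, tracking, field, value):
    """Everything held about the citizen, or None if nobody matches."""
    key = _single_key(recipients, field, value)
    if key is None:
        return None
    recipient = next(r for r in recipients if r[KEY_FIELD] == key)
    events = [t for t in tracking if t[KEY_FIELD] == key]
    return {"recipient": recipient, "tracking": events}


def to_json(report):
    """Machine-readable form of a retrieve() result."""
    return json.dumps(report, indent=2, sort_keys=True)


def to_text(report):
    """Human-readable form of a retrieve() result."""
    lines = ["Recipient record:"]
    lines += [f"  {k}: {v}" for k, v in report["recipient"].items()]
    lines.append(f"Tracking events ({len(report['tracking'])}):")
    lines += [f"  {t['ts']}  {t['event']}" for t in report["tracking"]]
    return "\n".join(lines)


def delete(recipients, tracking, field, value, remote_source=False):
    """Remove the citizen from tracking storage and, unless the recipient table
    lives in a remote data source, from the recipient table too. Lists are
    modified in place; the return value reports what was removed."""
    key = _single_key(recipients, field, value)
    if key is None:
        return {"recipients_deleted": 0, "tracking_deleted": 0}
    before = len(tracking)
    tracking[:] = [t for t in tracking if t[KEY_FIELD] != key]
    tracking_deleted = before - len(tracking)
    recipients_deleted = 0
    if not remote_source:
        before = len(recipients)
        recipients[:] = [r for r in recipients if r[KEY_FIELD] != key]
        recipients_deleted = before - len(recipients)
    return {"recipients_deleted": recipients_deleted, "tracking_deleted": tracking_deleted}


if __name__ == "__main__":
    recs, trk = sample_data()
    print(to_text(retrieve(recs, trk, "Email", "ada@example.com")))
    print(to_json(retrieve(recs, trk, "Email", "ada@example.com")))
    print(delete(recs, trk, "Email", "ada@example.com"))
```

The ambiguity check in `_single_key` is the practical side of the page's advice to pick a field that identifies a citizen uniquely across all campaigns of the account: a request keyed on `City` matches two people in the sample data and is rejected rather than silently returning or erasing the wrong person's records.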
Ensuring Data Security for the Web
When implementing or running web campaigns, XMPie cannot control what personal information is contained within a personalized URL, or what information is displayed on personalized pages. Therefore, the major part of the responsibility is in the hands of those creating the campaigns. They must be extra cautious not to expose citizens’ personal information, and must use the tightest security version of XMPL. See XMPL release notes for latest version.
The following guidelines will help you ensure data security of your websites.
Recipient Key
It is recommended not to use personal information in the recipient key, in order to prevent web pages from being accessed by hackers. Finding the recipient key pattern and guessing its values might cause data breaches.
In websites that do not require signing in to access personal data, guessing the recipient key enables easy access to a citizen’s personal data. In addition, it reveals that the person is part of the campaign.
It is therefore not recommended to use first and last name, email address, identification number, etc. in the recipient key.
Learn how to generate a non-PII recipient key.
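The page links to its own instructions for generating a non-PII recipient key; what follows is an added example written for this page, not XMPie's generator. It shows one way to produce keys that are random rather than derived from personal data, plus a lint that flags existing keys which are short, numeric-only or contain the recipient's name, e-mail local part or phone digits. The field names, key length, alphabet and sample rows are assumptions.

```python
"""Generating non-PII recipient keys and linting existing ones.

Added example, not XMPie's own generator. Assumptions: a recipient key is an
opaque, URL-safe string drawn from a cryptographically secure source, so the
pattern of one key says nothing about another; the lint flags keys that are
short, numeric-only or visibly derived from name, e-mail or phone number.
"""
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, safe in a URL without escaping
KEY_LENGTH = 12                                   # 62**12 possibilities, about 71 bits of entropy
MIN_LENGTH = 10                                   # assumed minimum for the lint


def generate_recipient_key(used, length=KEY_LENGTH):
    """One fresh key, guaranteed not to collide with keys already in `used`."""
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if key not in used:
            used.add(key)
            return key


def assign_keys(recipients, key_field="RecipientKey"):
    """Give every recipient row a random key; returns the rows for chaining."""
    used = set()
    for row in recipients:
        row[key_field] = generate_recipient_key(used)
    return recipients


def weak_key_reasons(key, recipient):
    """Why a key is unsuitable; an empty list means no problem was found."""
    reasons = []
    if len(key) < MIN_LENGTH:
        reasons.append("too short")
    if key.isdigit():
        reasons.append("numeric only")
    k = key.casefold()
    for field in ("FirstName", "LastName"):
        value = str(recipient.get(field, "")).casefold()
        if len(value) >= 3 and value in k:
            reasons.append(f"contains {field}")
    local_part = str(recipient.get("Email", "")).casefold().split("@")[0]
    if len(local_part) >= 3 and local_part in k:
        reasons.append("contains e-mail local part")
    phone_digits = re.sub(r"\D", "", str(recipient.get("Phone", "")))
    if len(phone_digits) >= 6 and phone_digits[-6:] in key:
        reasons.append("contains phone digits")
    return reasons


def lint_recipient_list(recipients, key_field="RecipientKey"):
    """Map of key -> reasons for every recipient whose key should be replaced."""
    findings = {}
    for row in recipients:
        key = str(row.get(key_field, ""))
        reasons = weak_key_reasons(key, row)
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample rows, with keys chosen to show what the lint catches.
SAMPLE_ROWS = [
    {"RecipientKey": "ada.lovelace", "FirstName": "Ada", "LastName": "Lovelace",
     "Email": "ada.lovelace@example.com", "Phone": "+49 30 1234567"},
    {"RecipientKey": "1042", "FirstName": "Bob", "LastName": "Stone",
     "Email": "bob@example.com", "Phone": ""},
    {"RecipientKey": "X234567abcd", "FirstName": "Cy", "LastName": "Dee",
     "Email": "cy@example.com", "Phone": "+33 1 234567"},
]

if __name__ == "__main__":
    print(lint_recipient_list(SAMPLE_ROWS))
    print(assign_keys([dict(r) for r in SAMPLE_ROWS]))
```

The lint is deliberately conservative: an empty result means none of the obvious derivations was found, not that the key is safe. The generator gives keys that are safe by construction, because nothing about the recipient goes into them, and the `used` set keeps a re-run from ever handing out a duplicate within one list.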
Secured URL
The strongest way to achieve data security in a website is by signing in to the website. This allows providers to deliver both secure and personalized campaigns which require users to validate themselves before exposing any personal information.
As part of the GDPR solution, XMPL provides the ability to define a website that requires the recipient to supply credentials and sign in upon each entry to the website or the XMPL API.
Learn how to secure your website using SecURL.
HTTPS Protocol
XMPie recommends the use of encrypted HTTP traffic, via HTTPS protocol, and suggests that this is used when personal data is being transferred. See Circle HTTPS Configuration Prerequisites.
Physical Data Storage and Transfer
GDPR prohibits storage and transfer of citizen personal data outside of Europe, without proper protection, as set by the GDPR regulation. For example, data can be stored in and transferred to Amazon non-European regions due to Privacy Shield protection.
XMPie is responsible for data storage and transfer for its cloud services, such as Circle and XES, and cloud-hosted systems, such as uProduce and uStore.
However, the majority of XMPie customers host their own uProduce and uStore servers, and are therefore responsible for ensuring the physical location of the servers.
General Security
GDPR requires compliance with industry security standards, for example network security, file system and database encryption (if required), etc.
XMPie is responsible for the security of its cloud services, such as Circle and XES, and cloud-hosted systems, such as uProduce and uStore.
However, the majority of XMPie customers host their own uProduce and uStore servers, and are therefore responsible for ensuring the security of the servers.
In order to achieve better security, it is highly recommended that the customer creates a tiered environment where only the necessary parts of the system are exposed to the internet.
In addition, it is important that the customer analyzes the sensitivity of the data that is stored on the servers in order to assess whether file system and database encryption are required.
For more information, refer to the following:
- Security for Web Products
Summary
For information on how to configure GDPR in uProduce, uStore and Circle, refer to the following:
- Using uProduce with GDPR Patch
Created by: Svetlana Bogush, last updated: December 25, 2018