GDPR Guidelines for XMPie Products

Disclaimer

This document is intended for informative purposes only. It does not constitute legal advice regarding the GDPR or any other matter, and may not be used or relied on for such purposes. Always consult a suitably qualified lawyer on any legal question, issue or matter, including the GDPR.

Introduction

This document describes the following:

  • XMPie support for GDPR compliance within its products

  • Steps a customer must take to comply with the GDPR when using XMPie products

The GDPR defines two types of roles: Data Controller and Data Processor.

XMPie is not a Data Controller, and is therefore not bound by the regulations that apply to Data Controllers. These regulations define rules and processes, many of which XMPie products and services have no control over. For example, there is nothing XMPie can put in place to control how customers acquire the data, or whether citizens have given their consent.

The majority of XMPie customers host their own uProduce and uStore servers, and are therefore Data Processors. XMPie is a Data Processor for its cloud services, such as Circle and XES. As a result, XMPie cannot provide GDPR compliance on its own, without customer cooperation.

The main goal of XMPie’s GDPR solution is to ensure that its products and services conform with the GDPR regulations, and to provide you with the tools, mechanisms and guidelines that allow your organization to comply with the various GDPR requirements.

XMPie’s GDPR solution focuses on:

  • Ensuring data security: Data is stored and transferred securely to avoid security breaches.

  • Ensuring data expiration: Data is held only as long as necessary.

  • Ensuring data integrity: Citizen data is amended, retrieved and deleted upon request.

Note: This document may undergo modifications. Please check for updates on a regular basis.

Terminology

Personally Identifiable Information (PII)

Information that can be used to identify, contact, or locate a single person, or to identify an individual in context. Any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records, can be considered PII, as well as any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

In XMPie products, PII is most commonly contained in:

  • Production outputs – the result of XMPie compositions; e.g. personalized PDF or uImage file.

  • Data sources – the recipient information that is used to create the production outputs.

Data Controller

The person (or business) who collects data and determines the purposes for which, and the manner in which, personal data is processed, whether in the EU or outside. It is the responsibility and liability of the Data Controller to implement effective measures and to be able to demonstrate the compliance of processing activities, even if the processing is carried out by a Data Processor on behalf of the Data Controller. XMPie is not a Data Controller.

Data Processor

Anyone who processes personal data on behalf of the Data Controller (excluding the Data Controller’s own employees), whether in the EU or outside.

XMPie is a Data Processor only in cases where it hosts or provides a service.

Sample data source

In the context of GDPR, this is a data source that contains fake recipients only, including their fake personal data.

Prerequisites

GDPR compliance requires the following XMPie software:

  • uProduce 8.2.3 or higher & configured for GDPR

  • uStore 9.2.x or higher & configured for GDPR

  • XES 3.3 or higher & configured for GDPR

  • XMPL 2.2 or higher

XMPie Non-GDPR Compliant Components

Not all XMPie products and features are GDPR compliant. Examples are features that are soon to be deprecated and products that are still in the beta phase.

  • In uProduce:

    • 1G email campaigns

    • 1G cross-media campaigns

  • In uStore:

    • 1G email products

    • 1G cross-media products

    • USADATA recipient lists

  • Circle 1G

  • uCreate Video

  • XCC

XMPie GDPR Solution

The XMPie GDPR solution is based on the fact that XMPie is not a CRM system, and as such it does not keep data longer than required; for example, longer than the duration of a marketing campaign or the fulfillment of a print job. When looking to comply with GDPR regulations, it is recommended to systematically remove unneeded data. The XMPie GDPR solution focuses on achieving this recommendation.

uProduce

XMPie provides a GDPR patch for uProduce, for version 8.2.3 or higher.

The uProduce GDPR solution focuses on automatic deletion of:

  • Local and file-based data sources

  • Completed, failed or aborted jobs and their outputs

  • Temporary storage

By default, all of the above expire 30 days after their creation date, and are then deleted from the system. You can configure the expiration period.

Regarding data-source deletion, you may set specific data sources as permanent, which means they will never expire. You may want to mark a data source as permanent in cases such as uStore sample data sources used for proofs, or additional data sources that do not contain PII (such as car model or clothing catalogs). Data sources may be marked as permanent only as long as they do not contain PII. If you still want a data source that contains PII to be permanent, you will have to handle citizen requests manually.

Upon installation of the GDPR patch, all existing data sources are marked as permanent in order to prevent automatic deletion, as XMPie cannot assess which data sources need to be permanent. By default, newly added data sources are marked as non-permanent.

Your responsibility

The following are not managed by XMPie, and as such you will have to handle them on your own:

  • Post GDPR patch installation

    Review all data sources and mark the relevant ones as non-permanent.

  • GDPR automatic deletion configuration

    Ensure that the automatic deletion mechanism is enabled.

  • Remote data sources

    You are responsible for retrieving or deleting recipient data from remote data sources by citizen request, and for amending data and holding it only as long as necessary.

  • Materials and tracking data of 1G email and web campaigns

    Since 1G email and web campaigns are not GDPR compliant, it is recommended that you convert them to 2G campaigns, and delete the 1G campaign’s materials and tracking data. Otherwise, you will have to manually maintain them.

  • Packed and unpacked VPC packages

    You are responsible for deleting packed VPC packages shortly after production, since they contain citizen data. In addition, because unpacked VPC packages are kept in the system for later use, they must contain sample data rather than real data.

  • Deletion of job outputs from remote destinations

    In case you defined job outputs to be sent to a remote destination, it is your responsibility to handle their deletion.

  • uImage compliancy

    For uImage to be GDPR compliant, do not use PII that can identify a citizen in the uImage files. For example, a first name alone cannot identify a citizen, whereas an email address or phone number can. If you do wish to use images that can identify a citizen, you will have to maintain them manually.

Important

When a job is deleted by the automatic deletion mechanism, it is completely removed from the database, including its ticket and messages, and not just marked as deleted. This is because tickets and messages may contain PII.

uStore

XMPie provides a patch for upgrading uStore versions 9.0.x or higher to version 9.2, which supports GDPR.

Recipient Data

The uStore GDPR solution for recipient data focuses on the automatic deletion of:

  • Recipient lists

  • Circle instances

  • Production output

  • Proof files

  • Uploaded files (of both Composite products and File Attachment property)

The shopper has a 30-day period from creating the order until the uploaded recipient list, created Circle instance, proofs and other personal data expire and are then automatically deleted.

After the recipient list has been deleted, the shopper may still continue the order by re-uploading the recipient list.

On order submission, the shopper or approver(s) are required to confirm that all order information is GDPR compliant.

Once the order arrives in the Back Office, the administrator has an additional 30-day period to fulfill the order before the recipient list, production output, etc. also expire and are automatically deleted.

You can configure the expiration period of the Storefront and Back Office globally to apply to all stores. In addition, GDPR functionality needs to be enabled per store. Upon installation of the GDPR patch, GDPR is disabled for all stores.

In case of a personal data deletion request by a recipient:

  • In 1G products (dynamic print and composite products), automatic deletion handles it.

  • In 2G products (XM campaign products), the administrator should handle this request using Circle.

In case of a personal data retrieval request by a recipient:

In 1G products (dynamic print and composite products), the XMPie system does not need to provide this information, since the system collected no data in addition to the data held by the Data Controller. In any event, the data that was uploaded to XMPie expires within the 30-day period, before you need to comply with the retrieval request.

In 2G products (XM campaign products), the administrator should handle this request using Circle.

FreeFlow® Core, Xerox® workflow automation solution and an integrated component of uStore, is GDPR compliant. Jobs which have succeeded are automatically deleted from the system shortly after completion. Jobs which have failed need to be manually deleted from FreeFlow Core via the Job Management and Status user interface.

Your responsibility

The following are not managed by XMPie, and as such you will have to handle them on your own:

  • Post GDPR patch installation

    Ensure GDPR is enabled on uProduce, and review all stores to enable GDPR for the required ones.

  • Materials and tracking data of 1G email and XM products

    Since 1G email and dynamic-with-web products are not GDPR compliant, it is recommended that you convert them to 2G XM campaign products, and delete the 1G campaign materials and tracking data from uProduce.

  • Deleting citizens from predefined and uProduce recipient lists

    During product definition, if you allow selection of recipients from a uProduce data source, or using a predefined recipient list, then upon a deletion request of a citizen’s personal data, you will have to manually handle this.

  • Order expiration during fulfillment

    uStore Back Office marks orders that are about to expire. Make sure to check and handle these orders regularly; otherwise, the production materials will be lost and you will not be able to fulfill the orders.

  • Using sample data in product definition

    You should use sample (fake) data only when defining a product.

    • 1G products (dynamic print and composite products) should use a sample data source for the production parameters of print and proof jobs, used in the product definition.

    • 2G products (XM campaign products) should be based on Circle templates that use a sample data source as the recipient list.

Important

  • When saving a product, all uProduce data sources used by production parameters of print and proof jobs are marked as permanent, and therefore are not deleted by the automatic deletion mechanism of uProduce. This is because the lifespan of the products is usually much longer than 30 days, and the data sources used are either sample data sources, or additional data sources that don’t contain PII.

    Note that if by mistake you saved a product that uses a data source that contains PII, then replaced it with a sample data source, uStore will not mark the data source with PII as non-permanent, thus you should manually mark it as non-permanent in uProduce.

  • Once a campaign-on-demand order has terminated, the entire campaign is deleted including all its data.

  • Proofs use the recipient list data as long as it is available. However, when the recipient list is automatically deleted, the sample recipient list is used instead.

User Data

In addition to recipient data, uStore is concerned with personal data of users, both registered and anonymous.

Registered users can be deleted from the system upon request, whereas anonymous users are automatically deleted after a 30-day period. On deletion, the system deletes non-submitted orders, uEdit documents, uploaded images, etc. Submitted orders are kept permanently. User information is deleted only if there are no submitted orders relating to the user.

In case of a data retrieval request by a user, it is possible for the administrator to extract all the personal information and order data from the user’s account.

Circle

XMPie provides an upgrade of Circle to comply with GDPR. For complete details about the Circle GDPR solution, see Circle and GDPR in the Circle Help.

The Circle GDPR solution includes the following:

  • Circle provides the ability to retrieve or delete a citizen’s personal data from the system, either from an entire account or from a specific campaign. To enable this ability, you must provide a single field name and value in order to locate the citizen in the recipient list.

    When deleting a citizen, data is removed from the recipient table selected in the Master list and from the tracking storage only.

    When retrieving citizen personal data, data is retrieved from the recipient table selected in the Master list and from the tracking storage. This data is provided in both a human and machine-readable format.

    Note that in cases of remote data sources, only tracking data is removed or retrieved.

  • Data sources created by Circle (and uploaded to uProduce) are marked as permanent, and therefore are not deleted by the automatic deletion mechanism of uProduce. This is because the lifespan of Circle projects is usually much longer than 30 days.

    However, if you do wish to delete an entire data source or a specific recipient, you can do it manually in Circle.

  • When deleting a Circle project, all tracking data of the campaign is deleted, in addition to deletion of the uProduce campaign, including all its materials.

Your responsibility

The following are not managed by XMPie, and as such you will have to handle them on your own:

  • Remote data sources

    You are responsible for retrieving or deleting recipient data from remote data sources by citizen request, and for amending data and holding it only as long as necessary.

  • Additional tables and additional data sources

    Since XMPie deletes and retrieves personal data only from the recipient table selected in the Master list, make sure that other recipient and non-recipient tables in all data sources of the project do not contain any PII. However, if they do, you will have to manually maintain them.

  • Right to object to automated decision processing regulation

    You are responsible for all automated decisions made in your project.
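As an added example (not XMPie's code), the following Python script screens data-source exports for columns that look like PII, to support the post-patch review of permanent uProduce data sources and the check above that a Circle project's additional tables hold no PII. The header words, value patterns and the two CSV exports are constructed assumptions for the example.

```python
import csv
import io
import re

# Heuristic header words and value patterns for a first-pass PII screen.
# These are assumptions for this example, not an XMPie definition of PII;
# a flagged column means "review by a person", not a final verdict.
PII_HEADER_WORDS = ("name", "email", "e-mail", "phone", "mobile", "address",
                    "birth", "ssn", "passport")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
ID_NUMBER_RE = re.compile(r"^\d{8,}$")


def pii_columns(csv_text):
    """Return the columns of a data-source export that look like PII.

    A column is flagged when its header contains a PII-like word, or when at
    least half of its non-empty values look like an email, phone or long ID.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        return []
    flagged = []
    for column in rows[0].keys():
        if any(word in column.lower() for word in PII_HEADER_WORDS):
            flagged.append(column)
            continue
        values = [(r.get(column) or "").strip() for r in rows]
        values = [v for v in values if v]
        hits = sum(1 for v in values
                   if EMAIL_RE.match(v) or PHONE_RE.match(v) or ID_NUMBER_RE.match(v))
        if values and hits / len(values) >= 0.5:
            flagged.append(column)
    return flagged


def classify_sources(sources):
    """Map each data-source name to a verdict on whether it may stay permanent."""
    return {name: ("mark non-permanent" if pii_columns(text) else "may stay permanent")
            for name, text in sources.items()}


# Constructed sample exports: a catalogue with no PII, and a mailing list with PII.
CAR_MODELS_CSV = """Model,Trim,Price,ImageFile
Corsa,GT,18990,corsa_gt.jpg
Astra,Sport,24500,astra_sport.jpg
"""
MAILING_CSV = """FirstName,LastName,Email,Mobile,Offer
Ann,Lee,ann.lee@example.com,+44 20 7946 0958,20% off coats
Ben,Ortiz,ben@example.com,+1 (555) 010-2233,free shipping
"""

if __name__ == "__main__":
    verdicts = classify_sources({"car_models": CAR_MODELS_CSV,
                                 "spring_mailing": MAILING_CSV})
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
```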

Important

  • Recipients selected as the sample recipients of a project should not contain PII. That is, they should not be real recipients of the campaign.

  • Template projects should use a sample data source in the recipient list, since this data is copied to the instance. Alternatively, after creation of an instance and replacement of the recipient list, the copied template’s data source should be deleted.

XMPie Email Service (XES)

GDPR compliance requires XES version 3.3 or higher. In addition, you must contact XMPie Support and request that your XES account be made GDPR compliant.

Note that by default all XES accounts are located in the Amazon US region; nonetheless, they are GDPR compliant due to Privacy Shield protection. However, XMPie gives you the option to move your account to the Amazon EU region, if you wish to do so for some additional reason.

Important

When your XES account is GDPR compliant, “View in browser” and “PDF-on-Demand” are available for only 30 days after the email was sent.

Additional Recommendations

Ensuring Easy Retrieval and Deletion of Citizen Personal Data

One of the main issues which arises when there is a need to retrieve or delete citizen personal data, is identification of the citizen in the recipient list.

XMPie requires a single field name and its value in order to locate a recipient in the database.

Circle provides the means to delete or retrieve a citizen’s personal data from a single project or from an entire uProduce account.

If requests are made for a single project only, different projects can use different fields to identify the citizen; for example, the XMPie recipient key, email address or phone number.

If requests are made for an entire uProduce account, you will need a field that identifies the citizen and appears in the recipient lists of all campaigns of the account; for example, a CRM identifier, email address or phone number.
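An added example (not Circle's own implementation) of the retrieval and deletion flow described here and in the Circle section: a citizen is located by a single field and value, their data is retrieved in machine- and human-readable form or removed from the recipient table and tracking storage, and a helper checks which fields can serve as an account-wide identifier. The recipient rows, tracking events and field names are constructed.

```python
import json

# Constructed sample data: the recipient table selected as the Master list
# of a Circle project, and the tracking storage for the same campaign.
RECIPIENTS = [
    {"RecipientKey": "K7F2Q9", "FirstName": "Ann", "Email": "ann@example.com"},
    {"RecipientKey": "P3M8Z1", "FirstName": "Ben", "Email": "ben@example.com"},
]
TRACKING = [
    {"RecipientKey": "K7F2Q9", "event": "email_open", "ts": "2018-11-02T09:14:00Z"},
    {"RecipientKey": "K7F2Q9", "event": "page_visit", "ts": "2018-11-02T09:15:30Z"},
    {"RecipientKey": "P3M8Z1", "event": "email_open", "ts": "2018-11-03T16:02:10Z"},
]


def locate(recipients, field, value):
    """Recipient rows whose identifying field matches the value (case-insensitive)."""
    wanted = str(value).strip().lower()
    return [r for r in recipients if str(r.get(field, "")).strip().lower() == wanted]


def retrieve_citizen(recipients, tracking, field, value):
    """Return the citizen's data as a machine-readable dict and a human-readable text."""
    rows = locate(recipients, field, value)
    keys = {r["RecipientKey"] for r in rows}
    events = [e for e in tracking if e["RecipientKey"] in keys]
    report = {"lookup": {"field": field, "value": value},
              "recipient_records": rows, "tracking_events": events}
    lines = [f"Data held for {field} = {value}"]
    for r in rows:
        lines.append("Recipient record: " + ", ".join(f"{k}={v}" for k, v in r.items()))
    for e in events:
        lines.append(f"Tracking event: {e['event']} at {e['ts']}")
    return report, "\n".join(lines)


def delete_citizen(recipients, tracking, field, value, remote_source=False):
    """Remove the citizen from the recipient table and the tracking storage.

    For a remote data source only tracking data is removed; the recipient record
    itself is the customer's responsibility. Returns the updated tables and
    the number of rows removed.
    """
    rows = locate(recipients, field, value)
    keys = {r["RecipientKey"] for r in rows}
    new_tracking = [e for e in tracking if e["RecipientKey"] not in keys]
    removed = len(tracking) - len(new_tracking)
    if remote_source:
        return recipients, new_tracking, removed
    new_recipients = [r for r in recipients if r["RecipientKey"] not in keys]
    removed += len(recipients) - len(new_recipients)
    return new_recipients, new_tracking, removed


def usable_account_wide_fields(campaign_fields, candidates):
    """Candidate fields that appear in every campaign's recipient list of an account."""
    return [f for f in candidates if all(f in cols for cols in campaign_fields.values())]


if __name__ == "__main__":
    report, text = retrieve_citizen(RECIPIENTS, TRACKING, "Email", "ann@example.com")
    print(json.dumps(report, indent=2))
    print(text)
```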

Ensuring Data Security for the Web

When implementing or running web campaigns, XMPie cannot control what personal information is contained within a personalized URL, or what information is displayed on personalized pages. Therefore, the major part of the responsibility is in the hands of those creating the campaigns. They must be extra cautious not to expose citizens’ personal information, and must use the most secure version of XMPL. See the XMPL release notes for the latest version.

The following guidelines will help you ensure data security of your websites.

Recipient Key

It is recommended not to use personal information in the recipient key, in order to prevent web pages from being accessed by attackers: discovering the recipient key pattern and guessing its values could cause a data breach.

In websites that do not require signing in to access personal data, guessing the recipient key gives easy access to a citizen’s personal data. In addition, it reveals that the person is part of the campaign.

It is therefore not recommended to use a first and last name, email address, identification number, etc. in the recipient key.

Learn how to generate a non-PII recipient key.
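Added example, not the XMPie documentation's own procedure: generating random recipient keys that carry no personal information and cannot be derived from a pattern, plus a lint that flags existing keys which embed a recipient's own field values. The alphabet, key length and sample recipients are assumptions.

```python
import secrets

# Unambiguous alphabet (no 0/O or 1/I) so keys survive being printed on a mailer.
# 12 symbols from a 32-symbol alphabet give 60 bits of entropy, so keys cannot be
# enumerated or predicted from neighbouring keys. Both values are assumptions.
KEY_ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
KEY_LENGTH = 12


def generate_recipient_key(existing=frozenset()):
    """Return a cryptographically random key that is not already in `existing`."""
    while True:
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))
        if key not in existing:
            return key


def key_contains_pii(key, recipient, key_field="RecipientKey"):
    """True if the key embeds any other field value of the recipient.

    Every non-empty field value of three or more characters is checked, and for
    an email address its local part is checked as well (e.g. 'ann.lee').
    """
    k = key.lower()
    for field, value in recipient.items():
        if field == key_field or not value:
            continue
        v = str(value).strip().lower()
        candidates = {v}
        if "@" in v:
            candidates.add(v.split("@", 1)[0])
        if any(len(c) >= 3 and c in k for c in candidates):
            return True
    return False


def audit_recipient_keys(recipients, key_field="RecipientKey"):
    """Keys that embed PII and should be regenerated before the campaign goes live."""
    return [r[key_field] for r in recipients
            if r.get(key_field) and key_contains_pii(r[key_field], r, key_field)]


def assign_recipient_keys(recipients, key_field="RecipientKey"):
    """Give every row a random unique key, replacing missing keys and PII-derived ones."""
    used = {r[key_field] for r in recipients if r.get(key_field)}
    out = []
    for r in recipients:
        row = dict(r)
        if not row.get(key_field) or key_contains_pii(row[key_field], row, key_field):
            row[key_field] = generate_recipient_key(used)
            used.add(row[key_field])
        out.append(row)
    return out


# Constructed sample list: one PII-derived key left over from an old campaign, one missing key.
SAMPLE_RECIPIENTS = [
    {"RecipientKey": "ann.lee", "FirstName": "Ann", "LastName": "Lee", "Email": "ann.lee@example.com"},
    {"RecipientKey": "", "FirstName": "Ben", "LastName": "Ortiz", "Email": "ben@example.com"},
]

if __name__ == "__main__":
    print("keys to regenerate:", audit_recipient_keys(SAMPLE_RECIPIENTS))
    for row in assign_recipient_keys(SAMPLE_RECIPIENTS):
        print(row["RecipientKey"], row["FirstName"])
```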

Secured URL

The strongest way to achieve data security in a website is by signing in to the website. This allows providers to deliver both secure and personalized campaigns which require users to validate themselves before exposing any personal information.

As part of the GDPR solution, XMPL provides the ability to define a website that requires the recipient to supply credentials and sign in upon each entry to the website or XMPL API.

Learn how to secure your website using SecURL.

HTTPS Protocol

XMPie recommends the use of encrypted HTTP traffic, via HTTPS protocol, and suggests that this is used when personal data is being transferred. See Circle HTTPS Configuration Prerequisites.

Physical Data Storage and Transfer

GDPR prohibits storage and transfer of citizen personal data outside of Europe, without proper protection, as set by the GDPR regulation. For example, data can be stored in and transferred to Amazon non-European regions due to Privacy Shield protection.

XMPie is responsible for data storage and transfer for its cloud services, such as Circle and XES, and cloud-hosted systems, such as uProduce and uStore.

However, the majority of XMPie customers host their own uProduce and uStore servers, and are therefore responsible for the physical location of those servers.

General Security

GDPR requires compliance with industry security standards; for example, network security and file system and database encryption (where required).

XMPie is responsible for security of its cloud services, such as Circle and XES, and cloud-hosted systems, such as uProduce and uStore.

However, the majority of XMPie customers host their own uProduce and uStore servers, and are therefore responsible for the security of those servers.

In order to achieve better security, it is highly recommended that the customer create a tiered environment in which only the necessary parts of the system are exposed to the internet.

In addition, it is important that the customer analyzes the sensitivity of the data that is stored on the servers in order to assess whether file system and database encryption are required.

For more information, refer to the following:

Summary

For information on how to configure GDPR in uProduce, uStore and Circle, refer to the following:


Created by: Svetlana Bogush, last updated: December 25, 2018