LEGAL ADVICE DISCLAIMER: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. 

Readers of this webpage should contact their attorney to obtain advice with respect to any particular legal matter.  

This document explains both how the GA Connector complies with the EU & UK GDPR and how GA Connector users can use our Services in compliance with the GDPR.


Understanding key GDPR compliance requirements and how to comply with them

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force. We at GA Connector are committed to being fully compliant with the new EU requirements.

This new regulation, which is aimed at protecting the privacy of EU citizens, expands citizens’ and residents’ control over the data they share on the web.

  • Below is a list of key obligations you need to comply with under the GDPR. We will continue to work on them regularly to help you be transparent with your clients.

    What it means

    Lawful basis of processing: As a Data Controller, you need to rely on a legal basis to process data. This can be consent, legitimate interest or a contract.

    When you use the GA Connector tool, you act as a Data Controller. Therefore, you need to identify and rely on a lawful basis such as consent to lawfully collect and process personal data.

    Withdrawal of consent (or opt-out): You need to ensure that your customers and website visitors can easily withdraw their consent.
    Transparency: When using GA Connector apps, you will need to notify your clients that you are using cookies to track information about them. You can achieve this through your Privacy Policy, Cookies Policy, and Cookies banner.
    Deletion: Everyone has the right to be forgotten. GDPR requires the permanent removal of subject’s data upon request. You will have 30 days to respond to deletion requests.
    Access / Portability: Your own customers and website users can request access to their data collected via GA Connector.
    Modification: GDPR gives the right to modify data, should it be inaccurate or incomplete.
    Security Measures: GDPR raises standards in digital security. To stay compliant, personal data needs to be encrypted, and encryption keys should be stored separately from data.
  • Relying on consent when using GA Connector Tracker
    Consent is likely to be the most appropriate legal basis when you implement the GA Connector script. Therefore, you need to ensure that you obtain consent in compliance with the GDPR before you start using GA Connector Script. However, we need to warn you that it is trickier than it sounds and even Amazon was hit with a €746 million fine in Luxembourg due to non-compliance with consent requirements.

    While we strongly recommend that you seek independent advice for legal compliance when using GA Connector script, here are a few suggestions for obtaining consent in a GDPR-compliant way:

    Turn off GA Script by default and obtain Prior Consent: Activating GA Connector script may only take place after consent has been given.

    Voluntariness: The person concerned must consent freely and without coercion. Refusal must not be more difficult than granting consent.

    Informedness: You need to provide information about how you use GA Connector Script, what personal data you collect, how you use the collected data, and how you combine this data with other data.

    Active consent: Consent must be actively given by your customers/leads/website visitors. Simply providing information before or in parallel to continuing surfing is not sufficient.

    Separate from other declarations: Consent must be given separately from other declarations – for example, consent to the terms and conditions of an online shop.

    Revocability: Users must be able to revoke their consent at any time with future effect.

    For example, you can see on the Reuters’ website that they turn off cookies and scripts that are used for marketing-advertising by default and they ask for user consent:

  • Transparency requirements and GA Connector: Before you activate GA Connector Script and start collecting your customers’ or website visitors’ personal data, you need to provide them with sufficient information about what the GA Connector script is, what personal data it collects, for what purposes you use it and how users can exercise their statutory rights under the GDPR. Therefore, you may need to take the following steps:

    In your Privacy and Cookies Policy, you need to address what the GA Connector script is, what personal data it collects, for what purposes you use it, and how users can exercise their statutory rights under the GDPR.

    Furthermore, your cookies banner may also need to specifically address how you collect personal data via GA Connector.

How GA Connector complies with the GDPR requirements

Privacy considerations depending on the type of integration

GA Connector consists of several apps that each serve different purposes, depending on the type of integration.

Each app is built differently and has different privacy considerations:

Salesforce-to-Google Analytics:

GA Connector Salesforce-to-Google Analytics integration is a managed Salesforce package that monitors changes to your Salesforce records, such as:

  • Lead status
  • Opportunity stage
  • Opportunity amount.

In the event of any changes, GA Connector sends data directly to your Google Analytics account via secure HTTPS protocol.

This package doesn’t store any of your data on our servers. Everything is stored either in your Salesforce or in your Google Analytics account.

Furthermore, because of the way Salesforce security was built, it’s technically impossible for us to gain access to your data through this package. You can read more about that here.

Zoho-to-Google Analytics

Zoho-to-Google Analytics works the same as Salesforce-to-Google Analytics, except that for certain technical reasons, it doesn’t send data directly to Google Analytics, but sends it first to the GA Connector server and the server sends it to Google Analytics.
We don’t store any of your data.

GA-to-Salesforce and GA-to-Zoho integration (API-based)

This is the only case where we store information on our servers.

Here is what we collect:

  • First and last click source information (source, medium, term, campaign, content, landing page, etc.)
  • Location and time zone (based on user’s IP address, which we don’t store anywhere in our system)
  • Information about device (browser, device type, device version)
  • Google Analytics client ID
  • Email addresses and phone numbers that users enter in forms on the website (in order to be able to match visitor data with CRM data).

All data is securely stored on Digital Ocean in NYC. Industry-standard security measures are implemented in order to protect this data.

You can read more about how this type of integration works here.

GA-to-CRM (cookie-based integration)

When a user visits a website with a GA Connector cookie-based tracking code, the tracking script collects information about the referral URL and landing page URL and sends it to our server via encrypted HTTP protocol. The server returns parameters to the script, which stores them in cookies and hidden form fields.

After that, GA Connector’s job is done, and the webs

How GA Connector complies with the GDPR

What it means / What GA Connector implemented

Lawful basis of processing: We need to identify and rely on a legal basis to process personal data. This can be consent, legitimate interest or a contract. You can have a look at our Privacy Policy to see what legal basis we rely on for each processing activity.
Withdrawal of consent (or opt-out): After signing up for GA Connector, you will get a number of emails to help you install our app.

We won’t spam you, ever.

You can unsubscribe automatically by clicking “unsubscribe” in an email or manually by emailing contact@gaconnector.
Cookies: When using cookies on our website, we comply with the EU-UK GDPR and do not activate cookies without user consent, unless they are strictly necessary.
Deletion: Everyone has the right to be forgotten. GDPR requires the permanent removal of subject’s data upon request. You will have 30 days to respond to deletion requests. To delete your personal data or your client’s information, please contact us at [email protected].
Access / Portability: You and your clients have the right to access personal data we have about you. To request a contact record, please contact [email protected].
Modification: GDPR gives the right to modify data, should it be inaccurate or incomplete. To modify your personal data or your client’s information, please contact us at [email protected].
Security Measures: GDPR raises standards in digital security. To stay compliant, personal data needs to be encrypted, and encryption keys should be stored separately from data. All personal data (email and/or telephone) that is stored on our server is encrypted.
Data Processing Agreement: Article 28 GDPR requires us to sign a Data Processing Agreement with our customers, who are data controllers. You can check our Data Processing Agreement here: https://gaconnector.com/about-us/ga-connector-data-processing-agreement.pdf
Confidentiality: We are obliged to implement appropriate measures to ensure the confidentiality of data. We implement necessary technical security measures and enter into confidentiality agreements with all our employees and contractors.

FAQ

What is the relationship between the GA Connector and You?

When you implement the GA Connector script and collect and use personal data, you are a Data Controller because you ultimately decide how you collect and use personal data. 

Under the EU & UK GDPR, the GA Connector is considered a Data Processor and is subject to a different set of obligations.

What governs the relationship between the GA Connector and the Customers?

Under the GDPR, a Data Controller and a Data Processor shall enter into a Data Processing Agreement that governs the processing of personal data.

To comply with our GDPR obligations, we enter into a Data Processing Agreement with our customers when they sign up on our platform. 

You can access our Data Processing Agreement here: 

https://gaconnector.com/about-us/ga-connector-data-processing-agreement.pdf

Is GA Connector fully compliant?

Yes. We do our best to stay transparent and honest with our clients. We are preparing new features and updates.

Does GA Connector store personal information?

Not until users start filling out the forms on your website, at which point you should ask for consent to store this information.

Until users start interacting with your forms, GA Connector doesn’t store any personal information. For this reason, we stopped storing users’ IP addresses; since we don’t have any control over the Cookie Policy on our clients’ websites, we decided not to store this data or send it to CRM systems.

Where is my data stored?

GA Connector data is processed and stored with Amazon data storage. It’s located in North Virginia. Amazon supports GDPR and will be fully compliant by May 25, 2018.

Will GA Connector be able to comply with the right to be forgotten?

If your clients want their data erased, please contact us via [email protected].

Do I need to have client’s consent before a session starts with GA Connector?

This is not necessary. The information that GA Connector stores before form submission is not classified as private. Private information may be tracked when submitting forms, so at this point, you should ask your clients for consent.