Pipe's commitment to GDPR
Last updated: 24th of February 2021
In light of the CJEU Schrems 2 decision, we've reviewed our PII data transfers to US companies. As a result, we have started migrating part of the infrastructure to EEU companies or companies in countries for which there is an adequacy decision. For up to date information, please e-mail firstname.lastname@example.org.
Intro to GDPR
The GDPR (General Data Protection Regulation) is a new European privacy law adopted by the European Commission in 2016 designed to strengthen, modernize and unify the data protection laws for ALL individuals within the European Union.
GDPR will replace the prior EU privacy directive (95/46/EC) as well as all the local nation-state laws relating to it. This directive has been the basis of European data protection law since 1995.
The GDPR will be enforceable starting with the 25th May 2018.
There's a rather high chance GDPR will apply to you too as GDPR applies to:
- all organizations established in the EU
- organizations not established in the EU that are targeting & offering goods or services to individuals located in the EU or monitoring their behaviour in the EU.
This means GDPR could apply to any organization anywhere in the world and thus it sets a high bar for privacy rights and compliance GLOBALLY.
Anyone can read the GDPR legislation at https://gdpr-info.eu/. It's quite an easy read as it's written in common language, not in legalese.
What is Pipe doing to achieve compliance
Pipe is excited about the GDPR and the strong data privacy principles and rules that it establishes and we actively preparing our business for the GDPR.
We've thoroughly read the EU documentation on the GDPR, ran through most material available on the GDPR, and discussed with our legal counsel to understand its impact on Pipe and our customers. We are now at a stage where we understand the regulation, the key concepts and what needs to be done moving forward.
Pipe will be fully compliant with the regulation by 25th May 2018 in respect to:
- the data we collect FROM individuals signing up for Pipe accounts, as data controller
- the data we collect FROM individuals visiting our website, through Apache logs, as data controller
- the data we receive FROM our reseller, Paddle.com Market Ltd, about customers, when subscribing, as data controller
- the data we process FOR our clients in their use of the Pipe service as data processor.
Our compliance work does not stop on the 25th of May 2018, we'll continue to take appropriate technical and organizational measures such that processing meets the requirements of the GDPR and ensure the protection of the rights of the data subject.
Compliance as data controller
Here are some of the changes we are making to be compliant as data controllers in regards to the personal data we process for our purposes.
- Pipe accounts can view & edit all the personal data we collect & store (name, email).
- Pipe accounts can now be instantly deleted together with all the related data (video files & metadata, logs, credentials, etc.).
- Since accounts can now be deleted, we’re now collecting the IP and user agent during sign up and sign in with a data retention period of 1 year past the account deletion date.
- Deleted old data we were storing (ICE candidates from our discontinued WebRTC recording client, old email lists on MailChimp, etc.).
- Set up a retention policy for our website's Apache logs (1 month). Apache logs contain the IP, visited page, GET parameters and the user agent.
- Created a Record of Processing Activities as the videos we process might contain sensitive data related to ethnicity/race.
- Appointed a Data Protection Officer as the videos we process might contain sensitive data related to ethnicity/race.
- All personal data is stored in the EU hosted by EU organizations (EmailOctopus) or US organizations (Amazon Web Services, DigitalOcean) for which there's an "adequacy decision" like participating in the EU-US Privacy Shield.
- Educated all staff on the GDPR.
- We've also reviewed our relation with Paddle.com Market Ltd, our reseller, in terms of data they pass on to us, data we used as controllers, to show clients where their invoices will be sent by Paddle.
- Updated our sign up process to include a separate checkbox for being added to our "News & Product Updates" email list
- Set up a retention policy for personal data associated with expired trial/subscription accounts, data that we collect as a controller (1 year), and remove old data.
- Re-collect consent & proof of consent from the existing emails on our News & Product Updates email list.
- Review the use of non-essential cookies on the Pipe website and blog
- Celebrate 🎉
What is Pipe doing to help you achieve compliance
We've made the above changes so that Pipe is compliant with the GDPR as a data controller in regards to the personal data it collects from its account holders (email, name) and website visitors but we're also making changes towards being compliant as a data processor in relation to the data we process for you (audio & video files, snapshots, device names, IPv4, user agents, referer, etc. ).
Do you need to comply with the GDPR?
You should consult with legal counsel regarding the full scope of your compliance obligations but generally speaking, if you are an organization established in the EU or that processes personal data of EU citizens, you have to comply with GDPR.
If you're selling to businesses your EU customers might have a hard requirement for you to comply with GDPR depending on the nature of your business.
What happens if you do not comply?
Non-compliance with GDPR can result in fines:
- as high as 20 Million Euros or 4% of annual global turnover for blatant violations of the individual's rights, the basic principles for processing including consent rules and the rules for data transfers to international organizations set forth in the GDPR legislation
- as high as 10 Million Euros or 2% of annual global turnover for blatant violations of your obligations as a data controller or processor.
Controller or Processor?
In the context of the Pipe platform and the data we collect and process for you as our customer, you are a controller and we are a processor for your data.
GDPR defines 2 types of consent:
- unambiguous consent
- explicit consent
As a data controller, you need explicit consent for processing sensitive data. There are 6 categories of sensitive data:
- health records
- racial or ethnic origin
- political opinions
- membership of trade unions
- sex life and sexual orientation
- genetic and biometric data
It is our understanding and the understanding of the legal counsel we've consulted that video recordings can reveal the racial or ethnic origin of the person being recorded thus we consider that you as a data controller need to obtain explicit consent before recording individuals.
We recommend you read the Updated Guidelines on Consent (April 2018) for details on how to obtain explicit consent.
The burden of proof for demonstrating consent lies with the controller
What we're doing to help you achieve compliance
- OCTOBER 2020: Rolled out a new lifecycle feature which allows you to automatically delete recordings and associated PII after a number of days.
- Highlighted all personal metadata (collected with the recordings) in the Pipe account's recordings list to help you with awareness.
- Reviewed code for deleting videos (through the REST API, UI, account deletion and on trial/subscription expiration) to make sure the snapshot & video files are deleted together with any (personal) metadata gathered with the video.
- Set up a tight retention policy for the video files and video metadata we collect as a processor once the trial/subscription expires (28 days).
- Updated our REST API and webhooks to make sure it transmits all (personal) metadata we collect with the videos.
- All your personal data is processed in the EU or in the US with US organizations that are participating in the EU-US Privacy Shield (Amazon Web Services, DigitalOcean). The European Commission has reconized US companies participating in the EU-US Privacy Shield as providing adequate level of protection (source).
- Set up a tight retention policy for our media server logs and Apache client delivery logs (28 days). Media server logs contain the IP of the recording device.
- Removed the HTTP referer data from all but the 1st of our webhooks that fires to make sure we're not keeping the data for longer than necessary.
- Implemented a Do Not Store (Personal) Metadata - along with the existing Do Not Store (Files) - to make it easier to comply with GDPR's data storage limitation principle.
- Update our Terms of Service to stipulate all clauses under Art.28 (3) of the GDPR (the new Data Processing Addendum).
- Announce GDPR Compliance