Modus Engagement Inc., a Delaware Corporation, together with its affiliates (“Modus”), has developed, operates, and maintains an “Enterprise Digital Sales Enablement Solution” under a Software as a Service model, for the benefit of the Modus Clients (the “Platform”). Modus Clients may potentially use the Platform to collect and process personal data relating to individuals in the European Union. As a result, Modus is committed to helping Modus Clients understand the European Union’s new General Data Protection Regulation and its effect on their relationship with Modus, as well as ensuring compliance with that law, to the extent applicable.
What is GDPR?
The European Union’s General Data Protection Regulation (GDPR) is a new privacy law that is effective beginning on May 25, 2018. The GDPR is intended to enhance the protection afforded to personal data of E.U. residents (referred to as data subjects) and increases the obligations placed on companies to use the data in transparent and secure ways.
For a useful summary of the rights and obligations under the GDPR, please review the Guide to the GDPR provided by the U.K. Information Commissioner’s Office.
Who does the GDPR apply to?
The GDPR applies to companies that either (1) are “established” in the E.U. or (2) process personal data about E.U. data subjects in connection with (i) the offering of goods or services to such data subjects or (ii) monitoring the behavior of data subjects in the E.U. Accordingly, the GDPR’s reach is not limited simply to organizations that are located, organized, or employ data subjects in the E.U.
What rights do individuals have under GDPR?
The GDPR affords E.U. data subjects certain rights relating to the processing of their personal data, including the following (as applicable):
- The right to be informed about certain details regarding the processing of personal data, including what personal data is processed, how it is processed, the purpose and lawful basis for the processing, third parties with whom it is shared, how long it is retained, the existence of data subjects’ rights, consequences for failing to provide personal data, and details regarding transfers to countries outside the E.U. and any related safeguards.
- The right to obtain and access their personal data.
- The right to request that their personal data be corrected, modified, or erased.
- The right to object to or restrict the processing of their personal data.
- The right to request their personal data in a format that allows it to be ported to another similar service.
- The right to withdraw consent for processing of their personal data.
To the extent a Modus Client uses Modus’ services to process personal data regarding E.U. data subjects, it is the responsibility of the Modus Client to ensure that it informs the data subjects regarding these rights and otherwise complies with the GDPR.
Is Modus a “Processor” or “Controller” under the GDPR?
The Modus Client decides which individuals to interact with through the Modus Platform and what, if any, personal data should be processed about those individuals. As such, the Modus Client is acting as the so-called “Controller” of the personal data under GDPR and must comply with the GDPR’s requirements for Controllers. Modus is only offering the means allowing the Modus Client to interact with their respective Users and Prospects through the Modus Platform. This means that Modus is only processing the personal data for and on behalf of the Modus Client as a “Processor” (as defined under GDPR).
What does the Modus Platform consist of?
Modus offers an “Enterprise Digital Sales Enablement” solution that, at its core, provides businesses with the content, information, analytics, and tools that help marketing departments to better engage with the sales teams and/or their potential buyers throughout the buying process. The Modus Platform measures the engagement of each party using the Platform, analyzes their behavior and profiles them, as well as measures the attractiveness of content shared with them, to the extent they are interacting with the Platform within the online environment of the Platform as hosted by Modus for and on behalf of the Controller. The Modus Platform is offered as a “Software as a Service” (“SaaS”) model, which is a software licensing and delivery model in which software is centrally hosted and made available to multiple users over a network, including through interacting products (including front-end clients, apps, Web-Interface, plugins, or Integrations to third-party applications). Personal Data on E.U. data subjects is processed for the purpose of allowing Sales Enablement to take place for the benefit, and under the control, of the Modus Client.
What roles and interactions are part of the Modus Platform?
There are three roles by which you can interact with or through the Modus Platform:
- “Administrator” (marketing) – Manages user accounts, uploads content, and monitors usage statistics.
- “User” (sales rep) – Presents content to prospects, shares content with prospects, and monitors prospect engagement with content.
- “Prospect” (potential buyer) – Receives specific content and presentations from User.
Each of these roles will generate their specific analytics regarding how they interact with the content being made available through the Modus Platform. Prospect-generated analytics will be visible to Users and Administrators. User-generated analytics will be visible to Administrators.
What types of personal data may be processed through the Platform?
The Modus Platform processes certain “information relating to an identified or identifiable natural person” for and on behalf of its Customers. For each role (Administrator, User, Prospect), certain contact information is processed (i.e. direct identifiable personal data such as an e-mail address or name) as well as certain account information, profiling/behavioral information, device information, connection information, content, integrations with marketing automation/CRM services, and geolocation data (i.e., indirect identifiable personal data requiring a whole dataset in order to identify a single person). For specific information on which types of personal data are being processed, see the administration settings in the Modus Platform or contact the Modus data protection officer at firstname.lastname@example.org.
Does Modus process financial data?
No, Modus does not process any financial data.
Does Modus process any sensitive personal data, as defined by the GDPR?
No, Modus does not process any sensitive personal data, such as medical, racial, criminal, or social security information.
What is the lawful basis for processing personal data?
Modus’ Clients are responsible for identifying for E.U. data subjects a lawful basis for the processing activities relating to their personal data. Appropriately obtained and informed consent may be a lawful basis for processing personal data. To that end, the Modus Platform can be used to prompt for consent to process personal data upon the initial interaction with the Platform.
How long does the Modus Platform retain personal data?
Production Data:
- Administrators and Sales Reps – Once the account is deleted by the Modus Client, all personal data is immediately deleted and analytics data is anonymized.
- Prospects – Data is retained for a period of time that is configurable by the Modus Client, after which it is anonymized.
Backups: Our security team performs automated data backups on a daily and weekly basis. These backups are retained for three months before secure destruction.
Does Modus use Subprocessors?
Modus uses subprocessors both in our core Platform and in the implementation of certain configurable features. The subprocessors used for our core Platform are necessary to the functionality of our Platform (for example, hosting providers). Some subprocessors are used for optional features of the Platform, which can be disabled. For more information on the specific subprocessors we use, please contact the Modus data protection manager at email@example.com.
What parties have access to Personal Data as processed by the Modus Platform?
Modus shares personal data with:
- Employees and individual contractors;
- Subprocessors (see above);
- Prospects (limited to contact information of the User sending content to the Prospect); and
- Other third parties as required by law.
Data is shared with each party only to the extent necessary for a specific purpose.
Does Modus have a Data Processing Agreement available?
To the extent processing of personal data within your organization falls within the material scope and territorial scope of GDPR (Articles 2 and 3 GDPR), the GDPR requires that the processing occurs under a Data Processing Agreement that requires certain minimum criteria to be met (Article 28(3) GDPR). Modus therefore has created a so-called “Data Processing Addendum” or “DPA” that includes all the required GDPR terms. The Modus DPA reflects the unique aspects of the Modus Platform and processing activities, and modifies the Modus Clients’ agreement for the Modus Platform to bring it into GDPR compliance.
What is Modus doing to help clients comply with GDPR?
In addition to these FAQs, Modus is taking the following steps to assist Modus Clients in complying with the GDPR.
Dedicated privacy page: gomodus.com/gdpr
Data protection manager: Modus has appointed a data protection manager who works closely with our security and product teams.
Privacy settings: Additional privacy settings and functionality in the admin space of the Platform are in development. These privacy settings will allow for a more granular approach to set the respective privacy settings. These settings make a clear distinction for Modus Clients to change “General Privacy Settings”, “User Privacy Settings”, and “Prospect Privacy Settings.” These privacy settings can be managed by the respective account owner or privacy officers at the Customer in the backend of the Modus Platform.
Vetting by Modus of its subprocessors: Each subprocessor of Modus is vetted by Legal, Security, and the Modus data protection officer in the areas of security, contractual terms, and data processing agreements.
Anonymization: Personal data of Prospects is anonymized after a certain time of inactivity to be determined by the Customer.
Product engineering: All new product capabilities that are to be introduced from 2018 onwards will (i) follow the GDPR principles of “privacy by design” and “privacy by default” and (ii) give flexibility to both EU customers and non-EU customers regarding privacy, while (iii) keeping all changes as simple as possible.
How can concerns regarding processing be registered?
In the event that you have a complaint about Modus as it relates to our processing of your personal data, please contact us directly at firstname.lastname@example.org and we will work to resolve this complaint with you. You also have the right to log a complaint with the data protection authority. You can find additional information on how to contact your national data protection authority here: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en
Who can I contact for more info?
Modus has appointed a data protection manager who can be contacted at email@example.com