Difference between revisions of "ATC/Current/AdminGuide/GDPR"

From Genesys Documentation
Jump to: navigation, search
(Published)
(Published)
Line 3: Line 3:
 
|Platform=PureEngage, PureConnect, PureCloud
 
|Platform=PureEngage, PureConnect, PureCloud
 
|Dimension=Compliance
 
|Dimension=Compliance
|Context={{MINTYDOCSPRODUCT}} is compliant with GDPR.
+
|Context=Learn how to use {{MINTYDOCSPRODUCT}} in a GDPR-compliant way.
 
}}
 
}}
 
=={{MINTYDOCSPRODUCT}} and GDPR==
 
=={{MINTYDOCSPRODUCT}} and GDPR==
For the purposes of GDPR compliance, {{MINTYDOCSPRODUCT}} is a Data Processor on behalf of our customers. Our customers are the Data Controllers of the personally identifiable data they collect from their end customers, the Data Subjects. This article describes how to adhere to GDPR consent requirements, should consent be necessary. To determine whether you need to obtain your end-customers' consent to collect their personally identifiable data, consult your legal advisor.  
+
For the purposes of GDPR compliance, Genesys is a data processor on behalf of customers who use the {{MINTYDOCSPRODUCT}} product. You, our customers, are the data controllers of the personal data you collect from your end customers, the data subjects. This article describes how to adhere to GDPR consent requirements, should you identify consent as the most appropriate lawful basis for processing personal data. Note that there is no ‘right’ or ‘wrong’ lawful basis for processing personal data; the GDPR requires that data controllers consider the most appropriate lawful basis. A helpful link for what to consider when determining the most appropriate lawful basis can be found {{#Widget:ExtLink|link=https://ico.org.uk/for-organisations/resources-and-support/lawful-basis-interactive-guidance-tool/|displaytext=here.}}
  
{{NoteFormat|Be sure you understand the steps you need to take before you collect, process, or store your end-customers' personally identifiable data.|1}}
+
{{NoteFormat|Be sure you understand the steps you need to take before you collect, process, or store your end-customers' personal data.|1}}
  
{{MINTYDOCSPRODUCT}} collects data about visitors' activities on business websites. We use machine learning and AI to analyze customer-generated events (page views, searches, form-fills, and chat) to determine the probability of a specific customer achieving a specific outcome. An outcome is an event the business wants to maximize or minimize. Example outcomes are making a purchase, signing up for a webinar, or filling a complex form online. For information about how {{MINTYDOCSPRODUCT}} uses cookies to track visitor activity on websites, see ''How {{MINTYDOCSPRODUCT}} uses cookies to identify visitors'' in the {{#mintydocs_link:manual=Developers|topic=Tracking_code}} article.
+
{{MINTYDOCSPRODUCT}} collects data about visitors' activities on business websites. It uses machine learning and AI to analyze customer-generated events (page views, searches, form-fills, and chats) to determine the probability of a specific customer achieving a specific outcome. An outcome is an event the business wants to maximize or minimize. Example outcomes are making a purchase, signing up for a webinar, or filling out a complex form online. For information about how {{MINTYDOCSPRODUCT}} uses cookies to track visitor activity on websites, see {{#mintydocs_link:manual=Developers|topic=Cookies|link text=Cookie usage.}}
  
{{NoteFormat|{{MINTYDOCSPRODUCT}} does not pass end-customer data to any advertising or re-targeting companies. {{MINTYDOCSPRODUCT}} passes end-customer data to business-integrated tools such as Salesforce, Marketo, and so on '''only''' when one of our business customers configures that behavior for their organization.|1}}
+
Businesses use end-customer data that {{MINTYDOCSPRODUCT}} collects for three primary purposes:
 +
* Customer support - proactive or AI-driven engagement via chat and callback offers;
 +
* Sales engagement -  proactive or AI engagement via chat, callbacks, and content offers;
 +
* Marketing - proactive or AI; for example, sign-up for an event or webinar via content offer.
 +
 
 +
If you are still unsure as to whether you should obtain the data subject's consent to process their personal data, you may wish to consult your legal advisor.
 +
 
 +
{{NoteFormat|Genesys does not pass end customer personal data processed through {{MINTYDOCSPRODUCT}} to any advertising or re-targeting companies. End-customer personal data processed through {{MINTYDOCSPRODUCT}} may be shared with business-integrated tools such as Salesforce and Marketo. This will happen '''only''' when one of our business customers configures that behavior for their organization. |1}}
 +
 
 +
==Conditions for consent==
 +
If you have identified consent as the most appropriate lawful basis for processing end customer personal data, then the following conditions should be met when obtaining consent:
 +
 
 +
* You must be able to demonstrate that the data subject has consented to processing of his or her personal data. That means you should maintain a record or audit trail of consent being given.
 +
 
 +
* If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  
Businesses use end-customer data that {{MINTYDOCSPRODUCT}} collects for three primary purposes:
+
* The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
* Customer support - proactive or AI-driven engagement via chat and callback offers
 
* Sales engagement -  proactive or AI engagement via chat, callbacks, and content offers
 
* Marketing - proactive or AI; for example, sign-up for an event or webinar via content offer
 
  
You may have additional legitimate bases for collecting, storing, and processing end-customer data. Customer support or sales engagement use cases are typically legitimate. Marketing use cases do not typically qualify as applicable, legitimate interests for collecting personally identifiable data. Consult the appropriate legal sources to determine the applicable bases for collecting personally identifiable data as per your business model.
+
* When assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
  
==Implement consent for tracking visitors on your website==
+
If you have identified consent as the most appropriate lawful basis for processing end customer personal data, then you should consider what consent has been given before calling the following functions.
Work with your legal counsel to determine whether you need explicit consent to track visitors on your website. If you need explicit consent, see ''Obtain consent'' in the {{#mintydocs_link:manual=Developers|topic=Tracking_code|}} article.  
 
  
{{NoteFormat|Be sure to state on your user interface why you require consent.|1}}
+
The <tt>ac('init',...)</tt> function starts {{MINTYDOCSPRODUCT}} tracking on your website.
  
The <tt>ac('init',...)</tt> function starts {{MINTYDOCSPRODUCT}}'s tracking on your website. Call this function only after you receive explicit consent. 
+
The <tt>ac('record',...)</tt> function allows {{MINTYDOCSPRODUCT}} tracking of custom user actions on your website.
  
==Implement consent for form-fill data on your website==
+
The <tt>ac('identify',...),</tt> function is used to identify end-users.
Work with your legal counsel to determine whether you need explicit consent to collect form data. To obtain consent for collecting personally identifiable data via a form submit action, include a checkbox with a label such as the following on your website:
 
*I agree or disagree to allow ''the business''  to use this data for ''purpose''.
 
  
Also:
+
For more information about these functions and others where consent may need to be considered, see  
*Enable the form's Submit button only after the visitor has selected the checkbox.
+
{{#mintydocs_link:manual=Developers|topic=Tracking_code|link text=About the tracking snippet.}}
*When the visitor clicks the Submit button, call the <tt>ac('record',...)</tt> function to pass the visitor's data to {{MINTYDOCSPRODUCT}}.
 
*Whenever you call <tt>ac('identify',...)</tt>, consider whether you need to obtain consent.
 
For more information about these functions, see {{#mintydocs_link:manual=Developers|topic=Tracking_code}}.
 
  
 
{{NoteFormat|If you require consent to be GDPR-compliant, obtain that consent before passing any personally identifiable data to {{MINTYDOCSPRODUCT}}.|1}}
 
{{NoteFormat|If you require consent to be GDPR-compliant, obtain that consent before passing any personally identifiable data to {{MINTYDOCSPRODUCT}}.|1}}
  
==Make a "Right to be forgotten" request==
+
==Make a "right to be forgotten" request==
As a Data Controller, you can make a "right to be forgotten" request on behalf of a visitor. To do this, send an email to [mailto:DataPrivacy@Genesys.com DataPrivacy@Genesys.com]. Be sure to provide the following identifying parameters for the visitor. These parameters are the primary keys by which {{MINTYDOCSPRODUCT}} recognizes unique visitors:
+
As a data controller, you can make a "right to be forgotten" request on behalf of a visitor. To do this, send an email to [mailto:DataPrivacy@Genesys.com DataPrivacy@Genesys.com]. Be sure to provide the following identifying parameters for the visitor. These parameters are the primary keys by which {{MINTYDOCSPRODUCT}} recognizes unique visitors:
 
*Email address
 
*Email address
 
*Phone number
 
*Phone number
Line 48: Line 53:
  
 
{{NoteFormat|
 
{{NoteFormat|
It is your responsibility as the Data Controller to:
+
It is your responsibility as the data controller to:
*Confirm the visitor's identity before submitting a "right to be forgotten" request on their behalf to {{MINTYDOCSPRODUCT}}.  
+
*Confirm the visitor's identity before submitting a "right to be forgotten" request on their behalf to Genesys.  
 
*Provide the identifying parameters of the visitor who is requesting to be forgotten.  
 
*Provide the identifying parameters of the visitor who is requesting to be forgotten.  
 
'''Notes:'''
 
'''Notes:'''
 
*All identities related to these parameters will be subject to deletion.
 
*All identities related to these parameters will be subject to deletion.
*After {{MINTYDOCSPRODUCT}} deletes visitor data, it cannot be recovered.|1}}
+
*After Genesys deletes visitor data, it cannot be recovered.|1}}
 
 
{{MINTYDOCSPRODUCT}} honors "Right to be forgotten" requests within 28 days. {{MINTYDOCSPRODUCT}} sends a confirmation to the Data Control when data has been deleted.
 
  
==Make a "Right of access" request==
+
Genesys honors "right to be forgotten" requests within 28 days. Genesys sends a confirmation to the data controller when data has been deleted.
As a Data Controller, you can make a "right of access" request. To do this, the designated representative from your organization should send email to [mailto:DataPrivacy@Genesys.com DataPrivacy@Genesys.com]. The email should contain the identifying parameters for the visitor. These parameters are the primary keys by which {{MINTYDOCSPRODUCT}} recognizes unique visitors:
 
  
 +
==Make a "right of access" request==
 +
As a data controller, you can make a "right of access" request. To do this, the designated representative from your organization should send an email to [mailto:DataPrivacy@Genesys.com DataPrivacy@Genesys.com]. The email should contain the identifying parameters for the visitor. These parameters are the primary keys by which {{MINTYDOCSPRODUCT}} recognizes unique visitors:
 
*Email address
 
*Email address
 
*Phone number
 
*Phone number
Line 66: Line 70:
  
 
{{NoteFormat|
 
{{NoteFormat|
It is your responsibility as the Data Controller to:  
+
It is your responsibility as the data controller to:  
* Confirm the visitor's identity before submitting a "right of access" request on their behalf to {{MINTYDOCSPRODUCT}}.
+
* Confirm the visitor's identity before submitting a "right of access" request on their behalf to Genesys.
 
* Provide the identifying parameters of the visitor whose data is to be provided.  
 
* Provide the identifying parameters of the visitor whose data is to be provided.  
  
 
Note:
 
Note:
*{{MINTYDOCSPRODUCT}} will provide all data related to the identities having these parameters.  
+
*Genesys will provide all data related to the identities having these parameters.  
 
|1}}
 
|1}}
  
{{MINTYDOCSPRODUCT}} honors "Right of access" requests within 28 days. {{MINTYDOCSPRODUCT}} sends your designated representative the data in JSON format.
+
Genesys honors "right of access" requests within 28 days. Genesys sends your designated representative the data in a suitable format.
  
 
==Stop tracking==
 
==Stop tracking==
For information on how to stop tracking if a visitor revokes consent, see ''Stop tracking if a visitor revokes consent'' in the {{#mintydocs_link:manual=Developers|topic=Tracking_code}} article.  
+
For information on how to stop tracking if a visitor revokes consent, see ''Stop tracking if a visitor revokes consent'' in the {{#mintydocs_link:manual=Developers|topic=Web_Tracking_API|link text=Web Tracking API}} article.
  
 
[[Category:V:ATC:Draft]]
 
[[Category:V:ATC:Draft]]

Revision as of 22:06, March 4, 2019

This topic is part of the manual Genesys Predictive Engagement Administrator's Guide for version Current of Genesys Predictive Engagement.


Learn how to use Genesys Predictive Engagement in a GDPR-compliant way.

Genesys Predictive Engagement and GDPR

For the purposes of GDPR compliance, Genesys is a data processor on behalf of customers who use the Genesys Predictive Engagement product. You, our customers, are the data controllers of the personal data you collect from your end customers, the data subjects. This article describes how to adhere to GDPR consent requirements, should you identify consent as the most appropriate lawful basis for processing personal data. Note that there is no ‘right’ or ‘wrong’ lawful basis for processing personal data; the GDPR requires that data controllers consider the most appropriate lawful basis. A helpful link for what to consider when determining the most appropriate lawful basis can be found here.

Important
Be sure you understand the steps you need to take before you collect, process, or store your end-customers' personal data.

Genesys Predictive Engagement collects data about visitors' activities on business websites. It uses machine learning and AI to analyze customer-generated events (page views, searches, form-fills, and chats) to determine the probability of a specific customer achieving a specific outcome. An outcome is an event the business wants to maximize or minimize. Example outcomes are making a purchase, signing up for a webinar, or filling out a complex form online. For information about how Genesys Predictive Engagement uses cookies to track visitor activity on websites, see Cookie usage.

Businesses use end-customer data that Genesys Predictive Engagement collects for three primary purposes:

  • Customer support - proactive or AI-driven engagement via chat and callback offers;
  • Sales engagement - proactive or AI engagement via chat, callbacks, and content offers;
  • Marketing - proactive or AI; for example, sign-up for an event or webinar via content offer.

If you are still unsure as to whether you should obtain the data subject's consent to process their personal data, you may wish to consult your legal advisor.

Important
Genesys does not pass end customer personal data processed through Genesys Predictive Engagement to any advertising or re-targeting companies. End-customer personal data processed through Genesys Predictive Engagement may be shared with business-integrated tools such as Salesforce and Marketo. This will happen only when one of our business customers configures that behavior for their organization.

Conditions for consent

If you have identified consent as the most appropriate lawful basis for processing end customer personal data, then the following conditions should be met when obtaining consent:

  • You must be able to demonstrate that the data subject has consented to processing of his or her personal data. That means you should maintain a record or audit trail of consent being given.
  • If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  • The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  • When assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

If you have identified consent as the most appropriate lawful basis for processing end customer personal data, then you should consider what consent has been given before calling the following functions.

The ac('init',...) function starts Genesys Predictive Engagement tracking on your website.

The ac('record',...) function allows Genesys Predictive Engagement tracking of custom user actions on your website.

The ac('identify',...), function is used to identify end-users.

For more information about these functions and others where consent may need to be considered, see About the tracking snippet.

Important
If you require consent to be GDPR-compliant, obtain that consent before passing any personally identifiable data to Genesys Predictive Engagement.

Make a "right to be forgotten" request

As a data controller, you can make a "right to be forgotten" request on behalf of a visitor. To do this, send an email to DataPrivacy@Genesys.com. Be sure to provide the following identifying parameters for the visitor. These parameters are the primary keys by which Genesys Predictive Engagement recognizes unique visitors:

  • Email address
  • Phone number
  • Cookie ID
  • Business-specific ID that has been passed to Genesys Predictive Engagement with other customer data
Important

It is your responsibility as the data controller to:

  • Confirm the visitor's identity before submitting a "right to be forgotten" request on their behalf to Genesys.
  • Provide the identifying parameters of the visitor who is requesting to be forgotten.

Notes:

  • All identities related to these parameters will be subject to deletion.
  • After Genesys deletes visitor data, it cannot be recovered.

Genesys honors "right to be forgotten" requests within 28 days. Genesys sends a confirmation to the data controller when data has been deleted.

Make a "right of access" request

As a data controller, you can make a "right of access" request. To do this, the designated representative from your organization should send an email to DataPrivacy@Genesys.com. The email should contain the identifying parameters for the visitor. These parameters are the primary keys by which Genesys Predictive Engagement recognizes unique visitors:

  • Email address
  • Phone number
  • Cookie ID
  • Business-specific ID that has been passed to Genesys Predictive Engagement with other customer data
Important

It is your responsibility as the data controller to:

  • Confirm the visitor's identity before submitting a "right of access" request on their behalf to Genesys.
  • Provide the identifying parameters of the visitor whose data is to be provided.

Note:

  • Genesys will provide all data related to the identities having these parameters.

Genesys honors "right of access" requests within 28 days. Genesys sends your designated representative the data in a suitable format.

Stop tracking

For information on how to stop tracking if a visitor revokes consent, see Stop tracking if a visitor revokes consent in the Web Tracking API article.

Retrieved from "https://all.docs.genesys.com/ATC/Current/AdminGuide/GDPR (2025-06-18 20:08:24)"
Comments or questions about this documentation? Contact us for support!