Privacy by design
Hotjar began to dedicate internal resources to the GDPR in June 2017, almost a full year before the deadline. We did this because we value our customers (and their customers) rights to privacy.
We store all data in the EU and compliance with and to international law and regulations is very important to us.
Here’s a condensed version of our GDPR Roadmap and steps taken on our journey:
We took many steps across the entire company to ensure our compliance with the GDPR. We improved anonymity within our analytics tools and made changes to allow you to tailor how you request consent within our feedback tools.
We also worked on interfaces that allow you to address requests from your customers related to their rights for accessing any personal data that might be stored in your Hotjar account.
Based on the research conducted by both our inside and outside counsels we are confident these changes address the requirements of the GDPR.
There are two things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using Hotjar:
The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the the 1995 Data Protection Directive.
The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
In summary, here are some of the key changes to come into effect with the upcoming GDPR:
If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU.
The General Data Protection Regulation (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on handling data.
The GDPR regulates the processing of a data subject’s personal data in the European Union including its collection, storage and transfer or use. The GDPR gives data subjects more rights and control over their data by regulating how you should handle and store any personal data they collect.
As of the 25 May 2018, you need to be in compliant with the provisions of the GDPR.
The GDPR grants 8 fundamental rights to data subjects. These are:
The provisions of the GDPR apply to any entity that processes personal data of individuals in the European Union (EU), including tracking their online activities, regardless of whether the entity has a physical presence in the EU.
Yes! If you are an entity outside the EU, you should still be aware of the GDPR and comply with it if you process personal data of individuals in the EU.
Yes! The UK will still be part of the European Union on the 25th May 2018. Also, if you processes personal data of individuals in the European Union you would still need to comply with the GDPR even post-Brexit.
Yes! If you collect personal data, you need to comply.
Lack of compliance can result in fines of up to 4% of annual global turnover or €20 Million (whichever is largest) for breaching GDPR.
A Data Protection Officer must be appointed in the case of : (a) public authorities, (b) entities that engage in large scale systematic monitoring, or (c) entities that engage in large scale processing of sensitive personal data. It you don’t fall into one of these categories, then you do not need to appoint a Data Protection Officer (although this is highly advisable).
A Data Controller represents the entity that determines the purposes, conditions and means of the processing of personal data. The Data Processor is the entity which processes personal data on behalf of the controller.
In your entity’s relationship with Hotjar, you are the Data Controller of your end user’s personal data (assuming you are capturing some) and Hotjar is the Data Processor. With respect to your entity’s own data, Hotjar is the Data Controller.
If you are an entity based in the EU, or collect data from data subjects in the EU you should sign a Data Processing agreement with Hotjar. You can review and digitally sign a copy of our Data Processing Agreement here. We will countersign it and provide you with a fully executed downloadable copy via email within 2 business days. Always check with you own legal counsel before signing the agreement!
If you have any questions about its contents simply email firstname.lastname@example.org.
No - this isn’t required. The agreement needs to be signed by the entity which effectively entered into the Terms of Service with Hotjar, being the Data Controller.
The agreement needs to be entered into with the entity which effectively entered into the Terms of Service with Hotjar, being the Data Controller.
Disclaimer: We are here to help - but Hotjar does not provide legal advice. This material has been prepared for informational purposes only, and it is not intended to provide, and should not be relied on for legal or compliance advice. For specific advice on how you are to comply with the GDPR, you should consult your own legal advisor.