GDPR Compliance with Hotjar
Check out our latest webinar recording of how to build trust and transparency around your data by using Hotjar in a GDPR-compliant manner.
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force, impacting how businesses collect and process data from individual EU data subjects.

If you have or plan to have website/app visitors who are data subjects in the EU, or you process any form of data on EU data subjects, this one’s for you. 

Watch our panel of experts in this webinar recorded on May 2nd 2018, as we discuss an overview of the requirements under the GDPR, the steps Hotjar has taken, and features available to assist you with your GDPR compliance programs.

Frequently Asked Questions
We have compiled this list from the most common questions we have received around GDPR, but as always if there is any further questions you have please do not hesitate to reach out to support@hotjar.com and a member of our team will be sure to you help out.

What is the GDPR?

The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

What does the GDPR regulate?

The GDPR regulates the processing of a data subject’s personal data in the European Union including its collection, storage and transfer or use. The GDPR gives data subjects more rights and control over their data by regulating how you should handle and store any personal data they collect.

When do I need to comply with the GDPR?

As of the 25 May 2018, you need to be in compliant with the provisions of the GDPR.

What rights will data subjects have under GDPR?

The GDPR grants 8 fundamental rights to data subjects. These are

  • Right to be informed - Entities must be transparent in how they are using personal data and must inform data subjects of this.
  • Right of access - Data subjects will have the right to know what personal data is held about them and how it is processed.
  • Right of rectification - Where reasonably possible, data subjects will be entitled to have personal data rectified/edited if they feel that it is inaccurate or incomplete.
  • Right to erasure - This is also sometimes referred to as 'the right to be forgotten', Here, data subjects have the right to have their personal data permanently deleted upon their request and they do not have to provide a reason for the request.
  • Right to restrict processing - Data subjects have the right to block processing of their personal data.
  • Right to data portability - Where reasonably possible, data subjects have the right to retain and reuse their personal data for their own purpose.
  • Right to object - In certain circumstances, data subjects are entitled to object to their personal data being used. This includes, if personal data is used for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.

Who does the GDPR apply to?

The provisions of the GDPR apply to any entity that processes personal data of individuals in the European Union (EU), including tracking their online activities, regardless of whether the entity has a physical presence in the EU.

We are not based in the EU. Do we still need to comply?

Yes! If you are an entity outside the EU, you should still be aware of the GDPR and comply with it if you process personal data of individuals in the EU.

We’re is based in the UK. Do I still need to comply due to Brexit?

Yes! The UK will still be part of the European Union on the 25th May 2018. Also, if you processes personal data of individuals in the European Union you would still need to comply with the GDPR even post-Brexit.

We don’t charge money for the services provided. Do we still need to comply with the GDPR?

Yes! If you collect personal data, you need to comply.

What happens if we don’t comply with the GDPR?

Lack of compliance can result in fines of up to 4% of annual global turnover or €20 Million (whichever is largest) for breaching GDPR.

Do we need to appoint a Data Protection Officer?

A Data Protection Officer must be appointed in the case of : (a) public authorities, (b) entities that engage in large scale systematic monitoring, or (c) entities that engage in large scale processing of sensitive personal data. It you don’t fall into one of these categories, then you do not need to appoint a Data Protection Officer (although this is highly advisable).

What is the difference between a Data Processor and a Data Controller?

A Data Controller represents the entity that determines the purposes, conditions and means of the processing of personal data. The Data Processor is the entity which processes personal data on behalf of the controller.
In your entity’s relationship with Hotjar, you are the Data Controller of your end user’s personal data (assuming you are capturing some) and Hotjar is the Data Processor. With respect to your entity’s own data, Hotjar is the Data Controller.

As a Data Controller, do I have to sign a Data Processing Agreement with Hotjar?

If you are an entity based in the EU, or collect data from data subjects in the EU you should sign a Data Processing agreement with Hotjar. You can review and digitally sign a copy of our Data Processing Agreement here. We will countersign it and provide you with a fully executed downloadable copy via email within 2 business days. Always check with you own legal counsel before signing the agreement! 
If you have any questions about its contents simply email legal@hotjar.com.

We has a number of sites associated to its account. Do we need to sign an agreement per site?

No - this isn’t required. The agreement needs to be signed by the entity which effectively entered into the Terms of Service with Hotjar, being the Data Controller.

We are an agency and we use your product for a number of our customers. Should it be us or our customers who sign the Data Processing Agreement?

The agreement needs to be entered into with the entity which effectively entered into the Terms of Service with Hotjar, being the Data Controller.

We would like to inform my end users that we use Hotjar on our site. Can you provide any sample wording that we could use in our Privacy Policy?

Yes - We have a sample English version and a German translated version of wording you can include in your Privacy Policy. This was developed in conjunction with a German attorney. Please note that it is a very generic statement and might need to be tailored to fit your particular use of our service. We also recommend that you work with your own counsel to make sure that it addresses any concerns your business and customers might have.


Disclaimer: We are here to help - but Hotjar does not provide legal advice. This material has been prepared for informational purposes only, and it is not intended to provide, and should not be relied on for legal or compliance advice. For specific advice on how you are to comply with the GDPR, you should consult your own legal advisor.

further-reading-icon

Further Reading
If you want more information, check out the following:
acceptable-use-policy-icon

Acceptable Use Policy

Review our dos and don’ts

GDPR-icon

GDPR Commitment

Take a look at our commitment to GDPR

legal-overview-icon

Legal Overview

Review all our legal docs

data-processor-agreement-icon

Data Processor Agreement

Review and/or sign our DPA

At Hotjar, we are constantly working towards building a service that helps you create better experiences without compromising the privacy of your users.

Sign up or ask a question if you still have concerns. Our team is here to help you.
$('head').append(""); $(document).ready(function(){ if( $(window).width() < 768 ){ $('.leftImage').each(function() { $(this).siblings('.rightContent').after(this); }); } });