Hootsuite and the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive European data protection law that came into force on May 25, 2018 and affects organisations which process personal data of EU individuals.
As a Canadian company, Hootsuite is already subject to data protection laws that provide for similar standards as existing European laws. And as a company with millions of users in Europe, Hootsuite understands the need to provide its EU users with services and solutions that will help them meet the EU’s stringent data protection requirements.
Who does the GDPR apply to?
The GDPR applies to virtually all organisations that process the “personal data” of EU individuals as a result of services offered to them or which monitor them, regardless of whether the organisation physically resides in the EU. Personal data is any information relating to an identified or identifiable natural person, such as a name, email address and credit card number.
How does the GDPR apply to Hootsuite and its users?
Hootsuite is a social media management tool that enables its users to bring together their social networks and integrate with hundreds of business applications, all in one place. Because the content on social media is user-generated, it may contain personal data if users of social media decide to share such information. As a result, the GDPR will apply to both Hootsuite and its users, but in different ways.
The GDPR distinguishes between organisations that are “data controllers” and those that are “data processors”. As explained in our Privacy Policy, our users are the data controllers of the content that they process through our platform and Hootsuite is a data processor of content generated, requested or published via its supported social networks. Hootsuite will only process content in accordance with the instructions our users give us through our services. For more information on the types and categories of data we and our users collect and process, please see our Privacy Policy.
How is Hootsuite compliant with the GDPR?
Hootsuite has formulated a robust privacy program and promotes a culture of data privacy throughout the organisation. We have appointed a data protection officer and we have a dedicated privacy team to manage the privacy program.
At the Executive level, we have established a Privacy Council that provides strategic input into Hootsuite’s data protection practices. Our employees receive regular privacy and security training from onboarding and onwards; and are continuously informed of new privacy developments. We respect individual rights and promptly respond to and manage data subject requests. Hootsuite also embeds privacy by design principles within the organisation by conducting privacy impact assessments and privacy reviews when implementing new product functionality and introducing new processes.
How do I enter into a Data Processing Addendum (DPA) with Hootsuite?
To assist you with your compliance efforts, Hootsuite makes available a GDPR Data Processing Addendum (DPA). You may request the pre-signed Hootsuite DPA by visiting our webpage here and follow the instructions on how to complete the DPA through our electronic signature webform.
How is Hootsuite different than other social media management services?
Hootsuite is a Canadian company with its head-office located in Vancouver, British Columbia. For the purposes of EU data protection law, Canada is considered a country which provides adequate protections for personal data, as confirmed by the European Commission in Commission Decision 2002/2/EC. Hootsuite has the advantage of being based in a country with strong data protection laws.
What organisational and technical safeguards does Hootsuite provide to help its users comply with the GDPR?
Hootsuite maintains a high level of technical and organisational measures to protect your data. Read more about our privacy and security practices in our Trust Centre and details about our security practices are available here.