This Q&A is intended to provide practical guidance on how to comply with the GDPR when using Voyado Engage, and to help you understand how data protection legislation may affect you as a Voyado customer.
❗ Please note however that Voyado is not a law firm specializing in data protection law, and that we do not offer legal advice. We strongly recommend that you always consult a qualified legal professional to advise whether you are compliant in any given situation.
The information below presumes that you are using Engage correctly and in accordance with our documentation.
General information regarding the GDPR
This section answers general questions regarding the GDPR: what you need to do to comply, what the privacy policy needs to include, which data you may transfer, for how long, etc.
Is Engage GDPR compliant?
Yes, if you use it correctly. As a customer, you are the data controller, and you need to make sure that all requirements for the processing of personal data you enter into Engage are fulfilled.
What do I need to do to comply with the GDPR when using Engage?
Since we are not the data controller, we unfortunately cannot provide a comprehensive answer on what a specific customer needs to do to fulfill all requirements under the GDPR, but in general, the following actions are necessary:
- Ensure that you have a legal basis under Article 6 GDPR for all personal data processing activities and that you do not process personal data which is regarded as “sensitive” under the GDPR (special categories of personal data under Article 9), or personal data which is otherwise unnecessary, not relevant, inaccurate, or too old (Article 5(1)(c)-(e) GDPR).
- Ensure that you have obtained valid consent when necessary (Articles 4(11), 6(1)(a) and 7 GDPR), for example for direct marketing. Make sure that you have a correct consent process, for example “tick-in boxes” with explicit consents for explicit purposes, and that you do not use pre-filled “tick-in boxes”, as further described under the section “Consent” below.
- Ensure that your privacy policy discloses that you share customer data with third parties (including sub-processors that perform services and process data on your behalf). Keep in mind that Voyado uses sub-processors as specified in our Data Processing Agreement and that you also need to disclose that personal data is shared with these. For more information on what your privacy policy should include, please see below.
- Ensure that you have set retention periods for all personal data and that personal data is not stored longer than necessary (Article 5(1)(e) GDPR).
What should a privacy policy include?
- The legal basis for all processing activities you perform using the individual’s personal data.
- What personal data is being collected and how the data is processed and used, including the purposes of the processing.
- Retention periods, namely, for how long different categories of data are saved.
- You need to explicitly name the recipients or categories of recipients with whom you share the personal data and its purpose, for example, subcontractors such as Voyado for the purpose of providing individuals with newsletters, etc.
- A disclosure that the personal data may be processed outside of the EEA and the transfer mechanisms relied on under the GDPR (Articles 44–46), for example an adequacy decision such as the EU-U.S. Data Privacy Framework for certified U.S. recipients, or the European Commission’s Standard Contractual Clauses where applicable, together with relevant technical and organizational measures and supplementary measures where required.
- We further recommend including a specific section on direct marketing which explains the type of emails, text messages, or other ways of contact, the right to unsubscribe at any time and unsubscribe methods.
Remember to list all processing activities, even those which are less obvious, such as the processing of personal data by logging whether an email has been opened and the links that were clicked on, how you track this, and that this personal data is collected for analysis purposes and to adapt email content to individual reader preferences.
The processing activities conducted by Voyado are listed in the instruction to the Data Processing Agreement between us, and we also recommend discussing this with your IT-team to make sure that all activities are listed.
Can we transfer any kind of personal data to Engage?
Technically you can, but it is not allowed. Special categories of personal data, as defined in Article 9 GDPR, require extraordinary measures, and it is therefore not allowed to process such data in Engage unless you have a very specific security arrangement agreed with us.
Special categories of personal data include, for example, data on political or religious views or data concerning health, sexual preferences, or ethnicity. Please note that you are responsible for ensuring that no such personal data is entered into Engage.
How “old” can the personal data we use be?
The GDPR does not allow for the processing of personal data which is no longer relevant or necessary (Article 5(1)(c)-(e) GDPR). Retention periods must also be set for all personal data, and you cannot keep personal data that is simply “nice to have”.
The GDPR does not specify what retention periods are suitable. Ultimately you will need to determine this by assessing what is reasonable and proportionate for each category of personal data, taking into account any guidance issued by the relevant supervisory authority as well as its precedent decisions.
Retaining personal data for marketing purposes for longer than a couple of years is generally not permitted unless you can prove that the individual is still “active”, e.g. by continuing to make purchases or otherwise engaging with your business. Old contacts shall be deleted from Engage in line with the storage limitation principle (Article 5(1)(e) GDPR). Prior to deleting them, you may send an email informing them that unless they provide new consent, they will be removed from the newsletter/loyalty club, etc. Do not forget to state the retention periods in your privacy policy.
Legal bases
In order to process personal data, you need a legal basis under Article 6 GDPR. This section deals with which legal basis could be applicable.
What legal basis should I refer to regarding the processing of personal data for receipt of newsletters?
Since newsletters usually involve direct marketing, you should generally use consent obtained in accordance with Articles 6(1)(a) and 7 GDPR for newsletter registrations and for sending direct marketing by email and/or text message. You should use separate “tick-in boxes” for different contact methods.
However, the exception under § 19 of the Swedish Marketing Act (2008:486), commonly referred to as the “soft opt-in” rule, may allow direct marketing by email to an email address obtained in connection with the sale of goods if (i) the individual has not objected against this, (ii) the direct marketing relates to your own similar goods, and (iii) the individual was given a clear opportunity to object both when the email address was collected and in each subsequent direct marketing email.
There are similar rules in other European countries, but please check the applicable local marketing laws if you operate or target individuals outside of Sweden. Note that marketing legislation is usually applicable regardless of where your office is registered if you directly market to individuals in the applicable country.
For information on how to obtain valid consent, please see the section “Consent” below.
Do I need a legal basis to send an order confirmation and collect delivery details?
All processing of personal data requires a legal basis under Article 6 GDPR. For order confirmations and delivery details, however, you do not need explicit consent; instead you can rely on the legal basis “processing is necessary for the performance of a contract” according to Article 6(1)(b) GDPR.
Personal data which you are required to store due to legislation can be processed under Article 6(1)(c) “legal obligation” in the GDPR for as long as you are required to keep records under applicable local laws.
Consent
The GDPR sets up requirements for how a consent process must be designed, which information must be provided, who may consent, etc. This section deals with such questions.
What are the legal requirements for sufficient consent?
Consent needs to be specific, informed, and unambiguous in all aspects (Articles 4(11) and 7 GDPR). We recommend that you use a “tick-in box” (which may not be prefilled!) for the opt-in and make sure that the text next to the box includes the specific purpose the individual is agreeing to, for example:
“I agree to receive newsletters with marketing material from [XAB] and that [XAB] may process my personal data for this purpose and as further described in the *Privacy Policy [link]*. I understand that I can unsubscribe from the newsletter at any time by using the unsubscribe link in the email or by contacting [XAB] directly.”
Although still very common, general consents are not valid under the GDPR. You cannot, for example, obtain one consent for all the different purposes listed in a privacy policy. Before the individual submits their consent, you need to inform them of their right to revoke consent at any time (Article 7 GDPR).
Information on how to unsubscribe and the available methods can either be provided directly or elaborated in a reference to the privacy policy. Whenever you send out direct marketing, you need to include an unsubscribe link.
Do we need a double opt-in if the individual has registered in a physical store?
A double opt-in is not explicitly required by the GDPR. However, it must be possible to provide evidence that the person to whom the email address belongs (i.e. the person who has authority to use the email address) was the person who registered and not someone else, and that valid consent was obtained.
A double opt-in provides a feasible means of collecting this evidence and we, therefore, recommend that where email addresses have been received via an offline source, they are promptly followed up with a confirmation email with a registration link.
This is usually also the only efficient way to provide the individual with your privacy policy and all information that is required under the GDPR (Articles 13 and 14).
How do we prove consent, and how should we document the circumstances under which consent was given?
If an individual does challenge your right to send them marketing emails, it is important that you can defend yourself by providing details on when, how, and under what conditions the individual first registered (including evidence of consent where consent is your legal basis, Article 7 GDPR). For this you will need to store the following data:
- The IP address used to register.
- The date and time of registration.
- A copy of your T&Cs or similar as shown at the point of registration.
- The registration page as shown at the point of registration.
You should keep copies and an archive of previous privacy policies and consent agreements when you make changes (e.g. screenshots saved as PDFs or images) to track the changes. In addition, and if you use double opt-ins, you could send a copy of each confirmation email that is sent to your internal email archive.
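As an added illustration of the evidence list above and the double opt-in follow-up described earlier (example code written for this Q&A, not Voyado's or Engage's own functionality), the ledger below stores the IP address, timestamp and the exact T&Cs and registration page shown, archives every policy version by content hash so later changes remain traceable, and treats a registration as evidence of consent only once its single-use confirmation token has been used. All class and function names and the sample data are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    email: str
    ip_address: str          # IP address used to register
    registered_at: datetime  # date and time of registration (UTC)
    terms_hash: str          # hash of the T&Cs as shown at registration
    page_hash: str           # hash of the registration page as shown
    purpose: str             # the specific purpose ticked, e.g. newsletter
    confirm_token: str       # single-use double opt-in token
    confirmed_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self.archive: dict = {}    # content hash -> exact text shown
        self.records: dict = {}    # email -> ConsentRecord
        self._by_token: dict = {}  # pending double opt-in tokens

    def archive_text(self, text: str) -> str:
        h = hashlib.sha256(text.encode("utf-8")).hexdigest()
        self.archive.setdefault(h, text)  # never overwrite an old version
        return h

    def register(self, email, ip, terms, page, purpose, now) -> ConsentRecord:
        rec = ConsentRecord(email, ip, now, self.archive_text(terms),
                            self.archive_text(page), purpose,
                            secrets.token_urlsafe(32))
        self.records[email] = rec
        self._by_token[rec.confirm_token] = email
        return rec

    def confirm(self, token: str, now: datetime) -> bool:
        email = self._by_token.pop(token, None)  # token is consumed on use
        if email is None:
            return False
        self.records[email].confirmed_at = now
        return True

    def evidence(self, email: str) -> Optional[dict]:
        rec = self.records.get(email)
        if rec is None or rec.confirmed_at is None:
            return None  # an unconfirmed registration is not evidence of consent
        return {"ip_address": rec.ip_address,
                "registered_at": rec.registered_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat(),
                "purpose": rec.purpose,
                "terms_shown": self.archive[rec.terms_hash],
                "page_shown": self.archive[rec.page_hash]}


def demo() -> dict:
    # Constructed sample data, not real registrations.
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    rec = ledger.register("a@example.com", "203.0.113.5", "Terms v1",
                          "Newsletter signup page v1", "newsletter", t0)
    before = ledger.evidence("a@example.com")      # None: not yet confirmed
    bad = ledger.confirm("not-a-valid-token", t0)  # False: unknown token
    ok = ledger.confirm(rec.confirm_token, t0 + timedelta(hours=1))
    reuse = ledger.confirm(rec.confirm_token, t0)  # False: token already used
    ledger.archive_text("Terms v2")                # policy changed later
    return {"before": before, "bad": bad, "ok": ok, "reuse": reuse,
            "evidence": ledger.evidence("a@example.com"),
            "versions": len(ledger.archive)}
```

In a real deployment the archive and records would live in durable storage with the confirmation email itself kept alongside, as the paragraph above suggests.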
Do we need separate consent for open and click tracking?
No separate consent is necessary; you must, however, have a legal basis under Article 6 GDPR and inform the individuals by stating in your privacy policy that you are logging whether an email has been opened and which links were clicked on, how you track this, and that this data is used for analysis purposes and to adapt email content to individual reader preferences.
Can children consent to the processing of personal data?
No. According to the GDPR, individuals under the age of 16 cannot provide valid consent without parental authorization (Article 8 GDPR). The EU member states are, however, entitled to set their own age limit down to 13 years old, and the age limit therefore varies between some of the EU member states.
In Sweden, Denmark, and Finland the age limit is 13 years. If the child is below the age limit, the processing is only allowed with explicit consent from a guardian. Please note, however, that under the Swedish Marketing Act (2008:486), including the rules on good marketing practice and unfair marketing practices (Sections 5 and 6) and electronic direct marketing (Section 19), companies are not allowed to send direct marketing (marketing by emails, text messages, mail, etc.) to children under 16. In Sweden, it is therefore not possible for a child under 16 to consent to direct marketing. Similar legislation applies in most EU member states, so always check the applicable local marketing laws when operating or targeting individuals outside Sweden.
How do we ensure that the individual is over 16, do we always need to ask for age?
During the registration process, you should clearly state that subscribers must be at least 16 years old (or 13, depending on the applicable age limit). By registering, the subscriber confirms that he or she is at least 16 (or 13) years old. This does not apply, however, if the offer is directed at children, in which case it may be necessary to obtain age verification as well as the consent of a guardian.
Please note that direct marketing is not permitted to children under the age of 16, and that further restrictions under applicable marketing legislation may apply when directing marketing at children.
The rights of the individual under the GDPR
Under the GDPR, individuals are afforded several rights in relation to the processing of their personal data. This section outlines those rights and explains how Voyado can assist you in fulfilling your obligations and ensuring compliance.
What should we do if an individual asks us to delete all personal data about her/him?
The customer has a right under the GDPR to request that all personal data you have on her/him shall be deleted (Article 17 GDPR). This is however not an absolute right, and exceptions may apply under Article 17(3) GDPR. For example, you may be entitled or required to keep personal data where processing is necessary to comply with a legal obligation, such as keeping financial information and receipts.
You may also keep personal data where processing is necessary for the establishment, exercise, or defence of legal claims, for example to defend yourself against a possible claim from the individual. All other personal data shall however be deleted.
It is a common misconception that all personal data needs to be deleted with just “one click”. This is not the case. Under the GDPR, you must, after receiving a request, delete the personal data within 30 days and send confirmation of this to the individual concerned (Article 12(3) GDPR).
Voyado provides tools for both the export and deletion of personal data. If you are unsure of how to use these, please reach out to your contact person for a demonstration.
What should we do if an individual requests access to their stored personal data?
Voyado provides a tool you can use to export all personal data processed on a specific individual to provide a report to the individual in response to an access request (Article 15 GDPR). There is no legally prescribed form on how to provide this personal data, but the easiest way would be by email, perhaps with an attached spreadsheet.
When preparing an access extract, you may structure, label and explain the information to make it clear and intelligible to the individual (Article 12(1) GDPR), provided that the underlying personal data is not changed, omitted, hidden or misrepresented. Voyado may not be the only system in which you process personal data about the individual, so you may need to manually compile information from Voyado and other systems when responding to an access request (Article 15 GDPR).
Can I correct personal data in Engage if we get a request that personal data is incorrect?
Yes, you can correct personal data stored in Engage if the individual exercises the right to rectification (Article 16 GDPR). Please reach out to your contact person if you are unsure about how to use this function.
Voyado and third-country data transfers
Third-country transfers, including transfers to the U.S., have been a hot topic for discussion since the CJEU’s ruling in Schrems II and have further developed following the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework adopted on 10 July 2023.
This section describes how Voyado complies with the third country transfer rules.
How does Voyado comply with third country transfer rules, including the CJEU’s ruling in Schrems II?
To transfer personal data outside of the EU/EEA, you need to rely on one of the available transfer mechanisms under the GDPR (Article 44 GDPR). One such mechanism is an adequacy decision by the European Commission (Article 45 GDPR). On 10 July 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework. This means that transfers to U.S. organizations certified under the EU-U.S. Data Privacy Framework may be based on that adequacy decision.
Privacy Shield is no longer a valid transfer framework, as the ruling in Schrems II declared that the European Commission’s Privacy Shield Decision for transfers of personal data to the U.S. was invalid on account of invasive US surveillance programs, thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal. Schrems II remains relevant for transfers that are not covered by an adequacy decision, including transfers to U.S. recipients that are not certified under the EU-U.S. Data Privacy Framework and transfers to other third countries without an applicable adequacy decision.
For transfers that are not covered by an adequacy decision, another transfer mechanism may be required. This may include the European Commission’s Standard Contractual Clauses (Article 46 GDPR); please see link here. Where required, the transfer should also be supported by a transfer impact assessment and appropriate supplementary technical, contractual or organizational measures.
Voyado may rely on the adequacy decision for transfers to U.S. sub-processors that are certified under the EU-U.S. Data Privacy Framework, where applicable (Article 45 GDPR). For U.S. sub-processors that are not certified under the EU-U.S. Data Privacy Framework, or for other third-country transfers not covered by an adequacy decision, Voyado uses appropriate transfer mechanisms such as the European Commission’s Standard Contractual Clauses where required (Article 46 GDPR), subject to our Data Processing Agreement.
In addition to this, where relevant, we agree on specific and additional organizational security measures with such subcontractors in order to mitigate any risks and to keep the personal data safe. We further only use well-renowned subcontractors with high security standards, and only for the processing which is deemed necessary.
Voyado works with legal specialists with extensive experience in the area, and we keep ourselves continuously updated on any news and further guidance provided by the European supervisory authorities and the European Commission. Should anything change in the future, we will immediately take the actions available to us.
Do we need to undertake any actions with regards to third country transfers?
As a data controller, you need to inform individuals if their personal data may be transferred outside of the EU/EEA and which transfer mechanism is relied on (Articles 13, 14 and 44–46 GDPR).
Your privacy policy should, where relevant, explain that transfers to U.S. recipients certified under the EU-U.S. Data Privacy Framework may rely on the European Commission’s adequacy decision, while transfers to U.S. recipients that are not certified or to other third countries may rely on another transfer mechanism such as the European Commission’s Standard Contractual Clauses and, where required, supplementary technical and organizational measures. It is further always recommended to work proactively with data minimization and other risk minimizing activities.
Technical and organizational security measures
What technical and organizational security measures does Voyado provide?
A comprehensive description of which technical and organizational security measures apply between you and Voyado is included in the Data Processing Agreement. In general, Voyado implements the following measures to support appropriate security of processing for the Product under Article 32 GDPR.
1. General security measures
Measures that generally prevent unauthorized processing of personal data.
- Security standard – Voyado maintains and operates an Information Security Management System (ISMS) certified under ISO/IEC 27001 (or equivalent), and applies technical and organizational security measures in accordance with that framework.
- Encryption of personal data – Data transfers to and from Voyado are protected using encryption following current established practice. At rest, data is encrypted where technically feasible, at least using disk-level encryption.
- Separation of data – Customer data is separated using logical separation or logical identifiers, tagging information to clearly identify ownership and ensuring that customer data can only be accessed by that customer.
- Regular and independent vulnerability and penetration testing, as well as regular security updates and patches.
2. Physical access control
Measures that prevent unauthorized persons from gaining access to data processing systems which process personal data.
- Access to systems and personal data is restricted to those who need access to deliver the Product to customers on a need-to-know basis.
- User authentication to protect access to data processing systems.
- Secure password policies. Employee workstations are encrypted using full-disk encryption and protected with strong passwords.
3. Organizational measures
Measures which ensure secure routines and practices within the organization.
- Risk management – Voyado has documented processes and routines for handling risks within its operations. Voyado periodically assesses risks related to information systems and the processing, storing and transmitting of information.
- Change control – Voyado maintains a structured change management process to ensure that changes are reviewed and tested before being deployed to production. Roll-back measures are in place in the event of any unintended behavior.
- Secure testing – Voyado maintains separate production and testing environments.
- Data protection officer – Voyado maintains a data protection officer who has appropriate security competence and overall responsibility for implementing the security measures and who will be the contact person for the customer’s security staff.
- Security is the responsibility of everyone who works for Voyado, and all employees are trained to identify security risks and take action to prevent them.
4. Data breach management
Measures that ensure secure and proper management in the event of any data breaches.
- Voyado has established procedures for data breach management.
- Voyado informs the applicable customer about any personal data breaches as soon as possible in accordance with the Data Processing Agreement, so that the customer can assess any notification obligations under Articles 33 and 34 GDPR.
- All reporting of personal data breaches shall be treated as confidential information.
- Reporting includes available information necessary to report to the supervisory authority and, where required, to affected individuals (Articles 33 and 34 GDPR).
5. Business continuity management
Measures which ensure the on-going operation of the Product.
- Voyado identifies business continuity risks and takes necessary actions to control and mitigate such risks.
- Voyado has documented processes and routines for handling business continuity.
- Information security shall be embedded into the business continuity plans.
- The efficiency of Voyado’s business continuity management and compliance with availability requirements is periodically evaluated.
6. Certifications
Voyado currently maintains ISO 27001 certification. More information is available in the Voyado Trust Center (http://trust.voyado.com).
The technical and organizational measures are subject to technical progress and development and Voyado will implement alternative adequate measures to always adhere to industry security best practices.
Last updated: 2026-05-07