GDPR Compliance in Ideas Portal

Hi Chris, you say that the name and email address provided while signing up for an idea portal is not used by Aha! for other purposes.  Is there anything in the privacy policy to this effect?  All I see in there is a statement that personal information can be used for many purposes, including research.  I assume that statement is meant to apply to customers of Aha! (and not users of an ideas portal) but the privacy policy isn't clear on this point.

Are there any updates to this.  We are specifically looking for ways to add a consent statement preferably when the data is collected (email, first / last) or at least in the confirmation email.  Your privacy policy states that we are responsible for obtaining consent - but you provide no mechanism to achieve this in a compliant way.

Second we need a way to make withdraw a simple granting consent.  Forcing users or customers to put in support requests does not satisfy this requirement

It would also be best if there was an unsubscribe link in all of the emails.  This could point to the same location as the core link in the email, but using the unsubscribe makes it clear that this where to go to unsubscribe from a thread.

The ICO guide linked in this thread provides excellent resources regarding all of these items

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

may help in terms of understanding the consent process

Hi Chris, 

Thank for the feedback. I think ,my issue here is that its not "easy" to manage the PII data in AHA from a Data Processor or Controller perspective. 

There is no specific "Consent" statement which is absolutely required under GDPR which informs the user of how their data will be stored and used

There is no way of easily performing a subject access request search when someone asks - what do you (and AHA) hold about me

There is no easy way of doing a bulk delete if someone objects to us holding said data

Thanks

Ben

Aha! has a Data Processing Agreement (DPA) available for EU customers who need one - contact support@aha.io for that.

Signing up for an ideas portal by providing a name and email address is an unambiguous and affirmative action that the user wishes that information to be processed in the context of the idea portal. This information is not used by Aha! for other purposes, and if it were to be used for other purposes then additional consent would be required.

I disagree that this already exists as GDPR calls for the person to give explicit consent to a privacy policy that the data controller (those who contract with Aha to use the product) creates and also reflects the policies that you operate to as the data processor (in case you use it in any other way). This cannot just be implied through signing into a portal and not knowing how your data will be processed.

GDPR also requires the ability to withdraw consent so a mechanism must exist to do that.

The GDPR Right to be forgotten needs to be considered as although we can esnure that the data is deleted we would need to know that Aha and your service providers will also  delete that data.

Here are the answers to your requests:

1. Since registration for an idea portal is a explicit act it is not clear that any separate consent is necessary. The personal information entered into the portal (name and email address) will not be used by Aha! for any other purpose.
2. The date of signup for the portal is captured.
3. Idea portal users can be deleted by Aha! upon request.
4. A report on information stored about a person can be provided by Aha! upon request.