Are you looking for Olark's Data Processing Agreement (DPA)?

Please email gdpr@olark.com with the name and email address of the member of your organization authorized to sign, and we will send you our standard agreement.


Olark and the GDPR

Here at Olark, we believe that strong privacy practices are good for both your customers and your business. We are committed to supporting your compliance with applicable data and privacy regulations, and to providing you with relevant, accurate information about Olark’s data and privacy practices. To that end, we have provided responses to several common data and privacy questions below.

Please note that this information is not legal advice. We strongly encourage you to discuss compliance questions with a lawyer who is familiar with your business.

On May 25, 2018, the new General Data Protection Legislation (GDPR) will be coming into force in the European Union. This legislation affects all companies based in the European Union, as well as any company that does business with customers (including both individuals and corporations) based in the European Union.

We know that those of you who are affected by the GDPR may have questions. While we are not able to answer legal questions regarding how your own organization achieves compliance, we can and will support your compliance efforts by providing information about the data that Olark collects, transmits and stores for your organization. To that end, we have prepared a detailed list of FAQs (below) relating to the GDPR and our compliance efforts. You can also refer to our help center; we will be keeping this page up to date as we progress with the compliance process.

As always, if you have any additional questions or would like to chat this through, please don’t hesitate to reach out via email or chat.

Will Olark support GDPR compliance by May 25, 2018?

Yes. Olark is committed to helping you be GDPR compliant by May 25, 2018. We are working hard with our legal and engineering teams to ensure that, to the extent Olark directly collects EU personal data, it is in compliance with the GDPR.

We are fully compliant with the EU-US Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the European Union and Switzerland to the United States.

What is GDPR?

The GDPR is the new European Union (EU) data privacy law that greatly strengthens data privacy protections for individuals located in the EU (“EU residents”). It gives EU residents more control over how organizations collect, process, store, and share their personal data online.

The GDPR also imposes new obligations on all organizations that process EU personal data, regardless of where the organization is located. The GDPR is territorial, meaning that it applies to any organization that processes EU personal data, regardless of where the organization may be located. “Personal data” is a term that the GDPR broadly defines, but in general it can be thought of as any data that can personally identify an individual or make them identifiable.

We are taking the GDPR very seriously since failing to comply with the GDPR is costly – a fine of 4% of global revenue or 20 million euros, whichever is greater, can be imposed against an organization in relation to certain GDPR violations.

What does GDPR mean for Olark customers?

If you are using Olark’s products or services to collect information (such as names, email addresses, phone numbers, IP addresses, etc.) from individuals who reside in the European Union, then the GDPR will place additional constraints on the way you handle and use that information.

Olark offers built-in features to help you with your GDPR compliance efforts, and we will continue to support you in achieving compliance with this and similar privacy legislation.

To best understand your role and Olark’s role under the GDPR, it’s critical to understand three key terms as they relate to our services: data subjects, data controllers, and data processors. The data subjects are your customers or end users residing in the EU. You are the data controller because you decide the purposes for which you need to collect personal data from data subjects and the means by which you want to collect it. Olark is a data processor because we process data from your data subjects on your behalf and on your instructions.

Some other key obligations under the GDPR include:

Notice: Organizations are required to provide notice to data subjects whenever they collect personal data from the data subject. In the notice, organizations must identify the lawful basis for processing the personal data (see Article 6 of the GDPR), among other things. Data controllers must determine which lawful basis applies to their processing.

Individual Rights: The GDPR expands data subjects’ rights to their personal data. Except as limited by applicable law, EU data subjects have the right to access the personal data a company is processing on them; to restrict the processing; to correct incomplete or inaccurate personal data; to have their personal data deleted; and to object to their data being used for certain purposes.

Retention: One of the core principles of the GDPR is “data minimization.” The GDPR requires that EU personal data be kept “no longer than is necessary for the purposes for which the personal data are processed.” It is the responsibility of the data controller to determine the appropriate time period for which to retain EU personal data and, as applicable, convey those periods to their data processors and/or data subjects.

What is Olark doing about GDPR?

Does Olark have a Data Processing Agreement (DPA)?

Yes. We have a DPA. Please email gdpr@olark.com with the name and email address of the member of your organization authorized to sign, and we will send you our standard agreement.

If you would like to modify the standard DPA, or if your business requires a custom DPA, you will need to move to an enterprise plan. You can email gdpr@olark.com for more information.

Can I use Olark and still be GDPR compliant?

Yes, Olark is committed to supporting your GDPR compliance efforts by May 25th 2018 and beyond.

How will the GDPR affect my use of Olark?

If you are using Olark’s products or services to collect information (such as names, email addresses, phone numbers, IP addresses, etc.) from individuals who reside in the European Union, then the GDPR will place additional constraints on the way you handle and use that information.

Olark will offer built-in features to help you with your GDPR compliance efforts, and we will continue to support you in achieving compliance with this and similar privacy legislation.

How will Olark handle notice requirements for me?

Olark cannot handle notice requirements on our customers’ behalf; however, we do plan to provide you with tools to communicate notice to your customers via the Olark chatbox.

Additional context: As the data controller, you are required to provide notice to individuals located in the European Union whenever you collect data from them. The notice that you provide needs to identify the legal basis (or “lawful basis”, i.e., legitimate reason) applicable to your processing of personal data, including any data processed via Olark. Article 6 of the GDPR lists six such legal bases: consent, contract, legal obligation, vital interests, public tasks, and legitimate interest. As a data processor, Olark does not and cannot determine the legal basis for processing visitor personal data on behalf of its customers;

How will Olark help me respond to individual rights requests (e.g., right to access, correction, erasure, etc.)?

By May 25th, Olark will have tools in place to help you export, modify and delete files. We will continue to build out tools to help you respond to individual rights requests as our products and services expand and evolve.

Additional context: One of the changes under the GDPR is the expansion of privacy rights for individuals located in the EU. As a data controller, you will need to be ready and able to comply with applicable individual rights requests, such as deleting a customer’s personal data from your records or providing them with a copy of the data you hold. The GDPR grants some exceptions to compliance with individual requests; consult with a legal expert to determine whether you are covered under an exception.

If none of the other legal bases apply to your data usage, you will need to obtain specific, informed, freely given, and unambiguous consent to use your customers’ data in the way you intend. Note that an “opt-out”, where the customer is opted in to data usage by default, may no longer be sufficient.

Consent is most often required for marketing uses (e.g., using an email address to send a customer promotional emails), but may be required for other uses, too. Be sure to ask your legal counsel to check the e-Privacy Directive (and once finalized, the e-Privacy Regulation) for additional e-marketing requirements.

Yes. We will provide tools to add a consent option to your chat box. You can expect those tools to be available in your account by May 25th 2018.

It remains your responsibility to verify that your use of customer data is consistent with the consent given.

Do I have to delete all my transcripts from Olark to be compliant?

Not necessarily! If you received an individual rights request for erasure, you should consult with your legal counsel to determine how to respond. However, outside of an individual rights request, your obligation depends on how you use or process transcript data and which legal basis applies to such processing.

You may be able to continue using transcripts if your legal basis for processing transcript data still applies. For example, you may continue to use transcript data because you have a legal obligation to retain the data, if processing the data is in your website visitors’ legitimate interest, or if your use of transcript data is directly related to performance of a contract or to steps a customer has requested you take prior to entering into a contract.

Finally, you may be able to fulfill your GDPR obligations by refraining from certain uses of transcript data.

By May 25th, Olark will provide tools that allow you to redact certain visitor information from transcripts after a certain amount of time, or at a particular customer’s request. These privacy tools will destroy all form submissions (e.g., responses to pre-chat name, email, and phone fields); all text that is formatted as an email address, phone number, or IP address; and the visitor’s internal ID. This information is replaced with in the transcript . Redaction also destroys all visitor files uploaded through the chatbox.

Again, you should consult with your legal counsel to identify the best option for your company. Transcript data cannot be restored once deleted, so if transcript data is valuable to your business, we encourage you to explore the possibility of modifying or limiting your use of transcripts rather than deleting the data entirely.

Do you have an updated privacy policy?

We are updating our privacy policy and it will be linked here shortly.

What tools will you offer to help us control data retention?

We will have a number of options in our privacy dashboard. The privacy dashboard will be available before May 25th.

  • You will be able to choose to automatically redact certain visitor information from all transcripts after a specified time period.

  • You will be able to redact certain information for a single visitor, based on the visitor’s email address, if that visitor submits a request for erasure.

  • You will be able to export all transcripts associated with a visitor’s email address, along with other information about that visitor, to a CSV file.

  • You will be able to add a custom consent request and agreement checkbox to the chat box. When a visitor grants or withdraws consent via the checkbox, their action will be noted in the chat transcript.