What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law that addresses data protection and privacy for individuals within the European Union.  Prior to May 25, 2018 when the GDPR enforcement began, each EU member state had its own privacy laws based on a common framework defined in a 1995 EU directive (Data Protection Directive 95/46/EC). The GDPR replaces these laws with a single regulation that unifies data protection requirements for all EU member states. 

The aim of the GDPR is ‘… to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.’ The GDPR also addresses the movement of personal data outside the EU.

Revulytics and the GDPR

At Revulytics, trust is key. Some of the largest software vendors in the world trust us with their highly valuable assets – data on who and how their software applications are being used or mis-used.  We are committed to data protection and privacy and comply with the GDPR in the marketing and delivery of our solutions to our customers. We are also committed as a data processor to helping our customers understand the implications of the GDPR related to the use of software usage analytics solutions and comply with the GDPR when using our technology. 

We have updated our business and marketing practices to meet the GDPR requirements. You can learn more about our commitment to privacy here. Also, Revulytics participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Privacy Shieldthe Swiss-U.S. Privacy Shield Framework. Privacy Shield covers the export of personally identifiable information from the EU to the US. Revulytics is committed to subjecting all personal data received from EU member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles.  

What the GDPR means for customers using our solutions

At Revulytics, we’ve received questions from our customers on how to ensure GDPR compliance. The bottom line for Revulytics customers: our software usage and intelligence analytics platform can be leveraged in a manner that is GDPR compliant. 

The GDPR defines several principles that provide a foundation for the prescribed data protection requirements. Several of these principles apply to the collection of personal information for the purpose of protecting or improving software (Lawfulness, fairness and transparency; Purpose limitation; Data minimization and proportionality; Storage limitation; and Accountability).

Using the legitimate interest of the data controller as the legal basis for processing data within Revulytics Compliance Intelligence eliminates the need to obtain consent. You will still need to comply with the fairness and transparency principle – including providing appropriate notices in your external privacy policy, so that it is reasonable for data subjects to expect that their information will be collected and processed. 

Similarly, while not explicitly called out in a recital, the improvement of products and services may also be considered a legitimate interest. The Article 29 Working Party’s Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC specifies “processing for research purposes (including marketing research)” as processing for a legitimate interest of the data controller when balanced with the protection of the rights and freedoms of the data subject. Therefore, consent is not needed for Revulytics Usage Intelligence. 

Revulytics technology supports the foundational principles helping customers strike the appropriate balance between running an effective license compliance program or data-driven roadmap and properly working with customer data. Revulytics customers using Revulytics Compliance Intelligence or Revulytics Usage Intelligence are the data controller. As controller, they decide what information is to be collected and how it is to be processed. Revulytics is the data processor and may only process a data subject’s personal information based on a customer’s direction. 

Any personal information collected for the purposes of piracy detection and enforcement, as well as software usage for product improvement, should be used only for these purposes unless your privacy notice specifies other uses for the information. Compliance Intelligence customers have the ability to collect user name, user email address, WiFi geolocation and SSID data, and computer host name. Customers can choose to only collect a non-reversible hash used for some of this data to mitigate the risk of misuse of the information. Usage Intelligence only requires IP address as personal information. This information is only used to obtain country location and is then deleted -  essentially removing the classification of the data from personal information. Since it is being collected, you need to inform your users of this collection in the privacy notice, but it is recommended that you stress that it is solely used to identify a country and then no longer retained. 

Revulytics allows you to decide how long to keep the information you collect. Although Usage Intelligence has a highly competitive data retention time-period, as noted above, the Organizational IP Address is deleted immediately after the company receives data and the location information has been resolved. 

The power of Revulytics Compliance Intelligence and Revulytics Usage Intelligence and the actionable insight they provide can be harnessed in a GDPR world to drive revenue, protect your IP, and build and deliver better product while increasing customer acquisition, retention, and overall satisfaction.

For our Data Processing Addendum (DPA), contact us at privacy@revulytics.com.  

Any statement made on this page is not intended to replace your policies or advice provided by your legal counsel, but to provide insight into the EU privacy environment.