Over a year ago, SiteGround began the important task of preparing for the General Data Protection Regulation (GDPR) - a new law designed to protect the personal data and privacy of EU residents. While working on this implementation we have seen that the main principles behind the law are genuinely good for our users. The regulation aims to make personal data processing more transparent and to give people more control over their data. Even though the GDPR only applies to EU citizens, we have decided to go beyond and adopt the same good policies for all of our users, regardless of their citizenship or location. The new rules are becoming effective on 25th of May 2018. The following two documents apply these rules to our service:
- Our Data Processing Agreement (DPA), which regulates our responsibilities as a host, thus allowing our clients to have GDPR compliant sites themselves, if they need to.
Processing of your personal data
1. You provide minimum data and are in control of it
The first thing you need to know is that we collect the minimum data needed to provide our stellar service. When you sign up with SiteGround, you provide your contact and billing information. We need these to process your orders, keep you updated about scheduled maintenance, and send critical information related to the services you use. You can edit this data, download it and request profile deletion through your customer area.
2. We share your data with secure partners only
To provide all services around your hosting account we share some of your data with external providers like domain registrars, SSL providers, and content delivery network (CDN) providers. All such partners are either natively GDPR-compliant themselves or have signed a special contract with us to meet our data protection standards.
3. You control your email subscription preferences
If you’ve given us your express consent, we also use your email address to share tips, special offers, and to announce new products. This consent can be withdrawn or modified at any time through the my details section of your user area.
4. We keep only aggregated browsing data
Processing of the data uploaded on your account
As a hosting provider we also have responsibilities as a data processor. This means that when our customers use our services to store any personal data on SiteGround servers, we are required by the GDPR to meet some criteria for handling this data too. These obligations are described in details in the new Data Processing Agreement, and you can see below some of the major points explained.
1. Transparent Security measures
One of our main responsibilities as an entity processing information, uploaded on our servers by our customers, is to provide adequate security measures. The DPA has them listed in the form of an official document (Annex 2 of DPA).
2. Minimum access principle
The DPA puts in writing our obligation to access any data that our customers store on our servers only to the extent needed to provide our services and to make sure only employees that are directly involved with the provision of the service have access to it.
3. We provide access to secure partners only
Sometimes our partnering companies need access to the data uploaded on our servers so that we can provide our service. Our data center partners are an example of such a partnering company. We provide access only to partners that have same or higher level of data protection as the one we guarantee you through our DPA.
4. Any personal data breach is timely disclosed
Our DPA responsibilities include timely disclosure by SiteGround, if a personal data breach is detected by us to have happened on the servers used by our clients. We are obliged to notify our affected customers within 72 hours.
5. Any end user GDPR requests are appropriately passed on
Also if SiteGround receives a request by an individual, using a website hosted on our servers, to exercise one of the personal data rights outlined in the GDPR, we’ll redirect them to the site owner.
6. Our DPA helps you become GDPR-compliant
Our new DPA does not make sites hosted by us GDPR compliant on its own. Our customers, as site owners, are solely responsible to apply the GDPR principles in processing their European users’ personal information. However, even if you have done your part on making your website GDPR compliant, it will not be fully there, unless your hosting provider has a DPA. At SiteGround we are proud to have this covered for everyone from day one of the GDPR launch.