
Administering data subject rights requests

The EU General Data Protection Regulation (GDPR) defines any identified or identifiable person as a data subject. To enable personalization on the websites on which you install Acquia Lift, Acquia Lift may store personal data. The GDPR defines personal data broadly, as shown in the following text from Article 4 (1):

“[Any] information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Some examples of personal data include, but are not limited to: name, personalized email address, mailing address, phone number, and dynamic and static IP addresses.

GDPR grants data subjects specific rights (also known as data subject rights) relating to the storage and handling of any data gathered about them.

To help you meet GDPR requirements for the management, reporting, and removal of data subject information, Acquia Lift includes several methods you can use to complete the required tasks. The following documentation describes those methods, along with more information about how Acquia Lift stores personal data.

How Acquia Lift obtains and stores personal data

Acquia Lift uses both profile fields and identifiers to store personal information for data subjects, as described in the following sections.

Profile fields

Acquia Lift tracks visitors to websites as profiles. You can view the profiles in the Profile Manager interface in the People tab.

For more information about profile fields, see the following resources:

Identifiers

Identifiers are used to identify and track visitor profiles. Some identifiers are resolvable, which means their value is unique for an individual. An example of a resolvable identifier is an email address. Some identifiers are non-resolvable, which means their values are not unique across profiles (such as name).

Acquia Lift assigns a default, resolvable identifier (tracking ID) to each visitor profile. Use API endpoints to configure other identifier values for profiles (such as email address, name, and Facebook ID).

For more information about profile fields, see the following resources:

Data subject rights

Data subjects may be users of the Acquia Lift group of products, visitors of websites using Acquia Lift (which can include hosted subscribers), or potentially both.

Data subject rights for users

Using the Profile Manager interface, you can read, remove, or rectify the gathered data for users. Depending on your needs, you can also use the Users API endpoint to complete the tasks.

Data subject rights for visitors

The following table describes how Acquia Lift product users administer the data subject rights for visitors:

| Right | Description |
| --- | --- |
| Right to be informed | Acquia Lift identifies visitors based on browser cookies, and Acquia Lift users configure the visitor data obtained. Acquia Lift users must communicate the data gathered both to website visitors and in the users’ privacy policies. |
| Right of access | Acquia Lift users can use either the Visitor Query API endpoint or a file export from Profile Manager to view gathered information relating to a visitor profile. |
| Right to rectification | To change person fields, users can either use the updatePerson JavaScript function or do a file import with updatePerson as event_name. To change identifiers, users can use a combination of the PUT and DELETE endpoints of the capture identity API. |
| Right to erasure | Using the File Import API, users can import a purgePerson event to erase a specific visitor profile. The process removes any personal identifiers from the profile (including the tracking ID, email address, and name) and invalidates the profile by assigning it an anonymous tracking ID. |
| Right to restrict processing | Acquia Lift provides a setDoNotTrack flag for visitors. Configuring the flag causes Acquia Lift to gather no data for the profile. Users can configure the setDoNotTrack flag with custom website code, by providing visitors a checkbox that turns the value of the setDoNotTrack flag on or off. For more information, see setDoNotTrack - Acquia Lift JavaScript API. |
| Right to data portability | Acquia Lift allows users to bulk export visitor data as comma-separated value (CSV) files to S3 storage on Amazon Web Services (AWS) by using either the Profile Manager interface or an API endpoint. Alternatively, Acquia Lift users can use the Visitor Query API endpoint to fetch data relating to individual visitor profiles. |
| Right to object | You can configure the setDoNotTrack flag for individual visitors when Acquia Lift users want to pause processing for those visitors. For more information about the setDoNotTrack flag, see setDoNotTrack - Acquia Lift JavaScript API. |
| Rights in relation to automated decision making and profiling | Acquia Lift users define both the data collection parameters and how to use those parameters for defining segments. Users decide which content is served to which segment. Acquia suggests users (as a part of their own GDPR efforts) have their own policies for answering profiling-and-decision-making-related queries from their data subjects. |
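
The checkbox approach described under "Right to restrict processing" can be structured as follows. This is an added example, not Acquia's code: the exact Lift call is not shown on this page, so `setDoNotTrack` here is a hypothetical adapter you supply to wrap it, and `STORAGE_KEY`, `readChoice`, and `createTrackingPreference` are assumed names. It also assumes that an unreadable or missing choice should be treated as do-not-track.

```javascript
// Added example: all names are assumptions, not Acquia Lift's API.
// `setDoNotTrack` is a caller-supplied adapter wrapping the real Lift call;
// `storage` is any object with getItem/setItem (for example window.localStorage).
const STORAGE_KEY = 'visitor_do_not_track'; // hypothetical key name

// Returns true (do not track), false (tracking allowed), or null (unknown).
function readChoice(storage) {
  try {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === 'true') return true;
    if (raw === 'false') return false;
    return null; // missing or corrupted value
  } catch (err) {
    return null; // storage blocked or unavailable
  }
}

function createTrackingPreference({ storage, setDoNotTrack }) {
  return {
    // Call once per page load, before any capture call is made.
    applyOnLoad() {
      const stored = readChoice(storage);
      // Assumed default: with no readable choice, restrict processing.
      const doNotTrack = stored === null ? true : stored;
      setDoNotTrack(doNotTrack);
      return doNotTrack;
    },
    // Call from the checkbox "change" handler with checkbox.checked.
    onToggle(checked) {
      const doNotTrack = Boolean(checked);
      // Apply the flag first so a storage failure cannot skip it.
      setDoNotTrack(doNotTrack);
      try {
        storage.setItem(STORAGE_KEY, String(doNotTrack));
        return true; // choice persisted
      } catch (err) {
        return false; // not persisted; applyOnLoad() restricts next time
      }
    },
  };
}
```

In a page, pass `window.localStorage` as `storage` and call `onToggle(event.target.checked)` from the checkbox's `change` listener.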