    EU companies operating globally > GDPR question!

    Carly Stevens



      As a company operating in the EU (and globally), we're trying to get prepared for GDPR and keep getting stuck in the same place. We can't ever avoid our data being transferred outside of the EU because 1. Marketo is hosted in the USA (correct?), and 2. we have multiple regions across the globe using the same instance.


      As GDPR dictates that we need to be explicit in how we handle contact data, our Data Protection Officer had previously advised that we should have a checkbox on all forms which says 'I agree that my personal information can be made available to Argus Group companies and Argus services providers outside of the EEA'. Sounds fine in principle, but essentially, even if they don't check that box and submit, their data will still be available to other regions - we can't physically lock it down can we? And often wouldn't want to as we run cross-regional campaigns.


      What to do in this scenario? We can't make people check the box just to be able to submit the form. Equally, we don't want to stop people accessing the info behind a form, just because they don't want their data to be made available outside of the EEA. Want to avoid changing forms individually and go for a one size fits all sort of approach.


      Any feedback on what similar companies are doing would be great. Are we worrying unnecessarily?

          Gerard Donnelly

          Hi Carly Stevens,


          This doesn't answer your entire question, but can you not use the one form and dynamically hide and show elements based on the country drop-down? If they select a certain country, you show a different terms and conditions box and then choose whether or not to make it required in order to access the content.





            Grégoire Michel

            Hi Carly,


            The location of your data depends on your Marketo pod. You can know it from the URL in your browser when you are connected to Marketo. It will usually start with app-XX and XX will tell you the pod. "sj" for San Jose, "lon" for London, etc...


            There are 2 aspects to the GDPR: agreement to the storage of the data and agreement to the usage of that data for specific treatments (such as sending batch emails). Some of our clients have decided to have 2 checkboxes on their forms, one for each aspect and the first one being mandatory to be able to validate the form (in other terms, if you do not agree with the vendors storing the data somewhere, you cannot get access to the content).


            Some of our customers, on the opposite, have preferred to have only 1 checkbox for both aspects and have a smart campaign that erases the data from Marketo immediately after the form submit if the box is unchecked.





                Carly Stevens

                Ours is SJ.


                And thank you, this is really, really helpful.

                  Mark Knight


                  I am working with a German DPO / lawyer to cover our GDPR needs for our website in Europe and we have covered this issue. He agrees with you ... you need two check boxes BUT (a very big but...)


                  1 consent to store and process the registrant's data and this needs to be coupled with a link to a specific consent statement detailing the fields captured and why / what to expect... (it can’t be a generic link to privacy policy, that gets linked to from the specific statement)


                  1 consent to further email marketing (if not already opted in)


                  BUT... Neither of these boxes can be either pre-checked or mandatory.

                  GDPR is specific about this. You cannot couple consent (tick this and you can have the content); doing so invalidates the consent...

                  (assuming we are talking about a form that then provides access to white paper download etc - there are some exceptions to this depending upon what the user is registering for...)


                  You have to give the option of allowing the registrant to download the white paper without giving you the consent to store and use their data - let alone opt-in to further emails... and the only field you can make mandatory on that form is email address, assuming you deliver the whitepaper via email... you can include other fields but these are optional.


                  It's a brave new world...

                      Grégoire Michel

                      Hi Mark,


                      I am dealing with about 15 lawyers and DPOs throughout the EU on this subject, from my various customers, and they do not agree between them.


                      I fully agree that the checkboxes cannot be pre-checked, and the GDPR guidelines are explicit on this point; all my correspondents also agree on this.


                      BUT the guidelines also say that:

                      “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable and that if consent is given in this situation, it is presumed to be not freely given

                      But there is a contradiction in not making the checkbox about data storage mandatory: if the person does not check it, then you are not entitled to let their data enter the Marketo database. Anyway, as always with the GDPR, there is some leeway in the following statement:

                      data that are not necessary for the performance of that contract or service

                      Entering the data in Marketo is required to be able to send the white paper, so making the "storage consent" checkbox mandatory is acceptable...


                      As I wrote earlier, I have some customers who make that box non-mandatory and then run a smart campaign to immediately delete the lead after sending the white paper link, and others who make that box mandatory. Time will tell.



                        Dan Stevens.

                        Mark, thanks for sharing.  It's useful to hear of all of the different perspectives and interpretations of GDPR.  Just out of curiosity - since you didn't mention it in your reply - what is his take on cookie/tracking consent?  Does that introduce yet a third checkbox?  Even though there's a lot of information/discussion that addresses this (including the recent post from Michelle Miles - Marketing Strategies to Thrive in a GDPR World) - it would be interesting to hear his perspective on this.