Yoast and your privacy (GDPR)
As of the 25th of May 2018, EU citizens have more control over what data companies store and process about them due to the GDPR. At Yoast, we have always aimed to store as little personal details as possible. Our plugin itself stores no personal data, only website data. The personal data we might have from you is the data you have provided. In this manner, no DPA or Data Processing Agreement is needed. You can review our DPA Article on how we handle compliance.
All the information you have provided is available for you in MyYoast. Every customer and newsletter subscriber of Yoast has the option to log in and see things like courses you are subscribed to and course progress, plus the option to download purchased products and invoices.
Note that most of this all isn’t personal data. In the Account section in MyYoast, you will also find an overview of the product subscriptions you have, and an overview of your orders. In the Profile > Danger zone section, we have created the option to download a CSV file with details like the address details you have provided us when purchasing products. Furthermore, your newsletter subscription is located in the profile section as well for your convenience.
In case you have any more questions about your personal details or for instance would like to change the email address we use to contact you, feel free to use our contact form to get in touch. We’re happy to help!
What is the GDPR?
The GDPR or European Union’s General Data Protection Regulation is a major change in the way we process personal data, in the sense that we all need to be clear about what data we process and where we process that in what way. Openness about what we do with your personal data. That makes all the sense in the world to us. Here’s Wikipedia‘s summary:
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
In short, as an individual, you need to be able to get proper insights into what personal data of yours is processed by for instance Yoast, for what purpose and how. And you have the right to have old and irrelevant data deleted (“forgotten”) as well. So if you want your personal data removed from our systems, we must act on that request. This applies to every company that has EU customers or stores any other personal data of EU residents.
Strict take on privacy issues
At Yoast, we take privacy very seriously. Always have, and that is why we store and process as little details as we can to be able to work with/for you. You’ll rarely find us asking excessive details that we really don’t need for that.
As a general rule, do not give us personal data. Not your own, not your customers’ and not your visitors’. (We actually put this in our Terms of service.) This may sound strange but for most things, we just do not need personal data. And under the GDPR, you should not give us personal data if it is not needed. If we do need personal data, we will ask first.
One of the things that we will be more strict on, for instance, is that we won’t accept people’s own personal login details. You’ll be amazed how many people simply send their own login details over email. This isn’t secure in any way, as you will understand.
With the GDPR, we need you to be in the driving seat in these cases. It’s your (customer’s/employee’s) data. You need to be able to control our access to your website, which means you need to create a login for your website especially for us, for the time of the assignment (so just to fix something in support, or for us to be able to configure our plugin). When that assignment is done, we will let you know and we’ll insist that you remove our login details as they are no longer needed. It’s your responsibility to remove these, as that isn’t something we can control. On our side, we will make sure to remove these login details from our records.
This is about personal data, not website data
Please note, that most details we do have access to in our line of work, relate to website data, not personal data. The login details procedure as described in the previous section is especially needed in case of an online shop that stores customer data as well. As we want a solid procedure for this, we apply this procedure to all websites, just to make sure we and you are not overlooking that tiny piece of personal information you stored and made accessible for us by that login.
GDPR targets that personal data. Where it comes to website data: we need that data to further optimize your website. No personal data is needed for that, so please don’t make this data accessible to us. If you really have to, follow the procedure as described. Of course, we will not touch that data in any way that’s not agreed on. For instance, if we need to use the data for testing purposes, we’ll need to agree to this use in writing. And we’ll agree on what happens with that data after testing if needed.
We will respect your rights
You have the right to inspect the data we store. On request, we will give you a complete overview of personal data we have of you, and copies as we have them. If you then see errors in that data, we will happily correct it. (Unpaid invoices do not count as errors. Just kidding.)
As mentioned before, you also have the right to be forgotten. You have the right to have us remove your personal data from our records. We will, of course, act appropriately on your request. But please note that, under the GDPR, we are allowed to keep the data we need to do our work. So if you, for instance, have an active Yoast plugin and want support, we are allowed to store your name, email address and the like for that purpose. The same goes for your invoice: tax regulations require us to store these for at least seven years after your purchase. But that just goes for the invoice data itself. Other data we will delete as soon as we no longer need it.
When the personal data in question is from your employees or customers, then they have these rights and you are responsible for ensuring they can exercise them. Tell us beforehand, so we can conclude a data processing agreement to figure out the best way of working here. Do not send us other people’s personal data without a data processing agreement in place.
The GDPR requires us to take “adequate” security measures to protect all personal data we store. All our websites are secured using SSL/https, something we have been recommending for all websites, not just for GDPR but also for SEO reasons. We are monitoring site security and security certificates to make sure your data is as safe and secure as possible.
Needless to say that this page will be adjusted after every step we take in the process of GDPR compliance, for instance, if anything changes in the GDPR rulings. Any questions about the GDPR can be sent to us via our contact page.