Vee Punia, Q4’s Director of IT & Infrastructure, explained the basics of General Data Protection Regulation (GDPR) in a blog post which you can read here.
According to the GDPR, our clients would be considered Data Controllers (those who determine what data is to be processed and how). Q4, on the other hand, provides the tools to obtain personal data and would be the Processor (in other words, we process data on behalf of our clients).
Should Q4 receive a Subject Access Request (a request about what personal information is stored) directly from a Data Subject (the individual whose personal data is processed), we will ask the data subject to contact the organization they provided their information to.
In turn, when our clients (the controller) reach out to us for assistance in providing the information that a data subject has requested, Q4 will work directly with our clients as part of our GDPR obligation.
It is important to note that the responsibility of ensuring the identity of the data subject rests upon the Controller. The GDPR expects controllers to make use of appropriate means in this regard and we encourage our clients to work with their legal teams to determine the best way to accomplish this.
No user traffic or web analytics data is stored with Q4. All data is sent to Google and accessed from the CMS through the Google Analytics API.
For Google Analytics profiles managed by clients and used within our products, Q4 recommends the following actions:
Please note that these are Q4’s recommendations only and we encourage our clients to work with their legal and IT teams to determine the scope of GDPR’s applicability within their organizations.