What is GDPR?

The European Union (EU)'s General Data Protection Regulation (GDPR) is a new regulation that came into effect on the 25th of May, 2018. Its aim is to harmonize the data privacy laws across the EU, and (in particular) protect the rights of residents of the EU about the processing of their personal data. It recognizes the data privacy rights of EU residents, and lays down rules regarding the processing of their personal data.

In essence, the GDPR aims to give EU residents full control over their personal data.

What is personal data?

In context to GDPR, personal data is any data that can directly or indirectly help identify a natural person. This includes, but is not limited to: name, address, phone number, email address, IP address, traveling habits, and photos.

When and where does GDPR take effect?

GDPR applies for any activity that collects or processes personal data of EU residents. It does not matter if the activity takes place inside the EU or not. GDPR has global reach.

Why be GDPR compliant?

EU's GDPR came into effect on the 25th of May, 2018. It is legally binding. The concerned Supervisory Authority (as defined by GDPR), may fine the non-compliant person or organization up to 20 million Euros or 4% of their annual worldwide turnover from the preceding year, whichever is higher. Levying a fine is for two reasons:

  • A deterrent, so that Data Controllers and Data Processors act responsibly, and adhere to GDPR's guidelines.
  • A compensation for the persons who have suffered material or non-material damage because of infringement to GDPR.

Key roles that GDPR identifies

  • Data Subject: A resident of the EU from whom, or about whom, data is collected and/or processed.
  • Data Controller: The person or organization that defines the purpose and means of collecting and processing data.
  • Data Processor: The person or organization that processes the collected data on behalf of the Data Controller.

In this context, when you use Zoho Sites to build a website:

  • The site visitors who view and interact with the website act as the Data Subjects.
  • The site administrator or the site author, who creates and publishes website content such as, text, design, and forms is the Data Controller.
  • Zoho Sites who processes and serves given data using the Zoho Sites website builder acts as the Data Processor.

Here is how Zoho Sites helps you stay compliant with the GDPR:

The following are the features that Zoho Sites provides for Data Controllers to remain GDPR compliant.

  • Data Security
    • Secure transit: SSL/TLS encryption keeps your website safe during transit.
    • Security Audit: Zoho is ISO 27001 certified & SOC 2 Type II compliant. 
    • Encryption: All access tokens like login credentials and passwords are encrypted at rest.
    • Access Restriction
      • Member Portal The member portal enables you to manage which visitors get to view what pages.
      • Intranet  Access restriction enables you to limit your website's visibility by hiding pages from either all organization members or specific members in your organization.
  • Privacy by Design
    • Anonymization

      In order for you to view your visitor statistics, Zoho Sites anonymizes IP addresses to their respective country codes. Only anonymized data gets stored and never the IP address.

    • Roles

      The contributors feature enables you to invite friends, family, and colleagues to collectively edit your site content and design.

      You can grant four levels of access:

      1. Admin
      2. Author
      3. Developer
      4. Guest
      Each role has its own privileges, invitees can access your site only after they accept the invitation sent to their email address.
  • Audit Logs

    You, the data controller can get insight and control over all data that has been entered in your site by either contributors or yourself.

  • Data Portability

    All data that you have entered in your website can be downloaded at any time in a .zip format which is password-protected.

  • Form Data

    You, the data controller can download form data at any time.

  • Consent

    Before integrating with any internal or third-party service, your permission will be requested. Once you grant permission, you can integrate with Zoho products such as: Zoho CRM, Zoho PageSense, Zoho Campaigns, and Zoho Sales IQ. Each of these Zoho products are GDPR-ready. Click here to learn more.

Data Subject Rights

The following are the Data Subject Rights that GDPR recognizes and how Zoho Sites helps you address them.

  •  

    Right of access:

    A visitor may request you (the Data Controller) for data that he has submitted through the forms on your website. You can download the data and send it to your data subjects.

  •  

    Right to rectification:

    Data Subjects may request to rectify data that they have entered in forms. Once the request is made, you can make required changes to the form data. Click here to learn more about downloading form data.

  •  

    Right to be informed:

    Website visitors have the right to be informed on how their personal data was, is, and will be processed. You can link your websites privacy policy to any place where you collect data or at the footer of your website. By doing this, you can address the 'Notice' and 'Transparency' requirements of GDPR.

  •  

    Privacy:

    The blog comments and comment box features have an "Guest" option for Data Subjects to comment anonymously. 

Data Hosting (Locality)

Zoho Servers are located in the most secure data centers in US, EU, and CN. The region where we host your service data depends on the Zoho domain that your Zoho Sites account is registered in.

The following table lists the Zoho domains and their respective hosting locations.

Zoho Domain - Account creationData Center Location
sites.zoho.comUS (United States)
sites.zoho.euEU (European Union)
sites.zoho.com.cnCN (China)