Introduction to GDPR in Sitecore CDP


Use Sitecore CDP to help you achieve GDPR compliance.

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. This regulation also addresses the export of personal data outside the EU.

Organizations that use the Sitecore CDP 2.0 data model can use this guide as a GDPR compliance reference. If you have questions about which data model version your organization uses, please contact your Sitecore Account Manager.

Sitecore CDP provides a complete view of your customer base, using algorithms to build detailed customer profiles from behavioral and transactional data points captured from online and offline data sources. To ensure the data is available for real-time personalization, the platform produces views of the data at different speeds, giving eventual consistency.

Sitecore CDP is not designed to be a compliance tool or central consent hub that manages consent for other marketing or operational systems. Any organizations using Sitecore CDP to orchestrate consent or meet compliance across the marketing stack do so at their own risk, and Sitecore accepts no responsibility for the performance of Sitecore CDP used for this purpose.

Roles within GDPR

In the context of GDPR compliance, Sitecore CDP is considered the data processor, and an organization using Sitecore CDP is considered the data controller. The individual with the personal information is the data subject.

As a data controller, it is your organization's responsibility to be compliant with all GDPR regulations. This includes not using Sitecore CDP to store or process any sensitive personal data.

Rights of the data subject under GDPR

In line with GDPR compliance, Sitecore CDP can help your organization ensure that you support the following rights of the data subject:

  • Right to erasure, that is, the right to be forgotten.

  • Right to data portability.

  • Right to data rectification.

  • Right to restrict processing.

  • Rights in relation to automated decision making and profiling.