GDPR is a set of rules governing how the personal information of European Union (EU) citizens can be collected, managed, processed, or stored. Under GDPR, users have the right to see what data has been collected about them, and the right to request the deletion of collected data.
Under GDPR, both Tilia and the Partner have responsibilities when it comes to handling customer data. This document helps clarify these responsibilities and outlines processes for responding to GDPR requests.
Article 4 of General Data Protection Regulation (GDPR) provides these definitions:
- Controller means “the natural or legal person, public authority, agency, or other body, which alone or jointly with others, determines the purposes and means of the processing of personal data;....”
- Processor means “the natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller;...”
There are 3 categories of customer information collected by Tilia:
- Account Information. This is the information passed to us by a Partner in setting up an account for the end-user. At a minimum, account information always comprises usernames and email addresses, which are required for account creation. This data is retrievable by the Partner and a copy of this data is often stored on the Partner’s systems.
Account information may also include, but is not limited to: First Name, Last Name, Date of Birth (DOB), the user’s acceptance of Tilia Terms of Service, and the login provider (if logging in through a 3rd party service such as Twitch or Steam).
- Know Your Customer (KYC) Data. For users to perform certain activities, Tilia may collect KYC data. KYC data is collected directly from the user, either via our web interface or through email/phone contact with Tilia customer support. KYC data is shared with our partner, Acuant, in the process of verifying the user’s identity. KYC data is NOT accessible by the Partner.
KYC data may include but is not limited to: First Name, Last Name, Street Address, City, State, Country, Postal Code, DOB, Phone Code, Phone Number, Social Security Number (SSN), and Supporting Documents (e.g. a copy of the user’s government-issued photo ID, a copy of a utility bill)
- Payment Method Information. Lastly, we collect information associated with any payment methods added to the system. This includes details regarding the customer’s PayPal or credit card accounts; this information is also shared with the corresponding payment provider.
Payment method information may include but is not limited to: First Name, Last Name, Email address, Street Address, City, State, Country, Postal Code, along with the information required to process credit card and PayPal transactions.
To determine responsibility for addressing GDPR requests, it is important to identify if you are the processor or the controller of that data.
- If you collect and store that data, you are the controller.
- If another party is collecting that data and passing it to you to perform some contract, you are the processor.
If you are the controller, you must handle the GDPR requests. The processor has no obligation to handle GDPR requests.
As mentioned above, a variety of payment method information is collected by Tilia. For data that is only retrievable by Tilia, Tilia is the controller.
Some customer data can also be retrieved by the Partner to provide a seamless user experience. Partner-retrievable data includes the payment method address, the masked credit card number, expiration date, BIN number, etc. We treat this data as if both Tilia and the Partner are controllers of the data.
This means that both Tilia and the Partner should respond with this data in a GDPR request, and either can delete the payment method information on file upon request.
In addition to the legal requirements of GDPR, the overall customer experience should be considered. Generally, our Partners prefer to provide first-line support for all customer inquiries, including GDPR requests.
The following scenarios outline a process for handling both GDPR requests and deletion requests.
The Partner receives a GDPR request from a customer.
- The Partner verifies the user. Once verified, the Partner gathers all data for which they are the controller and provides it to the customer.
- The Partner explains to the customer that some data is controlled by Tilia. The Partner notifies us via the Tilia ticketing system that the customer is issuing a GDPR request. Tilia responds by sending the requisite information directly to the customer.
Tilia receives a GDPR request from a customer.
- Tilia verifies the customer. Once verified, Tilia gathers all data for which we are the controller and provides it to the customer.
- Tilia explains to the customer that some data is controlled by The Partner. Tilia directs the customer to contact the Partner directly for this data.
The Partner receives a deletion request from a customer.
- The Partner verifies the user. Once verified, the Partner deletes all data for which they are the controller. If the customer requests a complete deletion of all data, this should also include "closing" the customer’s Tilia account.
- The Partner sends a delete request to us via the Tilia ticketing system.
Tilia receives a deletion request from a customer.
- Tilia verifies the customer. Once verified, Tilia directs the user to contact the Partner to request a full GDPR delete.
- Upon closing the user account in their system, the Partner sends a delete request to us via the Tilia ticketing system.
Due to regulatory requirements, certain transactional information cannot be deleted. This means that even in the case of a full GDPR delete, Tilia may need to retain certain records. Contact our Compliance Team with any questions.