Kindful is committed to data protection. That’s why we welcome the General Data Protection Regulation (GDPR).
The GDPR is a regulation intended to strengthen and unify personal data protection for all individuals within the EU. It aims to protect the fundamental right to privacy and the protection of personal data.
Customer trust is our absolute top priority. We know that our users worldwide care deeply about their privacy and data security. We have established two data services that will enable your organization to respond to GDPR data requests. This gives Kindful customers and donors greater control over personal data and the tools necessary to protect the information of visitors to Kindful tools and pages.
To whom does the GDPR apply?
The GDPR applies to any organization processing (collecting, recording, storing, using, disclosing, etc.) an individual’s personal data if the organization is established in the EU, targeting in the EU, monitoring EU residents, or performing these tasks as obligated via contract. Organizations that are subject to the GDPR and collect, store, or process personal data must comply with the GDPR’s Data Protection Principles and other conditions of processing. The GDPR makes no distinction between non-profit or for-profit organizations.
The GDPR does not apply to organizations who are neither established in the EU, nor process individual, personal data of EU residents.
If you believe your organization may be subject to the GDPR, consult your legal advisor.
Does the GDPR only apply to EU organizations?
No. Organizations outside of the EU can also be subject to the GDPR if they hold or process personal data of EU citizens—regardless of whether the company is based in the EU—but only if they’re actively targeting EU residents by taking steps like using an EU language or currency, or specifically advertising in the EU.
What are the GDPR data protection principles?
- Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent.
- Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in an incompatible way.
- Data minimization: Personal data must be adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected.
- Accuracy: Personal data must be accurate and kept up to date and collector must take reasonable steps to rectify or erase inaccurate data.
- Storage Limitation: Personal data must not be kept in identifiable form for longer than necessary.
- Integrity and confidentiality: Personal data must be processed in a way that ensures security of the data and protects it from unauthorized use.
- Accountability: Controllers must demonstrate compliance with the Principles.
What is Kindful doing to ensure data protection for all our customers?
The security of our users' accounts and donation pages is of the utmost importance to us. Kindful uses advanced security tools to locate and eliminate security issues. We also perform regular internal security audits. If you believe you've found a security issue or vulnerability, please contact email@example.com.
Kindful’s payment processing tools (donation pages/donation plugin) are Payment Card Industry Data Security Standards (PCI DSS) compliant. For more information on PCI Compliance, click here.
Kindful's signup and login services are completed through a secure server (HTTPS/SSL). Additionally, your password is stored using best practices that safely hash passwords. In the event of a security breach, your original password cannot be recovered from our servers.
Kindful uses Transport Layer Security (TLS) encryption to help protect your online financial transactions.
In accordance with the GDPR, site visitors have the right to access their data or "be forgotten" (be permanently deleted from your databases).
Identify your organization’s basis for data processing
While much of the focus of the GDPR is on opt-in consent, there are six lawful bases under which your organization can process data. You must decide which legal basis you are relying on for processing personal data for each of your activities and clearly document this.
Aside from processing based on consent, GDPR provides that processing personal data by an organization can be lawful if it is necessary for the performance of a contract, to comply with a legal obligation (e.g., tax reporting and receipting), to protect a person’s vital interests, for the performance of a task carried out in the public interest, in the exercise of the processor’s official authority, or where necessary for purposes of legitimate interests of the processor.
Kindful has established two data services enabling your organization to comply with GDPR data requests. Click here to learn more.
Is Kindful GDPR Compliant?
The EU’s GDPR (General Data Protection Regulation) is a regulation intended to strengthen and unify personal data protection for all individuals within the EU. It aims to protect the fundamental right to privacy and the protection of personal data.
The GDPR applies to any organization processing (collecting, recording, storing, using, disclosing, etc.) an individual’s personal data if the organization is established in the EU, targeting in the EU, monitoring EU residents, or performing these tasks as obligated via contract
The GDPR does not regulate software specifically, but Kindful has established processes to enable your organization to comply with the GDPR.
When we get gifts from EU residents, how can they opt into communications?
When someone makes a donation via a Kindful Donation page, they do not have the opportunity to explicitly opt-in to marketing communications from your organization. For this reason, we do not recommend syncing any EU residents into your email marketing client from Kindful.
How can find all of my contacts who are EU residents?
Use the “In Country” filter to find all contacts who have an EU address by selecting each of the EU countries. Note, if you don’t have any contacts with an EU address, you will not see any EU countries in your “In Country” filter in Kindful.