The General Data Protection Regulation (GDPR) is a consumer protection and data privacy law that applies to companies that do business in the European Economic Area (EEA).
GDPR obliges companies to disclose what personal data they collect from individuals (e.g. names and email addresses) and, in many cases, to obtain positive consent before personal data is collected.
Because customers of Vidyard are able to use our technology to obtain personal data (e.g. email address, name, company) about the viewers of their videos, it is important to understand what it means to use Vidyard in compliance with GDPR and how the product enables your team to achieve that.
Learn more about what data Vidyard collects about viewers.
Whose responsibility is it to obtain consent from viewers?
It is your responsibility to ensure that you follow applicable laws in the geographic areas where you conduct business.
If you are using Vidyard to communicate with viewers in the European Economic Area (EEA), you must meet two requirements to ensure you are in compliance with GDPR:
- You must have established a legitimate interest in the individual's personal information or have obtained positive consent from a viewer before a video (using Vidyard’s technology) is allowed to collect personal information (e.g. an email address).
- You must be able to manage requests from viewers (known as data-subject requests) to access, update, or forget the information that you have obtained using Vidyard’s technology.
Vidyard provides you with the tools to meet both requirements.
Note: for users of our free product, Vidyard handles the responsibility to obtain positive consent from viewers. A consent prompt automatically appears on the pages that Vidyard creates to allow free users to share videos with their audience. The prompt appears for viewers when we detect that their IP address may have originated in the EEA.
What tools does Vidyard offer to help customers achieve GDPR compliance?
Obtaining consent from viewers
The technology behind a Vidyard video is what makes it possible to capture analytics as well as to identify and collect information about a viewer. We’ve expanded our product tools so that you can communicate to the Vidyard video player when positive consent has been given to collect information about an individual (e.g. through mechanisms like browser cookies).
Most often this means using the Vidyard Player API along with a banner or prompt on a webpage to ask new site visitors to accept browser cookies and data collection.
Without consent, the video player will only collect completely anonymized viewing data (i.e. viewing data with no associated personally identifiable information).
Managing data-subject requests
We’ve added tools to Vidyard that allow customers to manage requests from viewers to access, update, or forget information that they have obtained using Vidyard’s technology.
- You can submit requests against an email address through Vidyard’s in-product GDPR request tool.
- You can connect to our GDPR Request API to programmatically manage requests against Vidyard’s database.
Can I obtain or remove information that Vidyard has collected about me?
Yes. Residents of the European Economic Area (EEA) can submit a data subject request to a company in order to access, update, or forget any personally identifiable information (PII) that may have been obtained about them (typically associated with an email address).
If you’ve watched a Vidyard video on a company’s website and have questions about what personal information they may have obtained, contact our Data Protection Officer at email@example.com. It is Vidyard’s policy to help you get in contact with our customer to make a request regarding your personal information.
When you make a data subject request, it should encompass any personal information that the company stores within their own databases, as well as in any third-party tools that the company uses (e.g. Vidyard). The request is then passed to Vidyard as a sub-processor of the company’s data.
When Vidyard receives a request from one of our customers to forget your personal information, we ensure that your personal information is deleted in its entirety and that any other data associated with your email address is completely anonymized in our database. In some instances (such as maintaining a record of the request or maintaining a do-not-contact list), your email address may be kept on file for limited purposes as allowed by applicable law.
Does Vidyard have a Data Protection Officer?
As part of Vidyard’s own obligations under GDPR, we have appointed a Data Protection Officer who is responsible for ensuring that we meet our responsibilities for managing personal data. You can contact our Data Protection Officer at firstname.lastname@example.org.
Does Vidyard have a DPA?
Yes, we are more than happy to sign a Data Processing Agreement with customers to complement our existing Terms of Service.
You can review our Data Processing Agreement online. It also includes instructions on how to complete the DPA and submit a signed copy to Vidyard.