Your Repsonsiblities under GDPR

Your Responsibilities Under GDPR 

The General Data Protection Regulation (GDPR) is a new regulation in the European Union.  The law was written in general terms and some aspects of it are unclear at this time.  As best practices emerge and as litigation takes place, the GDPR will be clarified.  Best practices may dictate that this document changes. 

The information provided herein is for informational purposes only and does not constitute legal advice.  Your decision to comply or not comply with the GDPR is your decision alone based on your specific business and use case. 


The GDPR is an European Union (EU) regulation intended to protect the privacy of EU citizens.  The GDPR may be considered to expand the scope of EU data privacy law.  


Businesses based in the EU and those based outside of the EU offering goods or services to, or monitoring, EU residents 

If you are doing business with or collecting any kind of personal data from individuals located in the European Union, you must comply with the General Data Protection Regulation (GDPR) ( that went into effect on May 25, 2018. To help you comply, Artspan can add a cookie notification banner to your site. In addition, we have prepared this FAQ to include other useful information to help you prepare for GDPR. 

If EU citizens sign up for your newsletter, post comments on your blog, contact you through your Artspan website, or purchase artwork (or other goods) from you then, technically, you would be expected to comply with the GDPR. 


If you need to comply with the GDPR, then, in regards to your relationship with Artspan, you are the "data controller" for the data your users provide to you.  Artspan is your "data processor" and you authorize us to process that data, through your contract with us to host your website and other services. 


Personal data under GDPR includes any information about an individual that you may collect directly or indirectly through your website. Some examples of this are a person’s name, address, or email address.  You might obtain such information through a form on your website, such as a contact form, email subscription form, or blog comment. Personal data that may be transmitted indirectly includes things like a user’s IP address or the information stored in a browser cookie. 


The GDPR allows individuals in the EU greater control over their personal data and grants them a number of rights with regard to how that data is processed, stored, and accessed. The section below covers the two situations that you, as a website owner, are most likely to see, but you should also carefully review the full list of data subject rights here: 

The right to be forgotten: A person can request to be “forgotten”; that is, to have all of their personal data removed from your possession. If you are asked to do this, you will need to remove any personal data you have collected from the requester. You will also need to contact any third parties, such as Artspan, that process personal data on your behalf. To ensure that any personal data in Artspan's possession can be removed in a timely manner, you can relay any request to be “forgotten” to us by submitting a request at [email protected]. Let us know the name and email address of the person who made the request and we will remove the user's data from anywhere we have stored it. 

Data portability: Under GDPR, an individual located in the EU may request that you send them any personal data in your possession. In this case, you would need to provide the requester with any personal data that you have in a commonly used, machine-readable format. You would also need to contact Artspan at [email protected] to obtain any personal data stored on our end. 

Access: Any data subject can ask the controller of their information to confirm how and where their personal data is being stored and processed. The data subject also has a right to know how that data is shared with third parties. 

Rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. 

If a user approaches you with a request to avail themselves of any of the rights mentioned above, please note that you have 30 days to do so.  

If your site visitor is in the EU, they can ask to have their data deleted or exported They can also ask how their data is stored, and/or request that any errors be corrected.  


We've done several things to ensure your Artspan site is GDPR compliant. 

* We've ensured that our analytics partner is GDPR compliant.   

* We've verified that our primary partners are all GDPR compliant.   

* You can request from us that we add a cookie banner to your site, so that uers know that your site uses cookies.  Artspan cookies do not store any personal data about your site visitors but other services you utilize might. 

* We now require that all Artspan Newsletter Subscribers that are added to your list, whether subscribed from your Artspan website, or whether added by you in the Artspan control panel are required to verify their consent to receive promotional newsletters from you by clicking an opt-in link to demonstrate consent. 


Apart from promptly responding to requests from EU data subjects as described above, there are other things you can and should do to help ensure compliance. Here are some suggestions to get you started: 

Add a Privacy Policy to your website. If you already have one, you should review the terms to make sure it complies with the expanded requirements under GDPR. 

Alert visitors to the use of cookies on your website. You may request we add a cookie banner to your website if you want to turn this feature on. 

Inform your visitors and get their consent. Whenever you need to collect data from a user, make sure to clearly state, among other things, why you need it, what you plan to use the data for, whether it may be shared and with whom, and the lawful basis on which you are relying to collect such data. For example, if you have a newsletter or mailing list, make sure that the purpose of your sign up form is very obvious so they know what they are signing up for. 

Obtain consent from existing subscribers.  If you have subscribers on your list who have never explicitly opted in to your list, particularly if you know you have EU based subscribers, you should send your whole newsletter list a re-engagement email requiring them to consent to continue to receive promotional newsletters from you.  After a reasonable period of time, remove the subscribers who did not provide new consent. 

Evaluate third-party apps and vendors for compliance. If you are using any third-party services or widgets to gather or process customer data, you will need to check with those companies to verify they are GDPR compliant and will assist you with, among other things, users’ data removal and portability requests. 


Do you collect personal data on your site using third-party, non- Artspan services? (e.g., Google Analytics, MailChimp, Facebook Pixel, Other widgets or scripts).  

You should read the privacy policies of those services. 

Do you download or export data from your site into another system? 

If so, don't forget to delete that data and/or provide that data if you receive a deletion or export request from an EU citizen. 

Are you gathering information you don’t need? 

If so, consider not gathering that data. 

How can you reduce the amount of data you are responsible for? 

You can disable comments on your blog and move the discussion to a social media site.  That would shift the responsibility for GDPR compliance regarding those comments to that social media site. 

Don't forget places besides Artspan where you store data and don't collect data you aren't using or don't need.