Kameleoon's GDPR compliance

In 2018, the protection of Internet users' personal data is taken further. Fines for companies making fraudulent use of personal data are multiplied (up to 130-fold). This legal revolution is brought on by GDPR.

The General Data Protection Regulation was adopted by the European Parliament in 2016 and will be effective on May 25, 2018. The regulation affects all companies that process European users' personal data.


Disclaimer: Kameleoon does not provide legal advice regarding GDPR. This page only aims to inform on the major challenges GDPR implies and how Kameleoon's personalization tool complies with this regulation.

What changes with GDPR?


1. Collection and processing of personal data

Under GDPR, you no longer have the right to collect personal data if the user hasn't explicitly authorized you to do so. Your data management policy needs to be perfectly clear. You do not have the right to process a visitor's personal data unless they have explicitly agreed.


2. Data transfer outside the EU

With GDPR, transferring a customer's personal data outside the European Union becomes illegal. A company operating on several continents and using tools that centralize customer data outside the EU breaches the new regulation. The same is true for any company operating in Europe and centralizing user data outside the EU.


3. Obligation to report security leaks and data theft

Yahoo, MySpace, eBay, Sony, Ashley Madison, Dropbox, Tumblr, LinkedIn, Adobe, etc.: data theft happens all the time. In the past, companies tried to hide these incidents for as long as they could. With GDPR, corporations have 72 hours from the moment the breach is known to inform the competent authorities. Users also have to be informed, although GDPR doesn't set a timeframe for that. However, it's a matter of common sense and of keeping their trust to inform users as soon as possible.


4. User’s right to retrieve the collected data (portability)

Under GDPR, you must be able to reconstitute all of a visitor's data at their request, in a structured, unencrypted format.


5. Right to erasure

A person who has given you his or her data has the right to ask you to erase it entirely. If they do, you have to comply.


6. Nomination of a Data Protection Officer

The nomination of a Data Protection Officer (or DPO) is mandatory for all corporations processing user data on a large scale or regularly tracking data subjects or sensitive information. This also applies to the public sector, independently of the purpose or type of processing.


Any corporation that fails to respect the new rules risks fines of up to 4% of its overall revenue, or €20 million, according to the severity of the infraction.

How Kameleoon complies with GDPR

Platform compliance

  • Data collection: In its standard setup, Kameleoon's platform doesn't collect or process any personal data as defined by GDPR. The only data collected is anonymized browsing data which doesn't allow a visitor's identification. However, the Customer has the possibility to inject existing personal data from their ecosystem (CRM, DMP, ...) into Kameleoon, to improve analyses and results. In that case, the Customer has total control over the information and selects only authorized data. Kameleoon processes this personal data in a totally GDPR-compliant way and follows the Customer's written instructions and data processing procedures.

  • IP anonymization: As the IP address is considered personal data, Kameleoon doesn't process or save it but replaces it with a randomly generated ID. This guarantees complete anonymization and a higher level of data protection.

  • Encryption: Kameleoon complies with security standards and offers the encryption of information under certain conditions. Kameleoon's JavaScript communicates over HTTPS with kameleoon.com if the original (client's) page is also served over HTTPS.

  • Portability: Kameleoon enables the Customer to deliver the entirety of a given visitor's collected data on request.

  • Right to erasure: Kameleoon can erase any personal data within 72 hours. Moreover, visitors have the possibility to opt out of the personalized experiences they are offered. To prevent their data from being used for personalization, visitors have access to a link offering to deactivate tracking and any type of data processing. The Customer only needs to add a link to the website's privacy policy page. The parameter "#kameleoonOptout=true" must be added at the end of the URL. A "kameleoonOptout" cookie is created in the user's browser, storing the information about their refusal and completely deactivating Kameleoon.
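The opt-out mechanism described above (a `#kameleoonOptout=true` fragment on the privacy-policy link, persisted as a `kameleoonOptout` cookie that switches tracking off) is shown here as an added illustrative example. It is not Kameleoon's own script: the function names, the cookie value `true`, the one-year `Max-Age` and the `SameSite`/`Secure` attributes are this example's assumptions. The parsing and decision logic is kept free of browser globals so it can be unit-tested; only the last few lines touch `window` and `document`.

```javascript
// Added example (not Kameleoon's code): honour a "#kameleoonOptout=true"
// link by recording the refusal in a "kameleoonOptout" cookie and gating
// every tracking/personalization call on that cookie.

const OPTOUT_PARAM = 'kameleoonOptout';   // fragment parameter named on the page
const OPTOUT_COOKIE = 'kameleoonOptout';  // cookie name named on the page
const OPTOUT_MAX_AGE = 365 * 24 * 60 * 60; // assumed: keep the refusal for a year

// Parse a URL fragment such as "#a=1&b=2" into a key/value map.
function parseFragment(hash) {
  const params = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const part of body.split('&')) {
    if (!part) continue;
    const idx = part.indexOf('=');
    const key = idx === -1 ? part : part.slice(0, idx);
    const value = idx === -1 ? '' : part.slice(idx + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return params;
}

// True only when the fragment explicitly carries kameleoonOptout=true.
function fragmentRequestsOptout(hash) {
  return parseFragment(hash)[OPTOUT_PARAM] === 'true';
}

// Parse a document.cookie string ("a=1; b=2") into a key/value map.
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of cookieHeader.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const idx = trimmed.indexOf('=');
    const key = idx === -1 ? trimmed : trimmed.slice(0, idx);
    cookies[key] = idx === -1 ? '' : trimmed.slice(idx + 1);
  }
  return cookies;
}

function cookieSaysOptout(cookieHeader) {
  return parseCookies(cookieHeader)[OPTOUT_COOKIE] === 'true';
}

// Build the cookie string that records the refusal. SameSite=Lax keeps the
// preference from being set cross-site; Secure is only added on HTTPS pages
// because browsers reject Secure cookies set from plain HTTP documents.
function buildOptoutCookie(secure) {
  const attrs = [
    `${OPTOUT_COOKIE}=true`,
    'Path=/',
    `Max-Age=${OPTOUT_MAX_AGE}`,
    'SameSite=Lax',
  ];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Decide from the current fragment and cookie jar whether tracking may run.
// Returns { trackingAllowed, setCookie }: setCookie is non-null only when a
// fresh opt-out request has to be persisted.
function evaluateOptout(hash, cookieHeader, secure) {
  if (fragmentRequestsOptout(hash)) {
    return { trackingAllowed: false, setCookie: buildOptoutCookie(secure) };
  }
  if (cookieSaysOptout(cookieHeader)) {
    return { trackingAllowed: false, setCookie: null };
  }
  return { trackingAllowed: true, setCookie: null };
}

// Browser glue: evaluate once at page load, persist the refusal if requested,
// and start the personalization script only when tracking is allowed.
function applyOptoutInBrowser(startTracking) {
  const secure = window.location.protocol === 'https:';
  const decision = evaluateOptout(window.location.hash, document.cookie, secure);
  if (decision.setCookie) document.cookie = decision.setCookie;
  if (decision.trackingAllowed) startTracking();
  return decision;
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyOptoutInBrowser(() => {
    // Assumed hook: load/initialise the personalization script here.
  });
}
```

Because the opt-out is only ever derived from the fragment or the cookie, a visitor who follows the privacy-policy link once is excluded from tracking on every later page view until the cookie expires or is cleared; the gate has to sit in front of every tracking call, not only the initial script load.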

Organizational compliance

  • Nomination of a DPO: Our security and GDPR compliance program is supervised by a Data Protection Officer named in January 2018.

  • Response in case of an incident: Our incident management program enables us to react to security breaches on a 24/7 basis. If visitor or customer data is impacted, the Customer is informed without delay, as stipulated in the contract.

  • Security insurance plan: Kameleoon's security measures take into account state-of-the-art technology and GDPR requirements. Kameleoon guarantees confidentiality, integrity, availability and traceability of the Customer's data and keeps an updated written documentation detailing implemented technical and organizational security measures.

  • EU-based servers: Kameleoon’s servers are situated in Europe. No personal data whatsoever circulates outside the EU, so our customers are sure to comply with GDPR’s data circulation restrictions.

  • Product development and new features: All new features to be developed are GDPR compliant and follow strict guidelines to guarantee compliance with personal data protection rules.
