If you utilize the contact collection feature within your chatbot, it's important to consider the obligation to obtain users' consent for processing their personal data in compliance with the General Data Protection Regulation (GDPR). In this article, we will provide you with recommendations on how to properly set up the contact collection function to ensure compliance with current legal regulations.
Please see this tutorial about Leadgen Chatbot for more information.
Who is responsible for what?
Under GDPR, it is important to differentiate between the data controller, who determines how and why personal data is processed, and the data processor, who processes personal data on behalf of the controller.
If you are using the automatic contact collection feature through a chatbot, you become the data controller. You determine what data will be collected, how it will be handled, and you are responsible for complying with legal obligations regarding the protection of personal data. Smartsupp, the company providing the chatbot platform, acts as the data processor and processes the data based on your instructions.
Requiring consent
The contact collection feature of the chatbot includes the option to require consent for processing visitors' personal data. If you enable this option, the chatbot will first prompt the visitor to grant consent before proceeding with the data collection. This consent is also stored in the visitor's profile. This way, you have an overview of which of your contacts have given their consent and which have not. If a visitor does not grant consent, the chatbot will not proceed with the contact collection.
Communication with contacts
It is important to ensure that within your marketing communication, you only contact those contacts who have given their consent for the processing of their personal data. Contacting contacts who have not provided consent for the processing of their personal data would be in violation of the applicable GDPR regulations.
Link to the Privacy Policy
If you require GDPR consent from your visitors, it is recommended to properly include a link to your Privacy Policy within the chatbot. While it is not mandatory to publish the chatbot's Privacy Policy, we strongly recommend providing a link to it, as you, as the data controller, have an obligation under GDPR to inform your customers about how their personal data will be handled. By including the link, visitors will have all the information about how their data is processed, and by granting consent, they will be aware of the subsequent marketing communication from your side.
If you do not include the link in the chatbot, the chatbot will refer to general GDPR information provided in the widget, where our role as the data processor is described in relation to your role as the data controller.
Conclusion
We recommend adhering to the provisions of GDPR when using the automatic contact collection feature through a chatbot. It is important to require consent from your visitors for the processing of their personal data and to only engage with those contacts who have granted their consent within your marketing communications.