Privacy Overview

Adabra Marketing Automation & GDPR

Here is an overview of how our company has dealt with the entry of the General Data Protection Regulation.
The focus of your marketing activities, digital and non-digital, must be on your consumers.
Thanks to Adabra's advanced segmentation, you will be able to use demographic, past and present behavior characteristics and understand where users are in the Customer Lifecycle, tracking their behavior both online and offline.
These dynamic segments, updated in real time, will allow you to get to know your users better, building dedicated experiences for them.

GDPR Regulation ➝

What did Adabra do to comply with the New Rules?

Since the beginning Adabra has always paid great attention to the privacy policy and all subsequent changes. Operating in the field of data profiling and segmentation, it was therefore necessary to be in line (even a step forward in many cases) with legal obligations. It was, therefore, relatively easy to adapt to GDPR as most of the requirements of the new rules were already present in the initial framework of our systems. But let's see together and in detail which new functionalities our platform offers and what has been modernized to comply with the new regulations:

The GDPR gives users ("interested parties"), whose data are processed, a new set of possibilities. One of the most important is the "right to be forgotten", i.e. the possibility for data subjects to have their data, even if collected with their consent, completely deleted.
The law applies to data stored in both digital and paper form, as well as all backups of such data. To make this right effective, Adabra has confirmed the "Opt Out" button, also adjusting standard data storage durations.

The GDPR also introduces the right to data portability, allowing our customers and their users to request personal data about them in a structured, commonly used and electronically readable format and also to request its transfer, for example to another company if their contracts are transferred.The right to data portability applies to the processing:- based on marketing consent - carried out automaticallyThe right to request the transmission of data to another data controller exists only if the operation is technologically feasible, therefore it is necessary that, for example, the two systems involved, (transmitter and receiver) are compatible. Our Adabra platform is already compliant in this respect, and therefore our customers can easily transfer all contacts to external systems in the form that will be more convenient for them: in the form of files or via API.

If the tracking of users is based on anonymous data, which does not allow them to be identified, even indirectly, GDPR does not apply and the customer does not have to worry about obtaining any consent from users.

It is not necessary to modify the contact collection forms. It will not be necessary to include any request for additional consent, compared to those used so far, as long as the customer is able to prove that he has provided the information to those concerned.

The Adabra platform will allow, in line with GDPR's requirements, to identify and reveal where the data was acquired from ("data source").

Contract Modifications

As we have always done, we address our customers with the utmost clarity and transparency.

In order to use Adabra, it is necessary to sign the license agreement and authorize the processing of data by Ad Spray Srl, according to our General Conditions of Service (GSC), which we have updated for everything involved in the implementation of the GDPR.

Even for our current customers, the obligations provided by GDPR will become effective as of 25 May 2018.

View the General Conditions of Service ➝

What happens to the Current Customer Database?

The law is not retroactive, i.e. it means that the use of all behavioural profiles collected legally before the entry into force of the GDPR will continue to be possible.

Further elaboration and profiling of stakeholder profiles should - from now on - be allowed on the basis of new information in accordance with the GDPR.

Deletion of data will only be necessary if requested by the data subject.

How to acquire a Valid and Verifiable User Consent

The consent is valid if it is "explicit", i.e.: expressed. GDPR has excluded that it can detect any form of implicit or tacit consent (i.e. silence is not equivalent to consent), or obtained by proposing a number of pre-selected options.

It must be free (i.e. not forced or conditioned), formulated in a specific form (and therefore not expressed with reference to a generically identified treatment, while the different consents will have to be separated from each other), informed (i.e. preceded by relevant information).

Geographic Localization

Data Storage Explicitation 
Adabra cares about user privacy and has chosen to locate its servers and data storage activities in the EU.
That's right!
The different servers used by Adabra are in Italy and geographically redundant within the European Union. In addition, our suppliers comply with ISO-27001 (Data storage) and even if there are integrations with third party platforms that reside outside the European community, we have verified that they guarantee an adequate level of protection of personal data, adhering to the EU-US Privacy Shield agreement.

Documentation available to the customer
Adabra has implemented a data security policy and IT systems management procedures, all of which are documented and available to the customer.

The most important changes introduced by GDPR

Here are the most important changes introduced by the GDPR

Your personal data (and your customers' data) must be stored in European territory. If the data is stored outside the EU, in agreement with GDPR, Adabra will make sure that the countries to which the data is transferred ensure an adequate level of protection of personal data (adequacy decision of the European Commission), or appropriate safeguards are adopted through contractual instruments (model clauses; binding corporate rules).

Your users have the right to be forgotten and, at their request, you must be able to delete their data from your database.

Your customers have the right to request that their data be returned to them or transferred to another company in a structured, commonly used and electronically readable format.

The consent to process personal data must in any case be requested in the manner provided for and with respect to a correctly formulated statement.

You will have to apply data protection right from the design (privacy by design) of your IT solutions and systems.

The administrative penalties for violation of the regulations increase - up to 20mln Euro and 4% of the turnover, if higher.

The new accountability rules are designed to ensure that the data controller has adopted the appropriate organizational and technological security measures and is able to demonstrate that its processing is carried out in accordance with the GDPR.

You must keep track of the processed data

You are obliged to notify the Data Protection Authority of any incident involving a data breach in terms of loss of confidentiality, integrity and availability and you have a short period to do so: 72 hours!

What do I have to do to Comply with the New Regulations?

You'll need to prepare the necessary documentation, which includes:

Security Policy
A summary document (known as "Security Policy Document") explaining the main precautions to protect the data you manage.
Notification procedure for computer incidents
Adoption and documentation of a procedure to notify computer incidents to the Guarantor Authority for the Protection of Personal Data and possibly to your users.
Procedures for managing the exercise of the right of access
Adoption and documentation of a procedure on the exercise of the right of access to personal data by users.
Register of processing activities
Creation and maintenance of a log that shows how the data process operations are performed.
Privacy Impact Assessment
Carrying out the privacy impact assessment in the event that the processing of personal data poses a high risk to the rights and freedoms of data subjects.
Designation of Data Protection Officer
Designate a Data Protection Officer when your main activities consist of processing operations, which by their nature, scope and purpose require regular and systematic monitoring of data subjects on a large scale.

Choose the Right Partner as your Guide to Success.

Adopt the Adabra method and Create a Winning Strategy!

Contact us for a consultation

How does an Audit take place?

What documentation should I prepare? In the case of audits aimed at assessing the degree of compliance of the organisation with GDPR, it is necessary to demonstrate that:
(i) the data has been obtained on the basis of consent or other legal basis,
(ii) those who process the data have received instructions to do so (written authorization issued by the data controller);
(iii) there is a record of violations (data breaches);
(iv) any violations are notified to the Data Protection Authority within 72 hours of the fact.


The audit will be sent preceded by a written notification and will consist of a visit by auditors who will verify how the data is managed (including the level of security achieved) and the means used, as well as the presence of documentation that is suitable to represent them.

Adabra has also implemented GDPR-compliant security measures for this purpose, including:
the adoption of an access and user management procedure;
the establishment of the log of personal data processing operations; the monitoring and adoption of intervention policies in case of security breaches; the establishment of the log of personal data breaches; the management of backup policies; the adoption of encryption policies for personal data sent by customers.

Subscribe to our Newsletter

Find out how Marketing Automation and Artificial Intelligence can help you improve your results.