Customer Service

The Chat Shop + GDPR

June 10, 2021
June 10, 2021

Data Privacy in the EU

Understanding data privacy in the European Union (especially with the new GDPR) can be as frustrating as straightening out a tangled thread. The EU/EEA have a few different policies in place so that when companies capture personal data, they’re honest and transparent about why they want it, where they’re storing it, why they’re processing it, and who gets their hands on it. Basically, these laws and directives ensure a protected flow of data from individuals to companies they trust and any other party that company trusts.

A Brief History of EU Data Privacy

Let’s bring it back to the 1940s. After World War II, the council that became the EU formed and passed the European Convention on Human Rights. The proto-EU did this to guarantee certain freedoms and rights across its member states. One of those new, important rights was a person’s right to privacy of correspondence. That’s a big one. The right to privacy in correspondence became tighter and with more caveats attached as new tech in the 20th century brought in new ways of communication.

In 1980, Baby-EU and the Organization for Economic Cooperation and Development (OECD) drafted a new framework (inventively called Treaty 108) to regulate automatic processing of personal data. Basically, 108 gave us all the aspects of data privacy we’ve come to know and love (or love-hate) like:

  • Obtaining and processing data fairly and lawfully
  • Collecting data in an adequate, relevant manner
  • Maintaining adequate security of data
  • Deleting personal data
  • Keeping data only as long as it benefits parties involved

And in 1995, we got the last major update to EU data privacy, and it was a big one: The European Data Protection Directive (DPD for short). This bad boy gave substance to all the promises of Treaty 108 and then some. It basically acted (and still acts) as a template for compliance around the bare minimums companies and governments can do for data privacy in the internet age. We got new standards and protections that mean our sensitive data isn’t hanging out on someone’s desk in an unlocked office. It also means we need consent to process and control data and have to scrutinise all of our business partners, especially partners who are based outside the European Union, for possible data security breaches. And that’s how we got…

The EU-US Privacy Shield

Everything you know and love that enables us to do business across the pond.

In 2016, the Privacy Shield replaced Safe Harbor with a certification process friendly to small and medium businesses and a “blanket” applicability to data transfers between certified US entities and their customers in the EU. But the Privacy Shield added some new commitments over Safe Harbor to data subject rights, protection during onward transfer to sub-processors, and cooperation between the EU and US on alleged infringements and government surveillance.



This is the one you’re all here for.

It’s been 20 years since the DPD; a lot’s changed about how we do business and the transactions we perform digitally. The GDPR is here to help (at least that’s what it keeps telling us). But because we’ve all been hanging out for 20 years, it means that the GDPR is a whopper to get up to snuff with.

The GDPR means some new rights for all of us, including:

The right to be forgotten

Anyone can delete their data

The right to object

Anyone can say no to things like profiling

The right to rectification

Anyone can change or complete their data

The right of access

Anyone can know what data is being processed and how

And the right to data portability

Anyone can transmit their data from one organisation to another (source: regulation pdf)

And companies have some new standards to live up to:

  • disclosures when obtaining consent
  • consent must be “freely given, specific, informed, and unambiguous”
  • clear legal language in those consent declarations that is easily understandable

And some companies have a new job to fill:

  • Data Privacy Officer (DPO), who hangs out and reviews compliance with the GDPR

So, what’s The Chat Shop doing about GDPR?

GDPR badge

TL;DR: We’re on it.

The Chat Shop’s Approach to Security

Given the intricacies of EU data privacy laws, we know you have questions about security and processing. Using this understanding of The Chat Shop’s different technologies, customers can work with their own attorneys and solicitors to ensure compliance with the laws that apply to them.

Managed chat & Data retention

We’re a data processor of personal information collected on behalf of our clients. The data we collect is all yours to control, so you can follow-up on those nice leads you get!

We keep a copy of the data we send you for a limited time, though. Our Data Retention Policy is a big one, and part of our sustained GDPR compliance agenda to make your data work harder for you.

For our clients and partners who control data, we process and store it with specific timeframes in mind. In our new GDPR-friendly policies, all of your customer data we capture will be retained for 15 months from the time of its acquisition and will be For Your Eyes Only. We’re very 007 like that.

Data hosting & Our partners

We store your chat transcript and escalation data on Amazon Web Services servers located in the UK, Ireland, Germany, and the US. Amazon Web Services maintains ISO 27001, SOC 2 Type II, and several other certifications to demonstrate the rigor of their hosting and infrastructure management programme. You could say they have a License to Kill (not really). Information about AWS certifications is available on the AWS Security Compliance site.

LiveChat, Inc:

LiveChat store their data in secure data centres in both Frankfurt, Germany and Texas, USA, with transmission under protection from the Privacy Shield. We’re able to offer EU hosting for new dedicated teams and are working with LiveChat to migrate all data to the EU.

HubSpot CRM:

We use our HubSpot CRM to help us keep our relationships with you strong. Like any good CRM, it’s used sparingly and updated with only the most relevant information on contracts and communications. None of your customers’ data is ever stored here; this one’s just for The Chat Shop and clients. Currently, the primary HubSpot infrastructure is hosted with Amazon Web Services in the US-East-1 region.

Amending data, Security programme & Other privacy requests

Everyone who provides his or her contact information to The Chat Shop has the right to request that they not be contacted or that their information be corrected. Our privacy team can be reached at and is dedicated to ensuring that The Chat Shop continues to be a positive influence for our clients. Information about The Chat Shop’s current approach to privacy is also available in our Privacy Policy.

LI Creatives

Looking Ahead

We hope this has provided you a Quantum of Solace regarding the GDPR. Look out for more James Bond-tinged communications from us in the future! If you have any urgent questions, or just want to tell us who your favourite James Bond is, get in touch with your account manager directly or email our privacy team at

We’re always happy to chat.

Find out more about our secure live chat outsourcing

Subscribe to Expert Insights

The best source of information for customer service, sales tips, guides, and industry best practices. Join us.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

By clicking the ‘Subscribe’ button you confirm that you have read and understood our Privacy Policy

Get the content now

The best source of information for customer service, sales tips, guides, and industry best practices. Join us.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

By clicking the Get the content now button you confirm that you have read and understood our Privacy Policy

In case you hadn't noticed chat is very much our thing.

So why not put us through our conversational paces and get in touch?