Since coming into force in May 2018, Bloomreach Engagement has been developing its features with privacy in mind, including compliance to GDPR.

Our Bloomreach Engagement application supports our customers in finding the best ways to be compliant with the GDPR. We have created this section of our Docs to ensure you are informed about our features and how to use them to their best potential.

Our independent Data Protection Officer (DPO) also makes sure that Bloomreach Engagement stays compliant. The DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, GDPR awareness training, and audits.

This series of GDPR guides will explain to you the following:

What is GDPR

GDPR (General Data Protection Regulation) has replaced all existing data protection laws across Europe and now shapes the way in which companies handle, protect, and profit from data.
All businesses and not-for-profit organizations that process personal data concerning employees, customers, or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based and even if the data is processed outside the EU.

Controller vs Processor

In the context of Data Protection laws, you are the controller of your data while Bloomreach Engagement is the Processor. As the Controller, you decide on the purposes and means of all data processing. As the Processor, Bloomreach Engagement acts on the controller’s instruction - you. This distinction is crucial because Controllers and Processors have different responsibilities with regard to compliance.

As a Controller, you bear the responsibility to ensure and demonstrate compliance with GDPR as you are in full control of which data you collect and how you use them. Through the document, there will be multiple references to your particular responsibilities as a controller.


Law 25

Law 25, effective September 22nd, 2023, in Quebec, Canada, is an important consent and compliance regulation. Since this law shares similarities with GDPR, compliance with GDPR can indicate compliance with Law 25.

Transparency: Bloomreach prioritizes transparent data processing, adhering to Law 25's openness and honesty standards.

Legitimate Business Purposes: Bloomreach lawfully processes personal data for specified purposes, in line with Law 25.

Individual Choice and Control: Bloomreach secures individual consent and provides controls regarding processing personal information, aligning with Law 25's focus on individual consent and control over personal data.

Data Minimization: Bloomreach gathers only necessary and relevant personal information, reflecting Law 25's data minimization principle.

Accountability: Bloomreach is accountable for processing personal data, maintaining records and compliance, consistent with Law 25.

Retention/Deletion: Bloomreach ensures timely data deletion, conforming to Law 25's retention and deletion provisions.

Security and Breach Notification: Bloomreach employs security measures and breach notifications as required by Law 25.

International Transfers: Bloomreach takes appropriate steps to protect personal information during international transfers, in line with Law 25.

Privacy by Design: Bloomreach integrates privacy measures, including Privacy Impact Assessments, aligning with Law 25's privacy by design emphasis.

Legal Disclaimer

The information above outlines Bloomreach Engagement's alignment with Quebec's Law 25, based on available documentation and our understanding of the legal landscape.
As regulations can be complex, consult legal experts in privacy law for tailored advice to ensure compliance and address unique organizational considerations.