
Request or delete records for EU General Data Protection Regulation (GDPR)

 
relevant products:
  • All

THIS ARTICLE WILL HELP YOU:
  • Submit GDPR Subject Access Requests

Please keep in mind that:

  • Data cannot be recovered once it has been deleted. You should read this article carefully to understand the implications for your account.

  • Data exports we provide you may contain information that your company may consider confidential, such as the change history for a particular project. It is your responsibility to review this information before providing it to the individual.

  • This process covers information that Optimizely processes on behalf of its customers as part of its online SaaS services. If you would like to file a request related to personal data Optimizely controls, you should email legal@optimizely.com.  Please review our Privacy Policy for further information about this type of data and your options.

This article describes how Optimizely can help you respond to an EU data subject’s request for access, rectification, erasure, and portability of their personal data. It applies to the personal data that Optimizely is processing on your behalf as a data processor. Please read this article carefully to understand how we can help you with these requests and the implications for your organization.

Overview

When acting as your service provider, Optimizely processes some data on your behalf relating to two types of data subjects:

  • User data - End users (also known as Collaborators) that are added to the accounts of our customers. A user can be a collaborator on multiple accounts.

  • Visitor data - Visitors who visit or use our customers’ websites, apps and other digital products. Optimizely stores visitor data to calculate experiment results and to tailor content.


This article describes how Optimizely can help our customers respond to an EU data subject’s requests for the data Optimizely is processing on their behalf. To learn more about the data Optimizely is processing, please review our Privacy@Optimizely FAQ. To learn more about the GDPR and your role as a data controller, or for more detail about meeting your obligations for other Optimizely products, see Preparing for the GDPR.

Meeting the access and erasure obligation

Each EU citizen has a right of access. Upon request, you (as the data controller) have an obligation, with certain exceptions, to inform the individual (often referred to as a data subject under GDPR) where their personal data is being held and for what purposes.

In addition, each EU citizen has a right to erasure (sometimes known as the right to be forgotten). Upon request, you have an obligation, with certain exceptions, to erase the personal data of a data subject.

To make the process easy for customers, Optimizely offers two options for starting the erasure or access process for data it is processing on customers’ behalf:

  • A UI that is easy to use for a small number of requests.

  • A REST API to automatically submit access or erasure requests to Optimizely.

Optimizely only allows requests from users who have an Administrator collaborator role on the account.

Submitting a GDPR Subject Access Request through the Optimizely UI

  1. Log into Optimizely.

  2. Go to Account Settings > Subject Access Requests.

  3. Click Create New Request.

  4. Fill in the following information:

  • Request type: The type of request.

    • Delete - Removes all data within an account that is associated with the identifier defined in the identifier field.

    • Access - Finds all data stored in Optimizely systems associated with the identifier defined in the identifier field and exports it to an AWS S3 bucket for you to access.

  • Data type:  The type of data to be accessed or deleted. The two options are:

    • User data - End users (also known as Collaborators) that are added to the accounts of our customers. A user can be a collaborator on multiple accounts.
    • Visitor data - Visitors who visit or use our customers’ websites, apps and other digital products. Optimizely stores visitor data to calculate experiment results and to tailor content.

  • Identifier type: User data is identified by the email address used to create the end user account. The form does not display the Identifier type field (see below) if you selected User for Data type.

    If you selected Visitor for Data type, the form will display these 5 options for personal identifier types:

    • DCP ID - Any ID used to identify targeting records in Optimizely.

    • Email Address - The email address of a visitor.

    • Full Stack ID - The unique identifier used for Full Stack experiments.

    • optimizely_end_user_id - An Optimizely generated user cookie.

    • Other - Any other identifier that was uploaded to Optimizely.

  • Identifier: The identifier value that you would like us to use when searching. If “User” was selected in the previous step, the identifier will be the email address for the user.

    Important Note for Users of DCP and List Attributes: Please submit the primary keys used to identify records in DCP datasources and List Attributes. We require these keys in order to identify relevant records in these datasources; they cannot be searched using other identifiers. You may submit these keys using either DCP ID or Other Data Type. Please note that under our current terms, email addresses and similar personally identifiable information should not be uploaded into DCP. Please see PII: Personally identifiable information in Optimizely for more information.

  5. Click the Submit Request button to submit the form.

This is an example of how to use the UI to submit a request:

[Screenshot: submitting a request in the Optimizely UI]

Currently, there is no way to monitor the progress of the request in the UI. We plan to launch the UI for monitoring requests on 15 June 2018. If you need to access requests before that date, contact Optimizely via the support form.

Automating GDPR requests with the Optimizely REST API

Optimizely customers can automate the requests using the REST API. The API endpoints for GDPR are documented in our developer documentation.

The same considerations apply when using the API:

  • Data cannot be retrieved once it is deleted.

  • Data exports we provide you may contain information that your company may consider confidential, such as the change history for a particular project.

  • Users of DCP must provide the DCP ID to allow us to identify the applicable record. We cannot search these records with other identifier types.

The endpoints that Optimizely offers are:

List all the existing Subject Access Requests

GET https://api.optimizely.com/v2/subject-access-requests

Get an existing Subject Access Request

GET https://api.optimizely.com/v2/subjec...s/{request_id}

Create a new Subject Access Request

POST https://api.optimizely.com/v2/subject-access-requests

Retrieving the data from a completed access request

Where we receive a data access request, we search the records for the identifiers you provide and place matching records in an Amazon S3 bucket. When an access request is completed, Optimizely will create an Amazon S3 data export bucket and upload all the data to a folder within that bucket. The location of the bucket is in the export_location field returned by the /v2/subject-access-requests/{request_id} REST API and displayed in the UI once an access request is completed. The List all the existing Subject Access Requests and Get an existing Subject Access Request

Each Optimizely account has its own bucket. The URL is formatted like this:

s3://optimizely-export-ng/{account_id}/

To get access to your Optimizely export bucket, follow the steps in the Access Optimizely raw data knowledge base article.
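
A check an automation script can apply to the export_location value before reading anything from S3, written for this article as an added example (it is not Optimizely code). It relies only on the bucket URL format shown above; the account ID 12345 and the folder names in the sample values are constructed.

```python
from urllib.parse import urlsplit

EXPORT_BUCKET = "optimizely-export-ng"  # bucket name from the URL format above


def parse_export_location(export_location, account_id):
    """Return (bucket, key_prefix) when export_location lies inside this
    account's folder of the export bucket; raise ValueError otherwise."""
    parts = urlsplit(export_location)
    if parts.scheme != "s3":
        raise ValueError("not an s3:// URL: %r" % export_location)
    if parts.netloc != EXPORT_BUCKET:
        raise ValueError("unexpected bucket: %r" % parts.netloc)
    if parts.query or parts.fragment:
        raise ValueError("unexpected query or fragment")
    segments = [s for s in parts.path.split("/") if s]
    # Compare the whole first segment, so account 123456 never passes for 12345.
    if not segments or segments[0] != str(account_id):
        raise ValueError("location is outside account %s" % account_id)
    if any(s in (".", "..") for s in segments):
        raise ValueError("relative path segment in location")
    return parts.netloc, "/".join(segments) + "/"


def triage(locations, account_id):
    """Split export_location values into accepted prefixes and rejections."""
    accepted, rejected = [], []
    for loc in locations:
        try:
            accepted.append(parse_export_location(loc, account_id))
        except ValueError as err:
            rejected.append((loc, str(err)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample values; only the bucket name comes from the article.
    samples = [
        "s3://optimizely-export-ng/12345/sar-example/",
        "s3://optimizely-export-ng/123456/sar-example/",
        "s3://some-other-bucket/12345/sar-example/",
        "s3://optimizely-export-ng/12345/../99999/",
    ]
    ok, bad = triage(samples, 12345)
    print("accepted:", ok)
    for loc, reason in bad:
        print("rejected:", loc, "->", reason)
```

Only the returned bucket and key prefix should be passed on to whatever S3 client lists or downloads the export.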

Confirmation of data deletion

Where we receive a data deletion request, we search the records for the identifiers you provide and overwrite any matching data. When the request is completed, you can get the status of your request in the UI or with the REST API.

Rectification Requests

Optimizely users may correct their own data by signing into app.optimizely.com and editing the data in User Settings.

Rectification is not applicable to visitor data because that data consists of records of events from users’ interactions with websites and apps, such as clicking on a button.

Disclaimer

This document is for informational purposes only and does not constitute legal advice. Readers should always seek legal advice before taking any action with respect to the matters discussed herein.