iProxy provides its clients with a unique infrastructure that enables the creation of their own mobile proxy servers. We strive for maximum convenience and security online for a broad range of users, emphasizing the importance of clients being able to share their proxy accesses.
However, distributing proxy accesses to third parties entails the need to process their personal data. In this article, we will examine the key aspects that every seller should consider when dealing with personal data.
I Don't Collect Any Data, I Don't Even Have a Website – Why Do I Need This Information?
If you are simply providing proxy access to other people and not collecting any information about them, then the requirements of personal data legislation will not apply to you.
However, we strongly recommend not doing this, as it poses significant risks for you. For instance, if someone uses your phone's IP address to commit fraudulent actions, you could face serious problems with law enforcement authorities.
To minimize your risks, we recommend you keep users' contact details, such as email addresses and phone numbers, as well as logs (read here about why we keep logs).
Next, we will explain how to do this correctly.
Each country has its own legislation concerning personal data, and approaches to regulation can differ significantly from one another. For example, in Europe, unlike in the USA and Russia, where security services have relatively broad access to data, the confidentiality of an individual's personal data is of paramount importance.
It is impossible to cover all approaches, so we will focus on the General Data Protection Regulation (GDPR) of the EU, as it is one of the strictest and covers many users.
GDPR is a document that regulates and standardizes the rules for the protection of personal data, applicable in the European Union (EU). You fall under its jurisdiction if you provide services to EU residents, even if you are located in another country.
The GDPR does not provide a specific list of information that constitutes personal data. Essentially, it is any information that can be used to identify a Data Subject.
Among such data, GDPR identifies special categories of personal data, the processing of which requires additional protection measures. These include information like political and religious beliefs; health status; racial or ethnic origin; genetic and biometric data.
Processing encompasses various actions with personal data – collection, recording, organization, storage, adaptation, alteration, retrieval, use, disclosure, dissemination, erasure, and so forth. Essentially, if you have simply become aware of someone's personal data, its processing has already begun.
Who is Involved in the Processing of Personal Data?
Cases Where You May Process Personal Data:
In all other cases, you cannot process user data.
If you store only contact details and user logs, as we recommend, the basis for processing personal data will be your legitimate interest, which is expressed in protecting against the risk of fraudulent activities by clients.
GDPR mandates that only the minimum necessary information should be stored, so if you need to save any additional information, you must identify a suitable basis for this. However, please note that if you are relying on user consent for the collection and processing of personal data, it must be explicit. A pre-checked box in the field "I agree to the collection and processing of personal data" is considered a violation.
If you do not have a website where this information can be posted, we recommend you do the following:
Create a template message in a messenger app that you can send to users. Briefly outline in it the main information about tariffs and refund terms and conditions.
Include in this message:
You must provide these two documents to your clients before starting work with them, and you also need to obtain explicit consent that they are informed and agree with all these documents.
Every Data Controller is required to maintain a Record of Processing Activities (RoPA). This is usually a table in Excel format. In the RoPA, it is necessary to record, in particular, the purposes of processing, a description of the categories of personal data subjects, a description of the categories of persons to whom personal data is transferred, etc.
This document will be useful for you to clearly understand what and how you are processing, as well as in case your client requests information about how you store the data.
A Data Protection Agreement (DPA) is a legally binding document entered into between the data controller and the data processor in the context of the processing of personal data. It outlines the scope, nature, and purpose of processing, the rights and obligations of both parties, and compliance measures with applicable data protection laws, most notably the General Data Protection Regulation (GDPR) for entities operating within or dealing with data from the European Union.
If you are distributing proxies created using our infrastructure, please email us at firstname.lastname@example.org, and we, as a data processor, will send you an agreement to sign.
You can store the contact details of your users in any form, for example, in a table. The main requirement is that no one except you should have access to this information.
As data processor, we store anonymized logs of your users on our servers, which are securely protected against leaks.
Under GDPR, it is required to implement technical and organizational measures to prevent information leaks. If a leak is detected, data subjects must be notified without delay.
Personal data can be disclosed only in the following cases:
Please note that selling personal data is permissible only with the direct consent of the client.
For breaching GDPR regulations, companies face a multi-tiered fine system depending on the severity of the violation:
For example, on the first day of the regulation's enforcement, Google and Facebook faced lawsuits totaling $8.8 billion.
Of course, if the scale of your business is smaller than that of Google, the chances of regulatory authorities noticing you are not as high. However, it is never possible to completely rule out the risk of having a client who, for some reason, might complain about you to the authorities, compelling them to investigate your resources.
Proper handling of your clients' personal data is not just a legal requirement, but also a key element for your own safety.
At iProxy, we take this aspect seriously and provide you with all the tools and knowledge you need for effective and secure operations. We strictly adhere to rigorous standards in processing and protecting personal data to ensure that both you and your clients remain safe.