So, you have a website, or maybe you want to have one for yourself or for your company.
Of course, you want to make sure you are sticking to the law and protecting the privacy of your visitors – you want to make sure your website is GDPR compliant. But you don’t want to read a book (or, god forbid – the Law!) on the matter. We’ve got your back. This is what you need to know.
To use analytics software such as Google Analytics, you usually need to place cookies. In the pre-GDPR era, businesses whose websites were aimed at EU visitors were only required to give notice that the website used cookies. Since the enforcement of GDPR, this has changed.
So, what is needed to make sure your website is privacy compliant? It needs to:
• Inform visitors about what tracking technologies are used through the website, what data it collects, and for which purposes. You should inform visitors about their rights.
• Only load strictly necessary cookies until the visitor has given consent.
• ‘Strictly necessary’ means essential to provide a service explicitly requested by the visitor; it does not mean essential for your own purposes, such as analytics.
• Let visitors reject all but strictly necessary cookies and still use the website.
• Enable visitors to withdraw their consent at any moment.
• Keep a log of all consents given.
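The five rules above translate directly into a small piece of consent-gating logic. The following is an added example, not code from the original article or from any vendor it names; the category names, cookie names, `policyVersion` field and log shape are assumptions, and on a real site each `load` function would inject the corresponding third-party script.

```javascript
// Added example (not the article's code): a minimal consent manager enforcing
// the rules above. Category and cookie names below are assumptions.
const STRICTLY_NECESSARY = "strictly_necessary";
class ConsentManager {
  // categories: { name: { load: fn, cookies: [cookie names it sets] } }
  constructor(categories, clock = () => new Date().toISOString()) {
    this.categories = categories;
    this.clock = clock;
    this.consented = new Set([STRICTLY_NECESSARY]); // needs no opt-in
    this.loaded = new Set();
    this.log = []; // append-only record of every consent decision
  }
  // Page load: run only strictly necessary code; everything else waits.
  init() { this._load(STRICTLY_NECESSARY); }
  // Positive opt-in for the listed categories; silence is never consent.
  grant(names, policyVersion) {
    for (const n of names) {
      if (!this.categories[n]) throw new Error(`unknown category: ${n}`);
      this.consented.add(n);
      this._load(n);
    }
    this._record("grant", names, policyVersion);
  }
  // Reject everything optional; the site keeps working on necessary cookies.
  rejectAll(policyVersion) {
    const optional = Object.keys(this.categories).filter((n) => n !== STRICTLY_NECESSARY);
    this._record("reject", optional, policyVersion);
  }
  // Withdrawal at any moment: block further loading and return the cookies the
  // caller must expire, because code that already ran cannot be un-run.
  withdraw(names, policyVersion) {
    const optional = names.filter((n) => n !== STRICTLY_NECESSARY);
    const toExpire = [];
    for (const n of optional) {
      this.consented.delete(n);
      this.loaded.delete(n);
      toExpire.push(...(this.categories[n]?.cookies ?? []));
    }
    this._record("withdraw", optional, policyVersion);
    return toExpire;
  }
  isAllowed(name) { return this.consented.has(name); }
  _load(name) {
    if (this.loaded.has(name) || !this.consented.has(name)) return;
    this.categories[name].load();
    this.loaded.add(name);
  }
  _record(action, categories, policyVersion) {
    this.log.push({ at: this.clock(), action, categories: [...categories], policyVersion });
  }
}
```

The log records which policy version the visitor saw, since a consent given under an older notice does not cover purposes added later.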
You might need consent at other places on your website, such as when asking for contact information, sending newsletters or taking a purchase. Again, only a positive opt-in counts.
Here, you need to provide:
• Name and contact details of your organisation (and representative/DPO).
• The purposes of the processing.
• Lawful basis for the processing.
• The legitimate interests for the processing (if applicable).
• Categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
• The recipients or categories of recipients of the personal data.
• Details of transfers of the personal data to any third countries (if applicable).
• Retention periods for the personal data (when are you going to delete it?).
• Rights available to individuals in respect of the processing (access, deletion, etc.).
• The right to withdraw consent (for instance, for cookies).
• Right to lodge a complaint with a supervisory authority.
• Source of the personal data (if personal data is not obtained from the individual).
• Details of the existence of automated decision-making, including profiling (if applicable).
Hosting, Analytics, CMS, CRM, Payments
First, you need to store and run the files that constitute your website somewhere, don’t you?
You might also need analytics software so your business can collect information for optimizing your website. A Content Management System (CMS) is an application with which you can manage and publish web content without having to ask a developer, while a Customer Relationship Management (CRM) system helps you manage customer data. Payment software helps you manage… payments. What do these have in common? They are operated by someone else, possibly somewhere else (outside the EEA).
So please be mindful of:
• Would the supplier get access to personal data?
• If so, how will they use this personal data?
• What types of personal data do they have access to?
• Which personal data would they get access to if integrated with other, currently used tools?
• In which country are they from? And where do they store said personal data?
• Will other third parties (such as subcontractors: “subprocessors”) get access to this data?
• If so, where are the third parties from? Where do they store the data?
• Is any data handled, stored, or accessed outside the EEA? If so, do the terms and conditions include the EC Standard Contractual Clauses and other measures, or can the data be sent freely based on an Adequacy Decision?
PrivacyPerfect is one of the first high-end privacy compliance software providers on the market.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.