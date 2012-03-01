The complete solution to comply with the GDPR
The requirements according to the GDPR
Privacy and Cookie Policy (Requirement)
Websites are required to provide a privacy policy and a cookie policy. Apps generally don't use cookies, but they still require a privacy policy.
Policies are invalid if they're missing the right information
In order to be compliant, your policy must describe the personal data collected and the purposes of the collection, list all the third parties the data is shared with, and inform users of their rights in relation to their data.
Cookie notice and prior blocking (Requirement)
Websites need to comply with the EU Cookie Law (from the ePrivacy Directive), which remains in force alongside the GDPR. In particular, they must:
Display a cookie banner
Acquire consent before installing profiling cookies (e.g. those set by Google Analytics, AdSense, etc.)
Set profiling cookies only after consent has been given (prior blocking), not set them first and remove them on refusal
Proof of consent (Requirement)
In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that it was collected, and be able to retrieve:
When consent was provided
By whom
Which preferences were expressed
Which legal or privacy notice they were presented with at the time
Which form they were presented with at the time
Record of processing activities (Requirement)
In order to comply with privacy laws, especially the GDPR, companies need to keep a record of how they store and use the data they collect from users. In particular, they must document in writing:
The data retention period for each processing activity
The technical and organisational security measures in place
The legal basis for each processing activity
Any data transfers outside of the EU
The parties the data is shared with, both inside and outside of your organization
FAQ
Who does the GDPR apply to?
Generally speaking, the GDPR applies in three cases:
- where your base of operations is in the EU (regardless of whether the processing itself takes place in the EU);
- where, even though you're not established in the EU, you offer goods or services (even free ones) to people in the EU;
- or where you're not established in the EU but monitor (track or process) the behaviour of people who are in the EU.
Are there consequences for non-compliance?
The legal consequences for non-compliance can include fines of up to EUR 20 million (€20m) or 4% of annual worldwide turnover (whichever is greater), but perhaps equally concerning are the other sanctions that may be imposed on organizations found to be in violation. These include official reprimands (for first-time violations), periodic data protection audits (which can result in being barred from using the data associated with the violation, including entire email lists) and liability for damages.
