Iubenda logo

Documentation

Table of Contents

GDPR treatment of services that do not collect personal data

Some software, services, and widgets do not collect personal data. Should these services still be included in your privacy policy? What about the cookie policy? In this post, we answer these questions and take a look at how the GDPR and ePrivacy relate to services that do not process personal data.

Some popular services of various kinds (such as for analytics or heat mapping purposes) make the claim that their services do not collect personal data. This means that whenever users navigate a website or use an app that such services are integrated into, their personal data is not collected and processed by that service.

When these claims are usually made in two distinct cases:

  • Where these services actually do not collect any personal data at all.
  • Where the personal data is anonymized before it’s collected in such a way that it doesn’t allow the user to be identified. This anonymization can be done in various ways, for example, by hashing.

Hashing is a procedure by which given data (such as an e-mail address or an IP address) is processed automatically via an algorithm into a unique sequence of values (numbers and letters). These cryptographic hash functions cannot be reversed: once the hashed output is generated, there is virtually no way to invert the function in order to re-generate the source information. If you’d to know more technical details about this, you can read Opinion 05/2014 on Anonymisation Techniques released by the former Article 29 Data Protection Working Party.

Let’s take a look at how these cases are treated by the GDPR and ePrivacy below.

Must I mention services that do not collect personal data in my privacy policy?

There is no need to mention these services in your privacy policy. Articles 13 & 14 of the GDPR (which establish what information controllers must provide to data subjects within their privacy policy) only apply when personal data is collected. Therefore, services that do not collect personal data must not be mentioned.

Furthermore, considering the general principle of transparency (via Articles 5 & 12 of the GDPR), services that do not collect personal data should not be mentioned – as this could mislead users into thinking that those services do collect and process personal data.

With consideration to the above, we’ve adopted a policy of not adding such services to the generator. To clarify, these services can still be added as a custom service if you’d like, but we do not offer them as standard (pre-built) integration.

Which services fall within this category?

Currently, we’ve determined that the following services fall under this policy:

Must I mention services that do not collect personal data in my cookie policy?

The above reasoning does not equally apply to cookie policies. In this case, EU law requires website or app providers to disclose any cookies or similar tracking technologies, regardless of whether they collect and process personal data or not. This approach has been confirmed most recently by the European Court of Justice in its Planet49 decision.

Therefore, technologies that must be mentioned inside the cookie policy are not just cookies but also similar technologies* that allow for the accessing or storing of information on the user’s device, including – but not limited to -tracking pixels, installed fonts etc.

Therefore, when using iubenda to generate a cookie policy you will have the option to include such services regardless of whether or not they process personal data.


*Not sure what cookie “similar technologies” are? Read what the UK’s Data Protection Authority has to say about them here.

Everything you need to know about
compliance in one course!

In our free Intro to Online Compliance email course you’ll learn:

  • Online Compliance basics
  • Which laws apply to you
  • How to comply

This easy-to-understand course is suitable
for all knowledge levels.

Sign up for the 5-part series below.

No strings attached. Unsubscribe anytime.