As the world becomes more dependent on digital products and services, data privacy has increasingly become a top priority for many countries and regions. As a result, many regions have put in place robust and enforceable data regulations with which businesses are expected to comply.
In most cases, non-compliance with these regulations can not only lead to major financial consequences, but it can also lead to significant and lasting damage to public trust and the reputation of your organization. It is, therefore, important to ensure that your business meets its legal obligations.
General Legal Requirements
This privacy information must be up-to-date, understandable, unambiguous, and easily accessible throughout the website or app. Some component requirements may vary based on the type of processing activity, region, user age or business type. It is, therefore, worth noting that in addition to the general points outlined here, you may have further responsibilities depending on your law of reference. You can read more situation-specific information in the sections below.
In general, users need to be informed of:
Website/app owner details
Your notification process for policy changes
What data is being collected
Third-party access to their data (who the third-parties are and what data they’re collecting)
Their rights in regards to their data.
You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.
One such law is the US’s upcoming California Consumer Privacy Act (CCPA). Under the CCPA, users will need to be informed, in particular, of the possibility of their data being sold (you can think of “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure will need to be visible from the homepage of the site and must include an opt-out (DNSMPI) link. You can read more about the CCPA and when it applies here.
Consent here refers to the informed voluntary agreement of an individual to engage in a particular event or process.
Broadly speaking, users need to be able to decline, withdraw or give (depending on the regional law) consent. Consent may be acquired using any method that would require the user to take a direct and verifiable affirmative action; these can include checkboxes, text fields, toggle buttons, sending an email in confirmation etc.
Determining your law of reference
Generally, the laws of a particular region apply if:
You base your operations there; or
You use processing services or servers based in the region; or
Your service targets users from that region
This effectively means that regional regulations may apply to you and/or your business whether you’re located in the region or not. For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind. You can read more about which laws apply to you here.
In the US, there is no single comprehensive national body of data regulations; there are, however, various laws on a state level as well as industry guidelines and specific federal laws in place. Since online site/app activity is rarely limited to just one state, it’s always best to adhere to the strictest applicable regulations. With this in mind, the most robust data law framework is implemented by the state of California. The California Online Privacy Protection Act (CalOPPA), implemented in 2004, was the first state law to make privacy policies mandatory, and it applies to any person or company whose website/app processes the personal data of California residents.
Notify affected users in the event of security breaches that impact their data
In regards to consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.
Special Care Regarding Children
If your service is knowingly collecting, using, or disclosing personal information from children under 13, then special regulations apply to those data processing activities.
Children’s Online Privacy Protection Act (COPPA) is a US federal law implemented to better protect the personal data and rights of children under 13 years of age. Under this law, if you operate a website or online service which is directed to children under 13, or you have actual knowledge that you’re collecting personal information from children under 13, you must give notice to parents and get their verifiable consent before collecting, using, or disclosing the information, and must keep the information collected secure. “Verifiable” here means using a method of obtaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. checking a form of government-issued ID against an applicable database).
What is meant by the “personal information” of children
“Personal information” within this context refers to the child’s:
Name or ID information (e.g. social security number)
Location info including physical address, geolocation data or IP address
Any contact information including phone numbers and email addresses
Media containing the child’s image or voice, including photos, videos or audio files
In the EU, the General Data Protection Regulation (GDPR) was introduced in an effort to centralize data protection for people in the EU and became fully enforceable in May 2018. At its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general).
Where it applies
The GDPR can apply where:
An entity’s base of operations is in the EU (this applies whether the processing takes place in the EU or not);
An entity not established in the EU offers goods or services (even if the offer is for free) to people in the EU. The entity can be government agencies, private/public companies, individuals and non-profits;
An entity is not established in the EU but it monitors the behaviour of people who are in the EU, provided that such behaviour takes place in the EU.
This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not.
Note: The protections of the GDPR also extend to users outside the EU if the data controller is EU based. Therefore, if you are an EU-based data controller you must, by default, apply GDPR standards to ALL your users.
Where it does not apply
The conditions of applicability of the GDPR are set from a material and a territorial point of view. To determine whether or not a specific processing activity is exempt from its applicability, we have to consider both aspects.
Material point of view
The GDPR applies to the processing of personal data. Therefore, it does not apply to company data, such as a company name and address. Be careful here, however: “natural persons” normally work in a company, so any data referring to them would be deemed “personal”, regardless of whether it is processed in a Business to Customer (B2C) or Business to Business (B2B) context.
Furthermore, personal data may not fall under the scope of the GDPR in several other scenarios including where they are processed by a natural person for a purely personal or household activity. You can read more about this in the dedicated guide here.
Territorial point of view
In addition to and notwithstanding the above, we’ve already mentioned under which conditions the GDPR applies. Consequently, for a processing activity not to be subjected to the GDPR from a territorial point of view, the following must apply cumulatively:
the controller (or processor) is not based within the EU. Note: Always remember that the controller (or processor) could also be an EU-branch office of a non-EU corporation: in that case, even if the branch office were to have no legal personality, the GDPR would fully apply;
the processing does not relate to the offering of goods or services (even for free) to data subjects in the Union or the monitoring of their behavior as far as it takes place within the Union;
the controller is not based in an extra-EU place, where EU law applies due to international public law.
Have a lawful basis. The GDPR requires that you have at least one lawful basis for processing user data. There are 6 lawful bases outlined under the GDPR.
Acquire verifiable consent. Under the GDPR, consent is one of several legal/lawful bases for processing user data and as such, it must be “freely given, specific, informed and explicit”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).
The GDPR also gives users a specific right to withdraw consent and, therefore, it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you document and keep clear records related to the consent.
Records of consent should at least contain the following information:
The identity of the user giving consent;
When they consented;
What disclosures were made (what they were told) at the time they consented;
Methods used for obtaining consent (e.g., newsletter form, during checkout etc.);
Whether they have withdrawn consent or not
Consent is not the ONLY reason that an organization can process user data; it is only one of the “legal bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. With that said, there will always be data processing activities where consent is the only or best option.
Data Subjects’ rights. Under the GDPR users have statutory rights in regards to their data. Not only must you as the controller honor those rights, but you must also inform users about them. Such rights include:
The right to be informed. In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy-to-understand and easily accessible throughout your website/app.
The right of access. Users have the right to access their personal data and information about how their personal data is being processed.
The right to rectification. Users have the right to have their personal data rectified if it is inaccurate or incomplete.
The right to object. Under the GDPR, users have the right to object to certain activities in relation to their personal data.
The right to data portability. Under certain conditions, users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.
The right to erasure. When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
The right to restrict processing. Users have the right to restrict the processing of their personal data in specific cases.
Rights related to automated decision making and profiling. Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.
Meet specific requirements if transferring data outside of the EEA. The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions.
Implement privacy by design and default. Under the GDPR, data protection should be included from the onset of design and development of the business processes and infrastructure.
Disclose security breaches. Under the GDPR, you are required to inform the supervisory authority of security breaches involving user data within 72 hours of becoming aware of it. In many cases you’re also required to inform affected users.
Appoint a DPO (where certain conditions are met). Under certain conditions, you may be required to appoint a Data Protection Officer, who will have the task to oversee all processing activities and monitor compliance with applicable law. Cases for mandatory appointment include situations where large-scale, systematic processing of user data occurs and where special categories of data (i.e. sensitive data) are being processed.
Maintain records of processing activities. As stipulated in Article 30, the GDPR requires that you keep and maintain “full and extensive” up-to-date records of the particular data processing activities. Full and extensive records of processing are expressly required in cases where your data processing activities are not occasional, where they could result in a risk to the rights and freedoms of others, where they involve the handling of “special categories of data” or where your organization has more than 250 employees — this effectively covers almost all data controllers and processors. However, even if your processing activities somehow fall outside of these situations, your information duties to users make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone. Read more about how to maintain compliant records for controllers and processors in our GDPR guide.
Carry out a DPIA (where certain conditions are met). In cases where the data processing activity is likely to result in a high risk to users, the GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out.
Because using cookies means both processing user data and installing files that could be used for tracking, it is a major point of concern when it comes to user data privacy rights. The ePrivacy Directive (or Cookie Law) was implemented to address this concern.
Cookie consent vs. “regular” consent
As mentioned above, “consent” is one of the six legal bases admitted by the GDPR and must be expressed and documented in very specific ways in order to be deemed valid.
If the answer were “yes”, this would mean that you’d have to comply with all the extensive requirements for consent validity even when placing cookies; however, at the moment, most commentators agree that this would be both unfeasible and not what is intended by the EU legislator. Therefore, the simplified consent requirements under the ePrivacy Directive are still thought to be primarily applicable to the placing of cookies, due largely to the provision of GDPR Article 95. However, please be aware that this is a hotly debated issue. This issue will only truly be resolved when the planned ePrivacy Regulation, currently still under development, is adopted.
The banner must:
briefly explain the purpose of the installation of cookies that the site uses;
be sufficiently conspicuous so as to make it noticeable;
clearly state which actions will indicate consent.
describe in detail the purpose of installation of cookies;
inform the user of how they can exercise their right to refuse/withdraw consent.
Blocking cookies before consent. In compliance with the general principles of privacy legislation, which prevent processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.
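The prior-blocking step just described, together with the consent record the GDPR section above says you must keep, as an added example that is not iubenda’s code. It assumes cookie-installing scripts are marked up as `<script type="text/plain" data-cookie-category="...">` (an assumed convention, so the browser does not execute them) and that the category names, sample URLs and user identifiers are constructed.

```javascript
// Added example (not the page's or iubenda's code): gate cookie-installing
// scripts on consent and keep the record the GDPR requires for that consent.
// Assumed page convention: <script type="text/plain" data-cookie-category="analytics" src="...">
// so the browser does not run the script until activateConsented() rewrites it.

const STRICTLY_NECESSARY = 'necessary'; // exempt: session, load balancing, preferences

// Decide which blocked scripts may run for a given consent state (null = none yet).
// `scripts` is an array of {src, category}; returns the allowed srcs in page order.
function allowedScripts(scripts, consent) {
  return scripts
    .filter(s => s.category === STRICTLY_NECESSARY ||
                 (consent && consent.categories.includes(s.category)))
    .map(s => s.src);
}

// Consent record: who consented, when, what they were told, how, and whether withdrawn.
// An empty category list is refused: consent needs an affirmative opt-in, never a default.
function makeConsentRecord({ userId, categories, disclosures, method, now }) {
  if (!Array.isArray(categories) || categories.length === 0) {
    throw new Error('an affirmative opt-in is required; nothing may be pre-ticked');
  }
  return {
    userId,                                          // identity of the user
    consentedAt: (now || new Date()).toISOString(),  // when they consented
    disclosures,                                     // the notice text/version shown at the time
    method,                                          // e.g. 'cookie banner accept button'
    categories: [...categories],                     // what they opted in to
    withdrawnAt: null,
  };
}

// Withdrawal must be as easy as giving consent: one call, no further conditions.
// Note: this only stops further loading; cookies already set by third-party
// scripts cannot be deleted from page JavaScript and must expire or be cleared server-side.
function withdrawConsent(record, now) {
  return { ...record, categories: [], withdrawnAt: (now || new Date()).toISOString() };
}

// Browser-only part: replace allowed <script type="text/plain"> tags with live scripts.
// Guarded so the decision logic above can be exercised outside a browser (returns 0 there).
function activateConsented(consent) {
  if (typeof document === 'undefined') return 0;
  const blocked = [...document.querySelectorAll('script[type="text/plain"][data-cookie-category]')];
  const descriptors = blocked.map(el => ({ src: el.src, category: el.dataset.cookieCategory }));
  const allow = new Set(allowedScripts(descriptors, consent));
  let activated = 0;
  for (const el of blocked) {
    if (!allow.has(el.src)) continue;
    const live = document.createElement('script');
    live.src = el.src;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed sample inventory: two consent-gated scripts and one strictly necessary one.
const SAMPLE_SCRIPTS = [
  { src: 'https://example.invalid/analytics.js', category: 'analytics' },
  { src: 'https://example.invalid/ads.js', category: 'marketing' },
  { src: 'https://example.invalid/session.js', category: STRICTLY_NECESSARY },
];
```

Before any consent only the strictly necessary script is allowed; after withdrawal the allowed set falls back to the same list.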
Consent to cookies can be provided by several actions. Subject to the local authority, these actions may include continued browsing, clicking on links or scrolling the page. In many cases, clicking on “ok”, closing the banner or continued navigation of a cookie-installing website can be considered active consent to the placing of cookies — provided that users had been previously and clearly informed about this consequence.
Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.
Statistical cookies managed directly by you (not third-parties), providing that the data is not used for profiling*
Anonymized statistical third-party cookies (e.g. Google Analytics)*
*This exemption may not be applicable in all regions and is therefore subject to specific local regulations.
The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.
Other examples of these technical cookies would be user-centric session-based cookies used to detect authentication abuses, load-balancing session cookies, and Multimedia player session cookies related to and necessary for the provision of services requested by the user.
So does this mean that I don’t need to have a Cookie Banner in such cases?
In the future, the ePrivacy Directive will be replaced by the ePrivacy Regulation and as such, will work alongside the GDPR. The upcoming regulation is expected to still uphold the same values as the directive.
In addition to the disclosures and requirements outlined above (and subject to your law of reference), if operating an e-commerce website or app, you’re further subject to the applicable commercial laws and industry rules.
Regarding B2B commerce
Generally, those involved in B2B commercial transactions will be subject to whichever contract, industry and national guidelines are applicable. However, participating in B2B commerce often requires that personal data be processed (be it that of employees or otherwise); in such cases, and where the processing falls within its scope, the GDPR applies and takes precedence.
Regarding B2C commerce
Under most countries’ consumer laws, when selling to consumers, in addition to the default required privacy disclosures, you’ll need to inform customers of the following:
Warranty/ Guarantee information (where applicable);
Safety information, including instructions for proper use (where applicable);
Terms of delivery of product/ service;
Identifying information such as a legal address and business name;
In the US, there is no one national law in regards to returns/refunds for purchases made online, as in most cases this is implemented on a state-by-state basis. However, under several state laws, if no refund or return notice was made visible to consumers before purchase, consumers are automatically granted extended return/refund rights. In cases where the item purchased is defective, an implied warranty may apply in lieu of a written warranty. Written warranties should at least adhere to industry standards of fairness.
While e-commerce disclosure requirements remain largely enforceable on a state-by-state basis in the US, it is standard in many cases to include this information via the Terms and Conditions document; returns and refund disclosures are often also included on dedicated site/app content areas that are easily accessible from the product description page.
EU consumer law applies to contracts or other legal relationships between consumers (on one side) and professionals, businesses, companies on the other (B2C). It does not apply to B2B (e.g. a supermarket places an order with its fruit supplier) or C2C relationships (e.g. I sell my old bike over eBay).
Among other things, under EU consumer law, consumers have an unconditional right to withdraw (“cooling off period”) of 14 days. This means that consumers may cancel or withdraw from a distance contract (sales occurring online, over the phone, mail order) for any or no reason for 14 days after receiving the product (in the cases involving goods). It’s worth noting that 14 days is the statutory minimum; in specific countries, national rules may extend this period, or single providers may extend it contractually.
This right to withdraw does not apply in all situations.
Some common exemptions are:
Event and travel tickets & car rental reservations, but more in general any contract related to leisure activities, if it provides for a specific date or period of performance;
Sealed media items such as CDs which have been unsealed by the recipient;
Digital content as soon as it’s downloaded by the consumer;
Made to order or distinctly personalized items (e.g. a tailored dress);
Under some additional conditions, any contract about the delivery of a service, etc.
Consumers located in the EU are also protected by a default legal 2-year guarantee on products purchased, at no additional cost. Here again, 2 years is the statutory minimum; in specific countries, national rules may extend this period, and it can also be extended contractually. These rules usually apply to any company selling to EU residents but may vary for international sellers on a case-by-case basis. It is worth noting, however, that in recent cases US courts have chosen to uphold the applicable EU law.
So what’s the difference between returning a product on the grounds of withdrawal and returning it on the grounds of a guarantee?
Right of withdrawal:
Applies for 14 days after receipt of the product or signing of the contract
You don’t need to have any reason for exercising this right — you can simply change your mind
You may have to bear the costs of returning the product (but it must be specified)
Applies with some exceptions (some of which are mentioned above)
Legal guarantee:
Applies for 24 months after receiving the product
You may only return a product on guarantee grounds because it’s faulty or otherwise unsuitable for the purposes it has been sold and purchased for
You may not be required to bear any cost (it’s “the seller’s fault” if the product is faulty)
Always applies to products, never applies to services
EU law also mandatorily requires that sellers inform consumers of the European Online Dispute Resolution (ODR) platform via direct link. The ODR, or “online dispute resolution” is a process that allows consumers based in the EU to easily file complaints (in regards to online sales) against companies also established in the EU. This means that ODR requirements can also apply to US companies that have any kind of physical presence in the EU.
Generally, privately owned websites (or similarly private social network profiles, blogs etc.) that merely have a private and personal purpose are not subject to additional regulations, however, various EU and national acts require online commercial operators to disclose certain information.
In order to be deemed “commercial”, it is not necessary that you actually “sell” anything — a personal website may easily be considered commercial if, for instance, it generates considerable traffic and thereby creates relevant advertising revenue (e.g. influencers) — however, if you do “sell” products or services, the information duties increase.
If you sell directly to consumers (B2C), you’ll face additional information duties including but not limited to those listed above, as well as linking to the EU online resolution platform for consumers, listing precise delivery times, making disclosures regarding prices and applicable taxes as outlined in Directive 83/2011/EU.
Emails and Newsletters
An e-mail address is considered personal data. Therefore, whenever dealing with e-mail addresses, privacy law is triggered. As we have mentioned already, under most legislations you’re required to inform extensively about the processing activities, their purposes and the rights of users.
Generally, such legislations apply to any service targeting residents of the region, which effectively means that they may apply to your business whether it’s located in the region or not. This is even more relevant if you’re using a bought email list, as in such a case you may not know the recipient’s country of residence. For this reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
Under the FTC’s CAN-SPAM Act, you do not need consent prior to adding users located in the US to your mailing list or sending them commercial messages, however, it is mandatory that you provide users with a clear means of opting out of further contact.
Under EU law (namely the GDPR) it is mandatory that you obtain the informed consent of the user before subscribing them to the service. Under EU regulations, acquiring consent can be considered a two-part process that includes informing the user and obtaining verifiable consent via an affirmative action.
Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13 must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.
Under EU GDPR regulations, consent is one of the lawful bases for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service.
The T&C document is essentially a legally binding agreement; therefore not only is it important to have one in place, but it’s also necessary to ensure that it meets legal requirements. Generally, standard contract terms will apply and, under most laws, contracts used by traders must be fair. This means that the document must be up-to-date with all applicable regulations, precise, visible and easily understandable so that users can both easily see it and agree to it. The “agreeing action” should be done in an unambiguous way (e.g. clicking a checkbox with a visible link to the document before being able to create an account or use the service).
While the full content may vary based on the particulars of your business, the Terms and Conditions should at least include the following:
Identification of the business
Description of the service that your site/app provides
Information on risk allocation, liability, and disclaimers
Warranty/Guarantee information (where applicable)
The existence of a withdrawal right (if applicable)
Safety information, including instructions for proper use (where applicable)
Terms of delivery of product/service
Rights of use (if applicable)
Conditions of use/purchase (e.g. age requirements, location-based restrictions)
Refund policy/exchange/termination of service and related info
Third-party apps and services also need to follow the law. For this reason, it’s often mandatory that all partners and customers that use their services meet regulatory standards.
Another example is that of Amazon. Here’s an excerpt of what they had to say:
We extended the requirement to disclose our affiliate relationship to any means where you may be leveraging Associates’ content.
From time to time third party requirements can change in response to internal or regional regulations. It is, therefore, necessary to ensure that your policies meet the latest requirements in order to avoid potential penalties or interruption of service.
You can read more about Google’s requirements here, and Amazon’s here.
Consequences of non-compliance
The legal ramifications of non-compliance include:
Non-compliance with CalOPPA or COPPA may lead to government officials bringing suit or seeking civil penalties against you. In one example, the owners of the Imbee website were fined US$130,000 for COPPA violations of allowing children under 13 to register without parental consent.
Similar fines can apply under other state and federal laws. Non-compliance with GDPR requirements can carry fines up to EUR 20 million (€20m) or 4% annual worldwide turnover (whichever is greater).
Disciplinary measures may be implemented against you if you are found to be in violation of regulations. These measures may include but are not limited to official reprimands (for first-time violations) and periodic data protection audits. The GDPR gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of regulations.
So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of your data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but you may be forbidden from making further use of the data that was the subject of the inquiry. This means that if the violation was in regard to email address collection, you risk being barred from using the entire associated email list.
Non-compliance with consumer or competition law (acts of unfair competition) may also entail fines by the competent (mostly national) authorities.
It is a general principle of civil law that you have to compensate any unjust damage you’ve caused to someone else, in particular by violating a legal prescription. Among other acts, both the GDPR and the CalOPPA grant individual users the right to claim compensation for any damages resulting from a violation of their rights. The same reasoning would apply to any other applicable act or law, such as the EU’s consumer protection provisions.
Remember that liability for damages applies in all relationships: a business partner may also be entitled to compensation if you violated a legal provision. For example, selling counterfeit goods via a partner platform like Amazon might result in the company taking legal action against you alongside the customers who purchased the counterfeit goods.
Loss of services and contractual penalties
Here is an example from Amazon Web Services Partner Network’s Terms and Conditions in regards to consent:
For any Third-Party Data you provide to AWS, you represent and warrant that you have received all necessary consents for (a) you to share the Third Party Data with AWS and its Affiliates, and (b) AWS and its Affiliates to use the Third-Party Data to contact its subject(s) to market our goods and services and the Program.
Lastly, but perhaps most significantly, where certain conditions are met, it’s possible to face consequences via criminal law. If, for instance, you wilfully breach or ignore data protection provisions for commercial purposes (e.g. you sell people’s personal data without telling them) you may face severe consequences. However, criminal law is largely a national issue: conditions and consequences must be checked on a case-by-case basis.
How iubenda can help you with compliance
We believe in the importance of a comprehensive approach to data law compliance, for this reason, we keep track of the major legislations and build solutions with the strictest regulations in mind — giving you full options to customize as needed. This way, you can ensure that you meet your legal obligations (regardless of where your customers are located), reduce your risk of litigation and protect your customers, building trust and credibility.
Here’s what you need to get started with full compliance:
As mentioned above, users must be informed about how you use their personal data. As such, privacy policies are legally required almost everywhere in the world. This legal document should state the ways in which your website or app collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.
Complying with the EU Cookie Law
Because using cookies means both processing user data and installing files used for tracking, it is a major point of concern when it comes to user data privacy rights. For this reason, if you operate in the EU or could potentially have EU users, you need to comply with the Cookie Law. In practice this means:
Facilitating consent — giving the user the information and the option to give, refuse or withdraw consent.
Preemptively blocking (prior blocking) cookie-installing scripts until user consent has been obtained.
Our Cookie Solution complies with provisions of the ePrivacy Directive (Cookie Law). It allows you to easily inform users and obtain their consent while including the option to preemptively block any scripts that install cookies prior to user consent (which is required in many EU countries). It’s easy to run, fast and does not require heavy investments.
Protecting you or your business with proper Terms and Conditions
Though not always legally required, terms and conditions are pragmatically required. They govern the contractual relationship between you and your users and set out, in a legally binding way, how your product, service or content may be used. It is therefore vital that this contract be precise and up to date with all applicable regulations. It should include the general conditions for use of your service, with special attention to “limitation of liability” clauses and disclaimers.
Our Terms & Conditions generator helps you to easily generate and manage Terms and Conditions that are professional, customizable from over 100 clauses, available in 8 languages, drafted by an international legal team and up to date with the main international legislations. It is powerful, precise, and capable of handling even the most complex, individual scenarios and customization needs.
It comes with:
hundreds of possible personalizations;
plug-and-go integrations for popular store platforms such as Shopify and WooCommerce;
pre-defined scenarios: buildable text modules for marketplace, affiliate programs, copyright, e-commerce, mobile, and more.
The solution is optimized for everything from e-commerce, blogs and apps to complex scenarios such as marketplaces and SaaS.
Getting started is easy. Simply activate the Terms and Conditions (uses 1 Ultra license) within your dashboard and start generating.
For a list of the full features of the Terms and Conditions Generator, click here or read the guide here.
Internal Privacy Management
Meeting GDPR requirements can be a technical challenge in practical terms. This is especially true for internal privacy management. In order to be compliant, you must be able to keep track of and describe:
which data you collect;
for which purposes it was collected;
the legal basis for processing;
data retention policy for each processing activity;
the parties involved (both inside and outside your organization);
data transfer outside of the EU, if any; and
other related details which may apply company-wide, including data of employees.
Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations. It allows you to create records of processing activity: add processing activities from 1300+ pre-made options, divide them by area (sub-divisions within which data processing activities are the same), assign processors and other member roles, and to document legal bases and other GDPR-required records.
Please note: even if your processing activities somehow fall outside of the situations mentioned previously in this guide, your information duties to users (GDPR Articles 13 and 14) make it necessary for you to keep basic records of which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone.
Additionally, even though the GDPR is a common reason to put more effort into internal privacy management, our tool is not exclusively made for application under the GDPR. It can also be used for internal privacy management in general, even by companies who do not have any users/customers within the EU.
Managing consent and maintaining detailed records related to it
In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected. These records must show:
when consent was provided;
who provided the consent;
what their preferences were at the time of the collection;
which legal or privacy notice they were presented with at the time of the consent collection;
which consent collection form they were presented with at the time of the collection.
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use it, simply activate the Consent Solution and get the API key, then install via the HTTP API or the JS widget and you’re done: you’ll be able to retrieve consents at any time and keep them updated.
Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.