Approved in 2016 but applied de facto since May 2018, the General Data Protection Regulation (GDPR) reinforces at European level the rights of consumers regarding control of their privacy. The Regulation establishes a legal framework that affects all member states of the Union. To adapt to the new European requirements, the Organic Law for the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) was passed, replacing the LOPD of 1999.
For a time, the legal situation regarding IP addresses was not clear. However, the Court of Justice of the European Union has ruled that an association between IP addresses and actual personal data can be established through the Internet provider. Therefore, IP addresses are also considered personal data.
However, while collecting data, and therefore writing a privacy policy, is easily justifiable for an online store, the situation changes for other types of services. Every minute, data is automatically collected and stored (often without the owner of the website realizing it), for example: the IP addresses that web servers save in log files, the personal data linked to the use of social buttons, and the cookies that store information about users and their browsing habits. Another sensitive topic is web analysis tools such as Google Analytics, which record web traffic. This Google tool is especially problematic in terms of data protection standards, since users' IP addresses are stored on servers located in the United States.
To reduce the severity of this problem, those in charge of managing web pages can shorten an IP address at its last block of digits, so that it loses its link to any personal information.
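One way to apply this truncation to web server log files, as an added example that is not part of the original article. It assumes common/combined log format with the client address as the first field; the /24 (IPv4) and /48 (IPv6) cut-offs are assumptions, since the article only speaks of the last block of digits.

```python
import ipaddress

# Assumed cut-offs: keep the first three octets of IPv4 (/24) and the first
# 48 bits of IPv6. The article itself only mentions the last block of digits.
KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(text):
    """Return the address with its trailing bits zeroed, or None if unparsable."""
    try:
        addr = ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) still carries the full IPv4
    # address in its low bits, so treat it as IPv4 before masking.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    drop = addr.max_prefixlen - KEEP_BITS[addr.version]
    return str(type(addr)((int(addr) >> drop) << drop))


def anonymize_log_line(line):
    """Rewrite the client field (first token) of a common/combined log line."""
    client, sep, rest = line.partition(" ")
    masked = anonymize_ip(client)
    # Fail closed: an unparsable client field is replaced, never passed through.
    return (masked if masked is not None else "-") + sep + rest


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.57 - - [12/May/2018:10:01:22 +0200] "GET / HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [12/May/2018:10:01:23 +0200] '
    '"GET /shop HTTP/1.1" 200 734',
    '::ffff:198.51.100.14 - - [12/May/2018:10:01:24 +0200] "GET /a HTTP/1.1" 404 0',
    'unknown - - [12/May/2018:10:01:25 +0200] "GET /b HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(anonymize_log_line(sample_line))
```

Running the masking before the line is written to disk, rather than as a later clean-up job, means the full address never reaches the log file at all.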
We explain these rights more fully below.
Contact details of the controller or his representative
Template for contact information
The party responsible for the processing of personal data in accordance with the GDPR is:
Name of the company/responsible/representative
Main Street, 1
Contact details of the data protection officer (DPO)
Template for DPO contact details
The data protection officer according to the GDPR is:
Name of the DPO
Main Street, 1
Lawfulness of data processing
It is the duty of the owners or managers of web pages to duly inform users of the lawfulness of the collection and processing of their personal data, which is determined by the fulfillment of at least one of the conditions described in Article 6 of the GDPR:
- “the interested party gave their consent for the processing of their personal data for one or more specific purposes;
- the processing is necessary for the execution of a contract to which the interested party is a party, or for the application, at the latter's request, of pre-contractual measures;
- the processing is necessary for compliance with a legal obligation applicable to the data controller;
- the processing is necessary to protect vital interests of the interested party or of another natural person;
- the processing is necessary for the fulfillment of a mission carried out in or in the exercise of public powers conferred on the person responsible for the
- the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail over said interests, in particular when the interested party is a child. […]”
Template to report the legality of data processing
The person responsible for processing the personal data of the interested party informs you that these data will be processed in accordance with the provisions of current regulations on personal data protection, Regulation (EU) 2016/679 of April 27, 2016 (GDPR) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights, for which the following processing information is provided:
As long as we have the consent of the interested party for the processing of personal data, section a) of point 1) of Article 6 of the GDPR governs as the legal basis.
If the processing of personal data is necessary for the execution of a contract with the interested party or for pre-contractual measures, section b) of point 1) of Article 6 of the GDPR governs.
If the processing of personal data is a consequence of a legal obligation on our part, we refer to section c) of point 1) of Article 6 of the GDPR.
If the processing of personal data is intended to protect the vital interests of the interested party or of another natural person, we rely on section d) of point 1) of Article 6 of the GDPR.
If the processing of personal data is necessary to fulfill a task of public interest or in the exercise of a public obligation, we refer to section e) of point 1) of Article 6 of the GDPR.
As long as the processing of the data is necessary to satisfy the legitimate interests of the person in charge or of a third party without putting at risk the interests, fundamental rights or freedoms of the data subject, the legal basis is established by section f) of point 1) of Article 6 of the GDPR.
Purposes of data processing
In the privacy statement of your project you must state the objectives you pursue when collecting and processing your users' data. For this, and to show transparency, it is advisable to list all the components of your website that collect this type of information, such as:
- contact forms,
- register for the newsletter,
- data entry fields, for example, to indicate bank details at the end of a purchase,
- tracking codes,
- plugins (social buttons),
- third party content (YouTube),
When it comes to integrating third-party content, you have to be very careful, since the GDPR strengthens the need to inform the user before the data collection takes place. Google has already reacted by offering an extended data protection mode among the embedding options for videos from its audiovisual platform. If activated, an embed code is generated that only sends the data when the video starts.
If point 1.f) of Article 6 of the GDPR mentioned above is relevant in your case, you should specify what your legitimate interests are, while checking that you are also protecting the interests and fundamental rights of the user. Some of the usual goals linked to the processing of data are the analysis of user behavior on the page for optimization, the design of more personalized content, or marketing purposes.
Template to explain why personal data is processed
To make your visit as pleasant as possible and to offer you all the functions available, we collect a series of data about the device that you are using at the time of visiting us. These are:
- IP address,
- operating system,
- browser type and version,
- date and time of visit,
This data is not processed for marketing purposes.
Recipients or categories of recipients of the data
This is also the section for cookie implementations and third-party extensions, whose use is always linked to a transfer of personal data. It is time to name the tracking codes and the social buttons. In both cases, the person in charge can justify their use with a legitimate interest, but it is advisable to do so with the explicit consent of the user. In the case of social buttons, the application of a procedure compliant with data protection, such as a two-click solution, must also be considered.
Some advertising services such as Google AdSense or AdWords must also be mentioned as recipients of data if they are used to finance the project.
Template to inform about the recipients of the data (example: Facebook plugin)
This website uses a Facebook social plugin developed and operated by Facebook Inc. (1 Hacker Way, Menlo Park, California 94025 USA), which can be recognized by the Facebook logo. This plugin creates a direct connection between your browser and the Facebook servers as soon as it is activated by pressing the button. We have no influence on the type and amount of data that is sent to Facebook by this method. At the following link you can read the company's explanation in this regard: www.facebook.com/help/186325668085084.
If you intend to send personal data to a third country or to an international organization, this section is the place to indicate it.
Data retention period
Another piece of information with which you can make your data processing transparent is the time during which you will store the data. If you cannot state it exactly, you can refer to the criteria that determine the retention period. You can, for example, refer to the period that you have configured for the automatic removal of (anonymised) IP addresses from the log files. If you work with cookies that allow you to identify the user for the duration of their session, the retention period of their data will be closely linked to the duration of the session.
Template to inform about the term of conservation of the data
All personal data we collect through session cookies during your visit are automatically deleted as soon as the reason for such collection has been fulfilled. In this way, the session data will be saved until you end your session by leaving or closing the page.
If you store the personal data of your users on servers outside the EU, you have to indicate this explicitly, referring to possible differences in data protection regulation.
Reference to the rights of the interested party
Users or interested parties whose data is collected have rights over it. The right to information (or right of access, as stated in Article 13 of the LOPD-GDD), set out in Article 15, guarantees that users can find out about the purposes of the processing of their data, its possible recipients, its retention period and its origin. Users also have the right to rectification, as stated in Article 16, and even, depending on the circumstances, to the deletion of their data, under the right of deletion contained in Article 17.
Template to inform of the rights of the interested parties
In accordance with the GDPR, the person whose personal data is processed is considered the interested party, which is why you can benefit from the rights recognized by this fundamental directive on data protection, which are: the right to information (art. 15), to rectification (art. 16), to deletion (art. 17), to the limitation of processing (art. 18), to object (art. 21), to lodge a complaint with a supervisory authority (art. 77) and to portability (art. 20).
Legal or contractual duty to collect data
If it is essential to have personal data because of a legal requirement or because the execution of a contract requires it, the user must be duly informed of this, as well as of the consequences that would result from not having them.
Template to explain the obligation to collect personal data
The collection of your personal data is necessary in order to enter into a contract and comply with the obligations and benefits that this contract implies, so that if we do not have your consent we cannot enter into the contract or provide the services agreed.
Explanation on the use of automated individual decisions (including profiling)
If on your page you make decisions based on the automated processing of data that affect the interested party, including the creation of user profiles, you are obliged to explain the underlying logic in detail. It is above all about explaining the effects and the scope that these processes have on the interested party, because your user has the fundamental right “not to be the subject of a decision based solely on automated processing, including profiling, that produces legal effects on him or significantly affects him similarly”, as explained in Article 22. But this right does not apply when the automated process is necessary to enter into or perform a contract, is authorized by the law of the Union or of the Member States, or has the consent of the user.
Template to warn about automated decisions (profiling)
Before closing the contract we carry out a credit analysis to confirm your solvency.
What do we take away from the GDPR?
Naturally, these are by no means the only aspects that distinguish the new web privacy policies under the GDPR from the old model. Now more than ever, those responsible have the mission of explaining why and for what purpose the data is processed, and of making it clear enough to be easily understood and to leave no questions open. If necessary, either the person in charge of the website or the person in charge of data protection must attend to the user. The Regulation also highlights that information should be provided as soon as possible, specifically before collecting the data.
On the Internet there is a large number of free tools with which it is possible to create a privacy policy. Here it is essential to find a template that adapts to the services offered by the website and the needs of users. It is common to find general templates for the collection of data and others for special categories, such as social networks (Facebook, Twitter, etc.), cookies, contact forms or newsletter mailings. It is also possible to find templates outlining the requirements for pages that use web analytics tools such as Google Analytics; these generally include a link for those users who do not agree with the collection and dissemination of their data.