DiFens - 2017-1-CY02-KA205-000998
Setting up my company's website
What should I include in the Privacy Policy, Terms of Use, and the Cookie notifications?
Erasmus +
But first – how to choose a hosting service that is GDPR compliant?
Hosting services and the GDPR
How to choose a hosting service for my site?
MOST IMPORTANT ASPECTS
Hosting services normally act as data processors, while their clients are the data controllers who determine the purposes and means of processing personal data. The clients (as controllers) are responsible for choosing a service that guarantees suitable safeguards to protect the personal data.
Hosting services and the GDPR
Steps when choosing a hosting service
• Look at the Terms of Use of the services you are considering, and especially at the security safeguards the service claims to apply.
• Look at the Privacy Policy: you should find information about the country where the personal data is hosted (including all data centres between which the information may be moved).
Why is that important?
Country of the hosting service
Where is it better for the personal data I process to be stored?
• Within the EU or the EEA;
• In a country for which the European Commission has issued an Adequacy Decision (the list is published on the EC’s website);
• Choosing a hosting service that stores the information in a country without an Adequacy Decision requires you to check whether the other requirements of the GDPR are fulfilled.
COOKIES
Types of cookies
What’s a cookie? A small piece of data which is stored on a user’s computer or phone. It allows the website to “remember” your actions or preferences over time.
• Session cookies and persistent cookies
• First party cookies and third party cookies
• Cookies containing personal data and cookies which do not contain personal data
Content of a cookie banner
• Let users know that you are using cookies;
• Provide a link where they can learn more about the data you gather and how you use it;
• Provide a way for users to consent to the use of cookies (explicitly or through their actions).
Consent to cookies
Is only informing the users that you use cookies enough if they do not give their consent explicitly?
YES: if you have cookies that do not gather personal data (the user is not identified or identifiable, e.g. session cookies)
NO: if you have cookies which gather personal data and the user can be identified (especially when they register for your site)
Cookies and the GDPR
What measures should I take to make my use of cookies compliant with the GDPR?
• If a cookie collects any kind of personal data of identified or identifiable persons, you must gather and store the explicit consent of the users;
• Where possible, ensure the basic functioning of your website without cookies that gather personal information, in case the user does not give their consent;
• You should explicitly inform users if the cookies gather information that is processed by third parties (e.g. analytics).
Cookies and the GDPR
The consent under the GDPR must be:
Freely given, before the data is gathered
• The banner should appear before any personal data of the user is gathered;
• No pre-ticked boxes should be included in the banner for cookies that gather personal data;
Specific, informed, unambiguous
• The banner should contain a link to a detailed cookie policy that informs on the purposes for gathering the data and the types of data gathered;
• It is good practice to include separate boxes for consenting to the use of every type of cookie.
Easily withdrawable
• The user should be able to withdraw their consent at any time, as easily as they gave it.
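The consent rules on this slide, as an added JavaScript example that is not part of the DiFens material: a small consent model in which every optional cookie category starts unticked, cookie writes are refused until the matching box has been ticked, and withdrawing consent also removes the cookies it covered. All function names and the sample cookie values are assumptions; a Map stands in for the browser cookie jar so it runs offline.

```javascript
// Added example, not from the DiFens slides: a consent model enforcing the rules
// above. All names and sample cookie values are hypothetical/constructed; a Map
// stands in for document.cookie so the code runs in Node without a browser.
const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];
// Strictly necessary cookies (e.g. the session id) carry no personal data and need
// no consent; every other category starts unticked (no pre-ticked boxes).
function newConsent() {
  const state = {};
  for (const c of CATEGORIES) state[c] = c === "necessary";
  return state;
}
// Banner "Save" handler: only categories the user actively ticked are granted
// (specific, unambiguous); anything left unticked stays refused.
function grantConsent(state, ticked) {
  const next = { ...state };
  for (const c of CATEGORIES) if (c !== "necessary") next[c] = ticked.includes(c);
  return next;
}
// Withdrawal is as easy as granting: one call resets every optional category.
function withdrawConsent() {
  return newConsent();
}
// Every cookie write is gated on the consent recorded for its category.
function setCookie(store, state, name, value, category) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
  if (!state[category]) return false; // refused: no consent on record
  store.set(name, { value, category });
  return true;
}
// After withdrawal, cookies set under now-refused categories are deleted too.
function purgeRefused(store, state) {
  let removed = 0;
  for (const [name, { category }] of store) {
    if (!state[category]) { store.delete(name); removed++; }
  }
  return removed;
}
// Walkthrough: no optional cookie is written before the user ticks its box.
function demo() {
  const store = new Map();
  let consent = newConsent();
  setCookie(store, consent, "sid", "s3ss10n", "necessary");   // allowed
  setCookie(store, consent, "_ga", "GA1.2.1", "analytics");  // refused: banner not answered
  consent = grantConsent(consent, ["analytics"]);
  setCookie(store, consent, "_ga", "GA1.2.1", "analytics");  // allowed now
  setCookie(store, consent, "ad_id", "42", "marketing");     // still refused
  consent = withdrawConsent();
  return { removed: purgeRefused(store, consent), left: [...store.keys()] };
}
```

Running demo() leaves only the necessary "sid" cookie in the store and reports one purged cookie, which is what a compliant banner should produce after a grant followed by a withdrawal.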
PRIVACY POLICIES
What should I include in the Privacy Policy?
1. Information about you as controller (name of your company), your DPO if you have one, and means of contact
2. Types of personal data you process and the purposes for processing them
3. Grounds for processing
4. Third parties to which you disclose personal data
5. Transfers to third countries (if you make any)
6. The rights of the users of the site
What should I include in the Privacy Policy?
The types of data and the purposes for their processing
EXAMPLES
• Username and password – in order to proceed with your registration
• Year of birth – to verify whether your age is above the required minimum
• Credit or debit card details – in order to execute the payments for the products on our site
Beware of the principles of:
• Data minimisation
• Specified, explicit and legitimate purposes
What should I include in the Privacy Policy?
The grounds for processing of data are listed in Art. 6 of the GDPR, and there may be a different basis for every type of personal data:
• Consent
• Contract to which the user is a party
• Legal obligations
• Vital interests of the user
• Public interest/exercise of official authority
• Legitimate interest of the controller or a third party
On websites, the most common ground for gathering information is a contract with the user. Legitimate interest is also used, but you should be able to prove that your interest as controller is not overridden by the rights and freedoms of the users. Consent is better not relied upon, except when no other legal ground can be justified.
What should I include in the Privacy Policy?
Third parties to which you disclose data
EXAMPLES
• State authorities, court bodies, or officials that are competent and authorised to request and obtain certain information under national or EU law;
• Data processors acting on behalf of the controller (your company) who fulfil the requirements of the European data protection legislation.
What should I include in the Privacy Policy?
Transfers to third countries
You are required to inform the users about transfers to third countries outside the EU or to international organisations, and also to state whether there is an adequacy decision of the European Commission regarding that third country/international organisation or, in the absence of an adequacy decision, which other safeguards are in place.
What should I include in the Privacy Policy?
Rights of the data subjects
You are obliged to inform the users of their rights under the GDPR:
• right of access to their personal data
• right to request erasure, correction, or restriction of processing of their personal data
• right to object to the processing of their personal data
• right to data portability
• right to lodge a complaint with a competent authority
TERMS OF USE
FAQ regarding the Terms of Use
Is there a difference between Terms of Use, Terms of Service and Terms and Conditions?
• No, the name of the document is up to you.
Am I obliged to have Terms of Use?
• No, there is no such obligation in EU law, but there is certain information that you must provide if you offer online services or sell goods online (you may, however, include it in separate policies, e.g. consumer policies, return policies, shipping policies, etc.).
FAQ regarding the Terms of Use
Why should I have Terms of Use?
• The Terms of Use serve you: you may include rules for your users to follow and set the consequences if they do not, such as termination of their accounts. You may also restrict your liability in certain cases.
Are the Terms of Use “binding” for me?
• Consider them a contract between you and the users of your site.
What should I include in the Terms of Use?
• Rules regarding the original content you publish (e.g. rules for using the content)
• Rules users should follow, e.g. not to use rude language when communicating with other users
• Rules regarding user accounts and registration
• Restriction of liability, e.g. for content posted by users in certain cases, or for the content of linked sites
• Disclaimer, e.g. regarding the provision of content on an "as-is" and "as-available" basis
• Clauses on the consequences when users infringe the Terms of Use or perform illegal activities (e.g. deactivation of the account)
E-COMMERCE
Information for the consumers
If you manage an e-commerce website, according to the Consumer Rights Directive you should provide your users with the following information:
1. The main characteristics of the goods or services;
2. The identity of the trader (trading name);
3. Your address of establishment/place of business and your contact details; the address and identity of the trader on whose behalf you are acting;
4. The total price of the goods or services including all costs, charges and taxes; if the cost cannot reasonably be calculated in advance, the manner in which it will be calculated;