This document describes:
Do site owners have a duty to use a tool to detect and monitor Trackers on their sites?
Yes.
Site owners must technically ensure, and be able to demonstrate, that site visitors’ personal data are processed as required by the GDPR.
Site owners can achieve lawful use of Trackers on their sites and demonstrate it only if site owners first
Legal reference: GDPR Article 24.1, 1st sentence.
What to do? Use Trackerdetect.
Do site owners have a duty to have internal policies for using Trackers on their sites?
Site owners may be obliged to adopt internal policies for using Trackers on their sites.
Such policies should tell employees and other staff the rules for whether, when, where and how to classify, authorise and manage Trackers on their sites.
Legal reference: GDPR Article 24.2 and 24.1.
What to do? Ask us for a policy template!
Do site owners (and Trackers) have a duty to classify themselves and each other as a “controller”, “joint controller” or “processor”?
Yes.
Site owners and Trackers have a duty to classify themselves and each other as a “controller”, “joint controller” or “processor”.
The reason is that these notions trigger different legal duties that regulate
Who is (not) a (joint) controller with regard to what?
Site owners count as “controllers” in relation to their site visitors.
Trackers may - depending on the circumstances - count as
Site owners and Trackers may count as joint controllers.
What to do? Assess in which capacity/role site owners and Trackers process site visitors’ personal data.
Do site owners have a duty to use only Trackers that provide sufficient guarantees for GDPR compliant processing of site owners’ website visitors’ personal data?
Yes.
Site owners must assess if Trackers provide sufficient measures for GDPR compliant processing of site owners’ website visitors’ personal data, in particular in terms of:
Legal reference: GDPR Article 28.1 and 32.
Do site owners have a duty to enter into a Data Processing Agreement (DPA) with site Trackers?
Yes.
Legal reference: GDPR Article 28.3.
Must the Data Processing Agreement (DPA) have a certain content?
Yes.
What to do? Ask us for a DPA template!
Legal reference: GDPR Article 28.3.
Can site owners use Trackerdetect to indicate whether a Data Processing Agreement (DPA) is signed with each Tracker?
Yes, in the Tracker Dashboard of Trackerdetect.
Can site owners use Signatu’s Consent technology to enter into a Data Processing Agreement (DPA) with Trackers electronically?
Yes.
What to do? Contact us!
Do site owners have additional duties if Trackers share site owners’ website visitors’ personal data with 1) a 3rd party controller, 2) Trackers’ own sub-processor, 3) site owners’ other processors, or 4) a 3rd party processor?
Yes.
Such sharing must be based on the instructions of the site owner.
Legal reference: GDPR Article 28.2 and 28.4.
Is the disclosure of site owners’ website visitors’ personal data to Trackers unauthorised and therefore a data breach if no Data Processing Agreement (DPA) is signed between the site owner and the Trackers?
Yes.
Legal reference: GDPR Article 4(12).
Do site owners have a duty to enter into a Joint Controller Agreement (JCA) with site Trackers?
Yes.
Legal reference: GDPR Article 26.
Must the Joint Controller Agreement (JCA) have a certain content?
Yes.
Joint controllers must determine their respective responsibilities for compliance with the GDPR, in particular as regards the site visitors’ exercise of rights, and the joint controllers’ respective duties to inform site visitors as required in GDPR Articles 13 and 14, by means of an arrangement between them. The arrangement may designate a contact point for site visitors.
What to do? Ask us for a JCA template!
Legal reference: GDPR Article 26.1.
Must site owners and Trackers inform site visitors about the respective roles and relationships of the joint controllers vis-à-vis the site visitors?
Yes.
What to do? Contact us! We enable you to inform site visitors appropriately.
Legal reference: GDPR Article 26.2.
Can site owners use Trackerdetect to indicate whether a Joint Controller Agreement (JCA) is signed with each Tracker?
Yes, in the Tracker Dashboard of Trackerdetect.
Can site owners use Signatu’s Consent technology to enter into a Joint Controller Agreement (JCA) with Trackers electronically?
Yes.
What to do? Contact us!
Is the disclosure of site owners’ website visitors’ personal data to Trackers unauthorised and therefore a data breach if no Joint Controller Agreement (JCA) is signed between the site owner and the Trackers?
Yes.
Legal reference: GDPR Articles 26.1 and 4(12).
Is the disclosure of site owners’ website visitors’ personal data to Trackers unauthorised and therefore a data breach if there is no legal basis for the processing purpose?
Yes.
Legal reference: GDPR Articles 6 and 4(12).
Can site owners be responsible towards site visitors for Trackers’ breach of site visitors’ rights?
Yes.
Legal reference: GDPR Article 26.3.
For which stage of the processing are the site owner and Tracker jointly responsible?
The Advocate General of the Court of Justice of the EU says in his Opinion in the Fashion ID case that:
Site owners and Trackers are jointly responsible for the stage of the processing that concerns the collection and transfer to Trackers (but not further downstream) of site visitors’ personal data (e.g. IP address, browser string etc) caused by the Tracker resources that provide the parameters of the data to be collected and transferred if
Legal reference: Fashion ID case
Must site owners and Trackers have legal basis for their purpose to collect and transfer site visitors’ personal data to Trackers?
Yes.
Is it the site owners or Trackers who have a duty to request, receive and record site visitors’ consent?
Site owners have the duty to request and receive site visitors’ consent.
Site owners are considered to be in a position to provide information in the consent request about
Site owners are considered to be in a position to receive consent since it is when their sites are visited that the collection and transfer of data is triggered.
Site owners are considered to be in a position to record the consent events (that site visitors consent, refuse to consent or withdraw consent).
Legal reference: Fashion ID case
Can site owners use Signatu’s Consent technology to request and receive site visitors’ consent electronically?
Yes.
What to do? Contact us!
Which information must site owners provide to site visitors when requesting site visitors’ consent?
Please see our Consent documentation.
When must site owners request and receive site visitors’ consent?
Site owners must provide information and request and receive site visitors’ consent BEFORE site visitors’ personal data are collected and transferred to Trackers.
How can site owners request and receive site visitors’ consent BEFORE site visitors’ personal data are collected and transferred to Trackers?
Our Tag Manager conditionally loads Tracker resources (e.g. cookies) based on site visitors’ consent.
What to do? Contact us!
Must site visitors be informed about the Legitimate Interest of the site owners only or Trackers only or both?
Both.
In the balancing against the rights of website visitors, it is the Legitimate Interest of both the site owners and the Trackers that have to be taken into account when they both act as joint controllers for the collection and transfer of the data to the Trackers.
Legal reference: Fashion ID case
Is it the site owners or Trackers who have a duty to inform site visitors about the legitimate interest?
The site owners have a duty to inform about their own legitimate interest, and most probably also have a duty to inform about the legitimate interest of the Trackers, as in the case with consent (see above).
Legal reference: Fashion ID case
Must site owners provide site visitors with the possibility to opt out, by automated means, of processing based on legitimate interest?
Yes.
See our Consent documentation.
What to do? Contact us!
Legal reference: GDPR Articles 21.1 and 21.5.
Must site owners and Trackers have a separate legal basis for transferring site visitors’ personal data outside the EU?
Yes.
Legal reference: GDPR Articles 44-46.
How can site owners know whether site visitors’ personal data are transferred outside the EU?
Trackerdetect detects the location of the server from which the Tracker resources are loaded. Trackerdetect also indicates the location of the Tracker’s address. Together these indicate where outside the EU site visitors’ personal data may be transferred.
Must site owners keep a Processing Record with details about Trackers?
Yes, except, says GDPR Article 30.5, if you employ
“fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10”.
Legal reference: GDPR Article 30.1 and 30.5.
What to do? Use Trackerdetect.
Which information must the Processing Record show?
The processing record must show:
How often must site owners record that Trackers are on their sites?
Regularly.
If Trackers place cookies on site visitors’ machines, then the Consent Record must show the site visitors’ Consent Events regarding all cookies that require site visitors’ consent. Ideally, site owners should use Trackerdetect daily to record that Trackers place cookies on site visitors’ machines and check against the Consent Record whether cookies are placed on site visitors’ machines without their permission, so that site owners can act quickly against the Tracker.
What to do? Use Trackerdetect to scan sites 4 times daily!
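The two mechanisms described above, consent-gated loading of Tracker resources (the Tag Manager answer) and reconciling a daily cookie scan against the Consent Record, sketched in one added example that is not Signatu’s or Trackerdetect’s code; the consent-event shape, purpose names, vendor names and scan format are assumptions, and the script loader is injected so the decision logic runs without a browser.

```javascript
// Added example, not Signatu's or Trackerdetect's code; names and data
// shapes are assumptions. Consent Record: one entry per consent event.
function createConsentRecord() {
  const events = []; // { purpose, action, at }
  return {
    record(purpose, action, at) {
      if (!["consent", "refuse", "withdraw"].includes(action)) {
        throw new Error(`unknown consent action: ${action}`);
      }
      events.push({ purpose, action, at });
    },
    // Consent holds only while the latest event for the purpose is "consent".
    consentGiven(purpose) {
      const last = events.filter((e) => e.purpose === purpose).pop();
      return last !== undefined && last.action === "consent";
    },
  };
}

// Tag-manager style gate: load a Tracker resource only when consent exists.
// loadScript is injected (e.g. one that appends a <script> tag) so the
// decision logic runs without a DOM.
function loadConsentedTrackers(trackers, record, loadScript) {
  const loaded = [];
  for (const t of trackers) {
    if (record.consentGiven(t.purpose)) {
      loadScript(t.src);
      loaded.push(t.name);
    }
  }
  return loaded;
}

// Reconciliation of a daily scan against the Consent Record: cookies set
// for a purpose the visitor has not consented to.
function cookiesWithoutConsent(scan, record) {
  return scan.filter((c) => !record.consentGiven(c.purpose));
}

// Constructed sample data (not real vendors).
const SAMPLE_TRACKERS = [
  { name: "analytics-vendor", purpose: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ads-vendor", purpose: "advertising", src: "https://ads.example/pixel.js" },
];
const SAMPLE_SCAN = [
  { cookie: "_an_id", tracker: "analytics-vendor", purpose: "analytics" },
  { cookie: "_ad_uid", tracker: "ads-vendor", purpose: "advertising" },
];
```

A withdrawal event makes `consentGiven` false again, so a cookie that was lawfully set yesterday shows up in the next day’s reconciliation if the Tracker keeps setting it.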
Must site owners be able to prove the date of creation of the record and the last update?
Yes.
The Italian Data Protection Authority says that tracking changes to the record is achieved when you can prove the date of creation of the record (sheet) and the last update.
Legal reference: FAQ of the Italian Data Protection Authority regarding GDPR Article 30.
Must site owners show the Processing Record to Data Protection Authorities?
Yes, site owners must make the record available to the Data Protection Authorities on request.
Legal reference: GDPR Article 30.4.
Do site owners have a duty to carry out a documented preliminary risk assessment to determine whether having Trackers on the site will trigger the need to undertake a full DPIA?
Yes, according to Ireland’s Data Protection Authority, which says in general:
“the data controller needs to go through a methodological process to identify the threats to data subjects and a calculation of the inherent risks involved. Clearly, if a processing operation is not high risk this can be easily recorded alongside the record keeping required for processing operations under Article 30. On the other hand, if a processing operation is complex, then a full scale screening process may be required and it may in fact form the preliminary steps of a DPIA. Other less complex processing operations may not require such an in depth risk analysis. If this analysis step determines in fact that the risks are low and no further work on a DPIA is required then, this can be recorded with other Article 30 records.”
Site owners may be obliged to carry out a Data Protection Impact Assessment (DPIA) of the impact of the collection and transfer of site visitors’ personal data to Trackers, assess if processing is performed in accordance with the DPIA and consult the Data Protection Authority prior to the collection and transfer.
Legal reference: GDPR Articles 35.1, 35.11 and 36.
What to do? Carry out a risk assessment and DPIA.
Must site owners include details about Trackers in their Privacy Policies?
Yes.
The Privacy Policy must include:
Legal reference: GDPR Article 13.
What to do? Generate a Privacy Policy with Signatu and include the Tracker details from Trackerdetect.
Must site owners include details about Trackers in their Access Right Response?
Yes.
The Access Right Response must include:
Legal reference: GDPR Article 15.
What to do? Include the Tracker details from Trackerdetect.
Do site owners have a duty to notify Trackers of site visitors’ request to rectify or erase their personal data or restrict processing?
Yes.
Legal reference: GDPR Article 19.
Contact us if you need help.