Ensuring the transparency of websites is vital from the perspective of the GDPR. Persons entering a website must be aware of how their personal data will be processed on the site and for what purpose.
According to the Article 29 Working Party Guidelines on Transparency, “Every organisation that maintains a website should publish a privacy statement/notice on the website. A direct link to this privacy statement/notice should be clearly visible on each page of this website under a commonly used term.”
A classic example of a place where personal data of the user are collected on a website is the form through which the user establishes an account on the site. In this context, the following issues should be borne in mind:
- Only personal data essential to create the profile may be collected. Otherwise, it may infringe the principle of data minimisation under the GDPR.
- Consent to processing of personal data is not always required. On registration of an account, the basis for processing in most cases will be a contract.
- The registration form should include the first-layer information clause.
- The user should not be forced to open an account if the transaction can be completed without it. Otherwise, it may violate the data minimisation principle.
- Information on the processing of personal data should be easily accessible to the user, e.g. after logging in to the account.
Mechanism for withdrawing consent
Under Art. 7(3) GDPR, persons whose personal data are processed on the basis of consent must be informed of the right to withdraw their consent before they give their consent. Significantly, withdrawal of consent must be just as easy as giving consent. This point was recently addressed by the President of the Personal Data Protection Office in a decision of 16 October 2019. The decision involved a situation where a user clicking on a link for withdrawal of consent was asked to state the reasons for the withdrawal (failure to respond prevented the user from continuing the process of withdrawing consent), and then asked to submit the request to an email address. The supervisory authority found that this model does not meet the criteria for fast and easy withdrawal of consent. Businesses must therefore consider carefully the mechanisms for withdrawal of consent they use on their websites.
Consent and verifiability
Art. 7(1) GDPR provides, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” Thus it is vital from the perspective of demonstrating compliance with the GDPR to implement appropriate technical mechanisms recording who has granted consent, when, and what kind of consent.
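The two requirements above, recording who consented, when and to what (Art. 7(1)) and making withdrawal a single step that is as easy as granting (Art. 7(3)), can be illustrated with a small hash-chained consent ledger. This is an added example written for this page, not code from the author or the firm; the class and field names are hypothetical, and the notice text and user id used in the usage call are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical consent ledger: an append-only, hash-chained list of events, so the
# controller can later demonstrate who consented, when, to which notice text and
# purpose, and whether that consent has since been withdrawn.
class ConsentLedger:
    def __init__(self):
        self.events = []  # each stored event carries the hash of the previous one

    def _append(self, event):
        prev = self.events[-1]["hash"] if self.events else "0" * 64
        body = json.dumps({**event, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.events.append({**event, "prev": prev, "hash": digest})
        return self.events[-1]

    def grant(self, user_id, purpose, notice_text, ts=None):
        # Record a hash of the notice the user actually saw and the exact time of consent.
        return self._append({
            "user": user_id, "purpose": purpose, "action": "grant",
            "notice_sha256": hashlib.sha256(notice_text.encode()).hexdigest(),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        })

    def withdraw(self, user_id, purpose, ts=None):
        # One action, no reason required: withdrawal is as easy as granting (Art. 7(3)).
        return self._append({"user": user_id, "purpose": purpose, "action": "withdraw",
                             "ts": (ts or datetime.now(timezone.utc)).isoformat()})

    def status(self, user_id, purpose):
        # The latest event for this user/purpose decides; no record means no consent.
        state = "none"
        for e in self.events:
            if e["user"] == user_id and e["purpose"] == purpose:
                state = "active" if e["action"] == "grant" else "withdrawn"
        return state

    def verify_chain(self):
        # Recompute every hash; any edited, reordered or deleted record breaks the chain.
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or recomputed != e["hash"]:
                return False
            prev = e["hash"]
        return True

if __name__ == "__main__":  # constructed sample values
    ledger = ConsentLedger()
    ledger.grant("user-42", "newsletter", "Privacy notice v1 (sample text)")
    ledger.withdraw("user-42", "newsletter")
    print(ledger.status("user-42", "newsletter"), ledger.verify_chain())
```

Each grant stores the hash of the notice version the user saw, so a later change to the wording cannot be confused with what was actually consented to.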
If the controller directs information to data subjects in a different language (e.g. operates a website offering services targeted at individual countries), the controller should ensure that users are provided with a translation of the data-processing notice into their own language.
Social media plugins
Karolina Romanowska, adwokat, Employment practice, Wardyński & Partners