GDPR: Check-list for checking the website/application

Recently, we have been contacted by more and more clients who need to check whether what is on their website actually matches what the GDPR requires. Perhaps this question has occurred to you too. Websites often host e-shops or SaaS applications, or the application is published on various platforms (Google Play, App Store). Collectively, we will call them "apps" (apologies to all the engineers, developers and others in the industry; it is really just to simplify!).

These apps often contain registration forms, contact forms, newsletter sign-ups and cookie bars. They may also collect other data in the background that the user is not aware of.

However, not all app or website operators think carefully enough about the right settings in terms of the GDPR and other privacy regulations. Some believe that all they need to do is write "some documents", put them on the web and everything will be "OK". Unfortunately, that is not the case.

Grindr is a great example


An example from which lessons can be learned is the Grindr app.

The Norwegian data protection authority intends to fine the app's operator more than EUR 10 million. Grindr is a location-based dating app with more than 13 million active users (similar to the well-known Tinder app), used for dating by gay, bi and trans people. The app shared GPS location, user data and the very fact that a particular person uses the app with third parties for marketing purposes. The Norwegian authority concluded that this information alone, that a person uses the app, reveals the person's sexual orientation, which is a special category of personal data.

Sharing data with third parties for marketing and advertising purposes, profiling, and storing location information undoubtedly require consent to the processing of personal data. The same applies to sharing information relating to the sexual orientation of data subjects.

Such consent must be freely given, specific, informed and unambiguous.

We have discussed what such consent should look like in one of our articles on our website.

Now on to the problem that happened to the Grindr application.

When downloading and launching the app, the user had to agree to a "Privacy Policy", and the app did not specifically ask the user whether they wanted their data to be shared with third parties for advertising and marketing purposes. Nor was this fact properly communicated in the Privacy Policy. Users were therefore not free to decide whether or not they wanted their data shared with third parties.

What to check on the website from a GDPR perspective?

The above example is just one of many things that can go wrong, but it is a common mistake of app operators. Consent simply cannot be forced; the user must decide freely whether or not to give it. And it certainly cannot be bundled into a check-box through which the user already agrees to the processing of personal data for other purposes and on other legal grounds.

Try checking these areas on your app/website:

✅ The wording of the "Privacy policy"

Do you have an up-to-date version of the information document that informs users about how you handle personal data? The elements it must contain are set out in Articles 13 and 14 of the GDPR.

You can find inspiration on virtually any website; it is a very widespread document. But beware: do not copy! And do not rely on "this is a big player in the market, they must have it right."

You can see how we write the Privacy Policy in this article: GDPR documentation: Privacy Policy

✅ Check-boxes

Do you allow registration? What check-boxes do you have in the registration form? In practice, you can divide them into two basic types - mandatory and optional.

From a data protection perspective, a mandatory check-box is needed for the "Privacy policy". The reason is that you can then prove that the user actually read this document and knows how their data is handled.

Optional check-boxes will then typically be consents to the processing of personal data (e.g. for sharing data for marketing purposes, storing sensitive data, etc.). It is also common to have an optional check-box for "opt-out of receiving commercial communications".

You might ask: "What do you mean by an opt-out of receiving commercial communications?"

✅ Commercial communications

If you register your customers on the website/app, you can send them commercial communications (newsletters, or, as a wonderful client of ours once put it, "marketing small talk in your email"). Sending commercial communications to your own customers is possible even without consent (direct marketing is a legitimate interest). However, you may only offer similar products and services, and you must give customers the opportunity to opt out before the first communication is sent, i.e. already when you collect their address.

That is what this optional check-box is for. Simply put, if a user ticks it, they do not want to receive marketing stories; if they leave it unticked, you may send them. However, you must still allow them to opt out in every email.
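The check-box rules above (a mandatory privacy-policy box, optional consents that are neither pre-ticked nor mandatory, one purpose per box, and a separate opt-out for commercial communications) can be checked mechanically. The following is an added example written for this article, not code from the original page or from any product it mentions: a declarative model of the registration check-boxes, a linter that flags the Grindr-style bundling mistake, and a function that turns a submission into a consent record usable as proof. The field names, purpose labels and sample submissions are assumptions made for illustration.

```javascript
// Added example, not code from the original article: a declarative model of the
// registration check-boxes and two checks on it. Field names, the purpose
// labels and the sample submissions are assumptions made for illustration.

const PURPOSE_PRIVACY_POLICY = "privacy_policy";               // mandatory acknowledgement
const PURPOSE_THIRD_PARTY_MARKETING = "third_party_marketing"; // optional consent
const PURPOSE_COMMERCIAL_OPT_OUT = "commercial_opt_out";       // optional objection

// Each check-box serves exactly one purpose; that is what lintForm() enforces.
const REGISTRATION_FORM = [
  { name: "privacy_policy",  purposes: [PURPOSE_PRIVACY_POLICY],       required: true,  defaultChecked: false },
  { name: "marketing_share", purposes: [PURPOSE_THIRD_PARTY_MARKETING], required: false, defaultChecked: false },
  { name: "no_newsletter",   purposes: [PURPOSE_COMMERCIAL_OPT_OUT],    required: false, defaultChecked: false },
];

// A "Grindr-style" form: one mandatory box that accepts the policy AND
// third-party sharing at the same time.
const BUNDLED_FORM = [
  { name: "accept_all", purposes: [PURPOSE_PRIVACY_POLICY, PURPOSE_THIRD_PARTY_MARKETING], required: true, defaultChecked: false },
];

// Returns a list of problems with the form definition (empty = looks fine):
// no mandatory privacy-policy box, consent made mandatory, consent pre-ticked,
// or several purposes bundled into one box.
function lintForm(form) {
  const problems = [];
  const hasPolicyBox = form.some(f => f.required && f.purposes.includes(PURPOSE_PRIVACY_POLICY));
  if (!hasPolicyBox) problems.push("no mandatory privacy-policy check-box");
  for (const f of form) {
    const isConsent = f.purposes.some(p => p !== PURPOSE_PRIVACY_POLICY);
    if (f.purposes.length > 1) problems.push(`${f.name}: bundles ${f.purposes.join(" + ")} into one check-box`);
    if (isConsent && f.required) problems.push(`${f.name}: consent cannot be mandatory`);
    if (isConsent && f.defaultChecked) problems.push(`${f.name}: consent cannot be pre-ticked`);
  }
  return problems;
}

// Turns a submission (field name -> true/false) into a consent record that can
// later serve as proof. A purpose counts as consented only when its own box was
// ticked; anything not ticked is recorded as false, never assumed.
function recordConsent(form, submission, policyVersion, now) {
  const missing = form.filter(f => f.required && submission[f.name] !== true).map(f => f.name);
  if (missing.length > 0) return { ok: false, missing };
  const purposes = {};
  for (const f of form) {
    for (const p of f.purposes) purposes[p] = submission[f.name] === true;
  }
  // Commercial communications to an existing customer need no consent, but the
  // objection must be honoured and the scope is limited to similar products.
  const commercialCommunications = purposes[PURPOSE_COMMERCIAL_OPT_OUT] ? "objected" : "similar_products_only";
  return { ok: true, record: { policyVersion, timestamp: now.toISOString(), purposes, commercialCommunications } };
}
```

Running `lintForm(BUNDLED_FORM)` reports both that the box bundles two purposes and that a consent is being made mandatory, which is exactly the Grindr problem described earlier. Store the returned record together with the policy version the user saw, because a later change of the Privacy Policy is what usually forces you to prove what was actually agreed to.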

✅ Cookie settings

Are you handling them? Do you know when you need consent to store them and when you do not? For example, you do not need consent for technical cookies, but you still have to inform the user about them. Where? Anywhere on the site, preferably in the footer, but note that the document must not be buried several clicks deep.

For other cookies (e.g. analytics and marketing cookies) the situation is more complicated. For these it is no longer sufficient to simply inform. There are countless articles on the web about how the Czech legislator transposed the rule incorrectly, so that the Act allows cookies to be stored until the user objects (opt-out). For now this option is probably still possible (the Data Protection Authority is a bit vague about it).

On the other hand, an amendment to the Electronic Communications Act may be coming soon, which should set the rules correctly, i.e. require active consent for storing cookies. In addition, the ePrivacy Regulation, which also provides for active consent, is probably coming next year.
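The practical consequence of the cookie rules above is that every cookie write in the app has to know which category the cookie belongs to: technical cookies go through unconditionally, everything else only after an explicit choice. The following is an added example written for this article, not code from the original page or from any cookie-bar product: a small consent gate implementing the active-consent (opt-in) model the article says the amendment and the ePrivacy Regulation will require, rather than the current Czech opt-out reading. The category names, the cookie catalogue, the consent cookie layout and the in-memory jar standing in for `document.cookie` are assumptions so the example runs outside a browser.

```javascript
// Added example, not code from the original article: a consent gate that lets
// technical cookies through and sets analytics/marketing cookies only after
// active (opt-in) consent. Category names, the cookie catalogue, the consent
// cookie layout and the in-memory jar replacing document.cookie are assumptions.

const CONSENT_COOKIE = "cookie_consent"; // itself a technical cookie: stores the choice
const CONSENT_VERSION = 1;               // bump when categories or the cookie policy change

// Which category each cookie belongs to. "necessary" needs no consent but must
// still be listed in the cookie information shown to the user.
const COOKIE_CATALOG = {
  session_id: "necessary",
  csrf_token: "necessary",
  _ga: "analytics",
  _fbp: "marketing",
};

// Minimal cookie jar so the example runs in Node. In a page you would wrap
// document.cookie (or the Set-Cookie header on the server) the same way.
function createJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    get: (name) => store.get(name),
    names: () => [...store.keys()],
  };
}

// Reads the stored choice. Absent, unparsable or stale consent counts as no
// consent, so a policy change re-asks the user instead of reusing an old answer.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  try {
    const consent = JSON.parse(raw);
    return consent.version === CONSENT_VERSION ? consent : null;
  } catch (e) {
    return null;
  }
}

// Stores the user's explicit per-category choice with a timestamp as proof.
// Anything not explicitly true is stored as false (no pre-ticked defaults).
function saveConsent(jar, choices, now) {
  const consent = {
    version: CONSENT_VERSION,
    at: now.toISOString(),
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  };
  jar.set(CONSENT_COOKIE, JSON.stringify(consent));
  return consent;
}

// The gate: every cookie write goes through here. Returns true if the cookie
// was set, false if it was blocked for lack of consent. Unknown cookies throw,
// so a new tracker cannot slip in without being classified (and documented).
function setCookie(jar, name, value) {
  const category = COOKIE_CATALOG[name];
  if (!category) throw new Error(`unknown cookie ${name}: add it to the catalogue first`);
  if (category === "necessary") {
    jar.set(name, value);
    return true;
  }
  const consent = readConsent(jar);
  if (!consent || consent[category] !== true) return false;
  jar.set(name, value);
  return true;
}
```

The gate only helps if third-party scripts are loaded through it as well: a tag manager or analytics snippet included unconditionally in the page will set its cookies before your code ever runs, so those script tags should be injected only after `readConsent()` reports the relevant category as true. Withdrawing consent is the same as calling `saveConsent()` with the category set to false and then deleting the cookies already present in that category.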

All things in the list checked?

Congratulations, you are most likely thinking about data protection and privacy on the Internet. However, the above are only the most common issues, and the specifics of your application can only add further obligations.

For example, if you host content uploaded by others. In that case you should definitely read this article: Responsibility for content on websites, or how not to end up like Piratebay?

You don't have everything done or you are not sure?

Drop us a line then! Together we will review your website/application and get its GDPR settings right.

If you are interested in a full check of your website, we can provide that as well. As part of the site check:

  • We will check all forms
  • We will take a look at the wording of all check-boxes
  • We will check the wording of your "Privacy policy"
  • We'll take a look at how you handle cookies on your site and give you specific recommendations
  • We will test how newsletter sign-up works on your website

As our output, you will receive a summary document that simply tells you what is and is not right on your site, including recommendations on how to fix the problems.