One year of AVG: is your website already AVG Proof?

That every organization in Europe must comply with the General Data Protection Regulation (AVG) is well known by now. The AVG replaced the Personal Data Protection Act (PDPA) on May 25, 2018, with the aim of better protecting personal data and thus the privacy of everyone. The AVG has several implications for having a website.

Legal requirements for processing personal data

An organization may not just process personal data. To process them at all, there are a number of conditions you must meet. A legal basis is needed and, in addition, companies must handle personal data carefully through technical and organizational measures. Data subjects should also be able to exercise control over their personal data, for example, by adjusting settings or being able to delete. Most important, however, is to get the policy right: what do you do with the data?

Inform visitors

The idea is that whoever is responsible for processing personal data is transparent about how the personal data is used. With these statements, the website operator lets visitors know what happens to their personal information, why it is used and what rights can be claimed. Informing visitors to a website through a privacy and cookie statement is required by law if personal data is processed directly. Examples include obtaining IP addresses for Google Adwords, storing cookies to track your visitors’ browsing habits and sending newsletters.

The privacy statement

With the privacy statement, you are informing the website visitor. Does the privacy statement on your website include the company name, address and contact information, and Chamber of Commerce registration number? Write down what data you keep, why you keep it, and how long you keep it. The point is that visitors know to whom they can inquire about what happens to their personal data.
Another important issue is consent. Is it clearly stated on the website what your visitors are giving permission for? Also check that visitors to your website can make an explicit and conscious choice about the collection of personal data in the case of the privacy statement, cookie statement and newsletter. Consent must be given by a clear action, such as clicking a box on the website and is coupled with clear information about the purpose of the data collection. Tacit consent is not enough for valid user consent. Moreover, the consent given is given only for the purposes described.

The cookie statement

What kind of cookies does your website collect? Functional cookies are allowed, analytical cookies are allowed if they have little or no impact on visitors, but other cookies may only be placed if prior explicit consent is obtained from the visitor. After all, it is not allowed to “just track” the browsing habits of your website visitors. You are also required to explain what cookies are and why you use them.
On March 7, 2019, the Personal Data Authority published the cookie wall standards explanation. A websites does not comply with the AVG if it allows visitors to access their site only if they agree to the placement of so-called tracking cookies or other similar ways of tracking and recording behavior through software or other digital methods.

Newsletter

Does your website offer the ability to sign up for a newsletter? Then pay close attention to whether the visitor gives explicit permission in doing so, and file this registration properly. In addition, subscribers should be able to unsubscribe in each newsletter. This can easily be added by an additional link at the bottom of the newsletter. State it explicitly if you use a mailing service with servers outside Europe, for example Mailchimp.

Plan, Do, Check, Act

Are you looking for a well-organized tool where you can efficiently manage all activities around personal data protection? Consider, for example, the (potentially) mandatory processing register and appropriate technical and organizational measures. Privacy Control Center gives you a clear overview of processing activities, risks, management measures and controls. Not only is PCC ISO 27001 certified, but PCC also has a consulting practice that includes a group of experts available to advise organizations on drafting or establishing robust privacy policies.

Contact us for a free online demonstration by calling 071 8200 363 or sign up directly for a trial account at www.privacycontrolcenter.com.

Ashley Moes
Privacy Professional at Privacy Control Center