GDPR is a regulation that requires businesses to protect the personal data and privacy of individuals in the EU (the regulation speaks of “data subjects”, not citizens) for transactions that occur within EU member states. Companies that collect data on people in European Union (EU) countries will need to comply with strict new rules around protecting customer data by 25 May 2018.
It is recommended that you read this article carefully, and that you make sure to take the necessary actions as detailed in this article.
At the bottom of this article you will find an example privacy policy that you may want to use as a starting point for your own website’s privacy policy.
Xpertise-ICT BV (our company name) is referred to as Xpertise in this article.
Online resources about GDPR
- The home page of EU GDPR (www.eugdpr.org)
- GDPR requirements article on CSOonline.com (www.csoonline.com)
What constitutes personal data according to GDPR?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers *
- Web data such as location, IP address, cookie data and RFID tags *
- Health and genetic data **
- Biometric data **
- Racial or ethnic data **
- Political opinions **
- Sexual orientation **
* Infradox websites do store this data (with the exception of RFID tags).
** Infradox websites do not store such data (unless you add such data yourself in custom fields, notes or other non-standard data fields).
What data is stored for use with Infradox websites
Registered users
Infradox websites require users to be logged in to be able to use certain website functions, such as using lightboxes, creating orders and downloading files. So users (your clients) must create an account by registering on your website. The information that your website requires and stores about the user can be configured, but the system requires the user’s full name, e-mail address and a password at the minimum. Passwords are stored encrypted; all other information is stored in clear text.
Besides user account information (name, address, contact information et cetera) Infradox websites furthermore store the following information about users:
- what permissions does the user have (e.g. the user may download without waiting for a staff member’s approval)
- does the user want to receive marketing/promotion information
- what did the user search for
- which files did the user view larger (previews)
- which files did the user download as comping image
- when did the user last log in
- what browser and what operating system is used to access the website
- what the user’s IP address is (to be able to determine the country and the most suitable user interface language)
- which lightboxes the user has and which files are in the lightboxes
- which lightboxes did the user send and to which e-mail addresses
- which page links did the user send and to which e-mail addresses
- which files are still in the user’s cart (i.e. orders still in progress / not completed)
- quote requests *
- search requests *
- orders *
- downloads *
- in-site messages *
- reservations and/or restrictions *
- usage confirmations *
- invoices *
* If such functions are available and enabled on your website. Some functions are available with certain versions of XS only or may require an optional module to be bought.
XS lets you (as website owner) store additional information in user account custom fields and notes, and in other database tables such as website orders, invoices, quote requests and so on. XS also lets you store information about contact moments (e.g. phone calls and so on).
Guests/Unknown users
Data is also logged for users that are not logged in (provided that your website is configured to allow website use without being logged in). This data is not linked to any user account. Note, however, that the logged IP address is itself personal data under the GDPR (see the list above), so these logs must be covered by your privacy policy as well:
- what browser and what operating system is used to access the website
- what the visitor’s IP address is (to be able to determine the country and the most suitable user interface language)
- what did the visitor search for
- which files did the visitor view larger (previews)
- quote requests *
- search requests *
* If you have enabled such functions for guests on your website.
Cookies on Infradox websites
Infradox websites use cookies. The cookies are used to remember “user state” when moving from page to page, i.e. is the user logged in, which page was the user last on, what lightbox is active, which files are in the user’s cart and so on. The cookies contain no personal information other than the user’s login name, which is stored so that the user does not have to enter it (just the password) on the next visit. Because the login name may be an e-mail address, this cookie should be mentioned in your cookie statement and privacy policy.
Privacy by Design
Privacy by design as a concept has existed for years, but it only becomes a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be built in from the start of the design of a system, rather than added afterwards. More specifically, Article 25 (“Data protection by design and by default”) states that ‘the controller shall ... implement appropriate technical and organisational measures ... in an effective manner ... in order to meet the requirements of this Regulation and protect the rights of data subjects’. Controllers must hold and process only the data that is necessary for the purpose (data minimisation, Article 5(1)(c)), and must limit access to personal data to those who need it to carry out the processing.
Breach Notification
Under the GDPR, breach notification becomes mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The supervisory authority must be notified within 72 hours of first becoming aware of the breach (Article 33), and where the breach is likely to result in a high risk for the individuals concerned, they must be informed without undue delay as well (Article 34). Data processors are also required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
- Xpertise
1) If Xpertise finds out about unauthorised access to your website and/or data, Xpertise will immediately notify you of such an event so that you can take the necessary actions.
2) The sysadmin account of Infradox websites is protected with both a password and a second login step that requires a PIN code.
3) The superadmin account of Infradox websites is protected in the same way (password plus PIN code).
4) Infradox websites allow a user account to be logged in from a single computer at a time only, for additional security.
5) Our data center runs firewalls to protect your data.
6) Our servers have anti-virus software installed.
7) Our servers have intrusion-detection software installed.
8) Our servers have software installed that automatically denies access from IP addresses marked as suspicious/malicious.
- Action
1) Staff member accounts (besides the sysadmin and superadmin accounts) should also be protected with a PIN code. If this is not active on your website, then contact us to have this option enabled and tell us the PIN code that you want to use.
2) Logging in with user accounts can be restricted to specific IP addresses for an extra layer of security. It is recommended that you enable this for all staff member accounts. You can enter the allowed IP addresses on the permissions tabsheet of the user properties dialog.
3) Infradox websites can be configured to send e-mail about possible security-related events, such as intrusion detection or failed login attempts that cause an IP address to be temporarily blocked. You should enable this function.
4) Infradox websites can be hosted over HTTPS (TLS, still commonly referred to as SSL). If your website is not yet using HTTPS, then contact us to have this installed. Without it, passwords and personal data travel between the browser and the server in clear text.
5) Infradox websites offer functions that you can use to monitor website activity. It is your responsibility to monitor the logs and to notify Xpertise of suspicious activity so that Xpertise can take any necessary actions.
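The three controls from the Action list above (a per-account list of allowed IP addresses, a temporary block of an IP address after repeated failed logins, and alert messages for the security mailbox) as working logic. This is an added illustration, not code from Infradox/XS; the threshold of 5 attempts, the 15-minute block, the salted PBKDF2 password storage and the names Gate, Account and demo_gate are assumptions made for the example.

```python
"""Staff-login gate: per-account allowed IP ranges, temporary IP block after
repeated failed logins, and alert messages for the security mailbox.
Added illustration; not Infradox/XS code. Thresholds are assumptions."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 5         # failed attempts from one IP before it is blocked (assumed)
BLOCK_SECONDS = 15 * 60  # length of the temporary block (assumed)
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: stored credentials are not reversible."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    allowed_nets: list = field(default_factory=list)  # empty list: no IP restriction


@dataclass
class Gate:
    accounts: dict                                     # login name -> Account
    failures: dict = field(default_factory=dict)       # ip -> failed attempts so far
    blocked_until: dict = field(default_factory=dict)  # ip -> unix time the block ends
    alerts: list = field(default_factory=list)         # messages to e-mail to staff

    def login(self, name, password, ip, now):
        """Returns 'ok', 'denied' or 'blocked'. `now` is a unix timestamp."""
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"                           # no password check while blocked
        acct = self.accounts.get(name)
        ok = acct is not None and hmac.compare_digest(
            hash_password(password, acct.salt)[1], acct.digest)
        addr = ipaddress.ip_address(ip)
        if ok and acct.allowed_nets and not any(addr in net for net in acct.allowed_nets):
            # Correct password from outside the allowed ranges: deny, count it as a
            # failure and raise an alert, since it may be a stolen credential.
            self.alerts.append(f"{name}: valid password from non-allowed IP {ip}")
            ok = False
        if ok:
            self.failures.pop(ip, None)
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            self.failures.pop(ip, None)
            self.alerts.append(f"IP {ip} blocked for {BLOCK_SECONDS}s after {count} failed logins")
            return "blocked"
        return "denied"


def demo_gate():
    """One staff account restricted to the documentation range 203.0.113.0/24 (constructed)."""
    salt, digest = hash_password("correct horse battery staple")
    acct = Account("editor", salt, digest, [ipaddress.ip_network("203.0.113.0/24")])
    return Gate({"editor": acct})


if __name__ == "__main__":
    g = demo_gate()
    print(g.login("editor", "correct horse battery staple", "203.0.113.7", 1000))   # ok
    print(g.login("editor", "correct horse battery staple", "198.51.100.9", 1000))  # denied
    for _ in range(4):
        print(g.login("editor", "wrong", "198.51.100.9", 1000))  # denied, denied, denied, blocked
    print("\n".join(g.alerts))
```

The alert list is what item 3 of the Action list would send by e-mail; the block expires on its own, and a correct password from an address outside the allowed ranges is reported separately because that is the case worth a staff member's attention.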
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
- Action
You should clearly tell your website users (e.g. by adding such information to your privacy policy, on the my account page and on the registration page) that they can contact you if they want to receive a copy of all personal data that you store.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against “the public interest in the availability of the data” when considering such requests.
- Action
You should clearly tell your website users (e.g. by adding such information to your privacy policy, on the my account page and on the registration page) that they can contact you if they want their account and all associated data deleted. Note that you can delete user accounts via the user management pages. However, although such accounts are no longer visible and can no longer be used, they remain in the database because there may be orders, invoices and so on attached to them. Deleting a user account and all associated information would mean that you are no longer able to, for example, pay your contributors for sales made to that user. A future update will make it possible to anonymize such accounts, meaning that the user record remains in the database but with all personal data removed. Until then, you can contact Xpertise to do this for you.
Data Portability
GDPR introduces data portability (Article 20): the right of a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’, and the right to transmit that data to another controller.
- Action
You can grant users access to their details via the My account page as described in this article. You can furthermore use the job server function to export user data as a CSV file that you can then send to the data subject.
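The two actions above (the machine-readable export of a data subject's records for access and portability, and anonymizing a user record while keeping its orders so that contributors can still be paid) as one worked example on a small relational model. This is an added illustration with constructed sample data, not Infradox/XS code or its database layout; the tables, column names and the rule of refusing erasure while an unpaid order exists are assumptions taken from the descriptions on this page.

```python
"""Subject-access export (Right to Access / Data Portability) and account
anonymisation (Right to be Forgotten) on a small relational model of users,
activity logs and orders. Added illustration on constructed sample data;
not Infradox/XS code, and the table layout is an assumption."""
import csv
import io
import json
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, name TEXT, email TEXT,
                    address TEXT, marketing INTEGER, anonymised INTEGER DEFAULT 0);
CREATE TABLE searches (user_id INTEGER, query TEXT, ip TEXT, ts TEXT);
CREATE TABLE lightboxes (user_id INTEGER, title TEXT, shared_with TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, file_ref TEXT,
                     amount REAL, contributor_id INTEGER, paid INTEGER);
"""
# Derived personal data that can be deleted outright on an erasure request.
PERSONAL_TABLES = ("searches", "lightboxes")
# Commercial records that must survive erasure (contributor payments, invoices);
# they keep pointing at the user row, which is why that row is anonymised, not deleted.
RETAINED_TABLES = ("orders",)


def sample_db():
    """Constructed sample data: one settled customer and one with an unpaid order."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,0)", [
        (1, "jane@example.com", "Jane Doe", "jane@example.com", "1 High St", 1),
        (2, "bob@example.com", "Bob Roe", "bob@example.com", "2 Low St", 0),
    ])
    conn.executemany("INSERT INTO searches VALUES (?,?,?,?)", [
        (1, "sunset beach", "203.0.113.7", "2018-05-01T09:00:00"),
        (1, "city skyline", "203.0.113.7", "2018-05-01T09:05:00"),
    ])
    conn.execute("INSERT INTO lightboxes VALUES (1, 'Spring campaign', 'art@example.net')")
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?)", [
        (10, 1, "IMG-0001", 120.0, 501, 1),
        (11, 1, "IMG-0002", 80.0, 502, 1),
        (12, 2, "IMG-0003", 60.0, 501, 0),
    ])
    conn.commit()
    return conn


def export_subject_data(conn, user_id):
    """Everything linked to the subject, as a dict ready for json.dumps()."""
    out = {"account": dict(conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchone())}
    for table in PERSONAL_TABLES + RETAINED_TABLES:   # table names are constants, never user input
        rows = conn.execute(f"SELECT * FROM {table} WHERE user_id=?", (user_id,)).fetchall()
        out[table] = [dict(r) for r in rows]
    return out


def export_csv(data):
    """The same export as one CSV document, one section per table."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for table, rows in data.items():
        rows = [rows] if isinstance(rows, dict) else rows
        if not rows:
            continue
        writer.writerow([f"# {table}"])
        writer.writerow(rows[0].keys())
        for row in rows:
            writer.writerow(row.values())
    return buf.getvalue()


def anonymise_user(conn, user_id):
    """Erase the subject's personal data while keeping the user row and its orders.
    Refuses while an unpaid order exists (assumed policy, as in the example privacy policy)."""
    unpaid = conn.execute("SELECT COUNT(*) FROM orders WHERE user_id=? AND paid=0",
                          (user_id,)).fetchone()[0]
    if unpaid:
        raise ValueError(f"user {user_id} has {unpaid} unpaid order(s); settle first")
    placeholder = f"deleted-user-{user_id}"
    with conn:   # one transaction: either everything is scrubbed or nothing is
        conn.execute("UPDATE users SET login=?, name=?, email=NULL, address=NULL, "
                     "marketing=0, anonymised=1 WHERE id=?", (placeholder, placeholder, user_id))
        for table in PERSONAL_TABLES:
            conn.execute(f"DELETE FROM {table} WHERE user_id=?", (user_id,))
    return placeholder


if __name__ == "__main__":
    db = sample_db()
    print(export_csv(export_subject_data(db, 1)))      # what the data subject receives
    anonymise_user(db, 1)
    print(json.dumps(export_subject_data(db, 1), indent=2))  # orders remain, identity gone
```

The export is built per table from the same list of tables that the erasure routine uses, so the two stay in step: a table that is added to the model has to be classified as personal (deleted) or retained (kept, with the subject reduced to a placeholder id) before either function will touch it.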
Other actions you should take
- You are required to tell your website users that your website uses cookies.
If you have not enabled the cookie message function, then enable it via Site configuration, Home page settings, General settings. You can create a custom message too, which is explained in the article Custom Cookie messages.
- Users with an account must be able to change their address data.
If you have not enabled this function, then you can do so via Site configuration, Website forms, My account form. Check the button “Users can change and save their details”.
- Users must be able to view the information that you store about them.
You can allow your users to view their account details, their most recent searches, files in the cart, lightboxes, messages, orders, invoices, quote requests, search requests and reservations/restrictions. Links to such pages can be shown on the user’s “My account” page and/or in the menus. Users do not have access to the other logged information described above (such as IP addresses, browser details and preview views), so you should make your website users aware of this in your privacy policy or elsewhere.
- Your website must tell users what information you store before they register to create an account on your website.
Edit the text on the registration page to explain what data is stored and how you use such data.
- Users under the age of 16.
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13.
On the registration page, you should state that one must be 16 years or older to create an account (or state the lower age that applies in your member state, and that parental consent is required below 16).
- Your website must have a privacy policy.
If you have not written a privacy policy and/or if you have not made it available on your website, then you must do so. The default URL of the privacy policy page is /privacy. Go to that page and add your text there.
Example privacy policy
Below is an example privacy policy that you can use as a starting point for your own policy.
- [company name] appreciates your business and we fully respect your right to privacy. Please read our Privacy policy to address issues which may be of concern to you regarding the information and data you provide to us, or that we obtain about you, as a result of your use of our website:
- How your IP address is used
We use your IP address to help diagnose problems with our servers and to administer our website. Your IP address is also used to help identify you and your orders, and may be matched with the account information that you have already given us. Finally, your IP address tells us where you are based, which we need to know because some files may not be available in your territory.
- Why we need your e-mail address
As an extra layer of security, our website will send you a confirmation e-mail when you register on our website. This e-mail contains a link that you must click to activate your account. Without a valid e-mail address you will not be able to activate your account.
- The use of cookies on our website
Cookies are small text files placed on your hard drive by web page servers; they are commonly used by websites to provide identification and they pose no hazard to your computer. Our website uses cookies to keep track of “user state” within the context of our own website only. Apart from your login name, which is stored to make it easier for you to log in when you return to our website, the cookies that we write do not contain any personal information. When you visit our website, a unique ID is created and stored in your cookies. When you move from page to page on our website, the software on our servers reads this ID to know whether or not you are logged in, what lightboxes you have, what files you have in your cart and so on. The cookie your computer accepts from us is uniquely yours, and it can only be read by the server that gave it to you. To use our website, you will need to use a browser that supports cookies.
- Your financial information
We collect certain financial information from you in order to bill you for our products and services.
- What data do we store about you
When you are logged in, our web server stores data to tell us what content is popular, how we can optimise our website for certain browsers and/or operating systems, which files are or are not available to you, and to add extra layers of security. Our database may contain data about your searches, when you logged in, what browser/operating system you used, your IP address, which files you viewed larger, which files you have in your cart and lightbox(es), which lightboxes you have shared by e-mail and with whom you shared these lightboxes (e-mail address). Furthermore, we may store information about the files that you ordered, about files for which we have created reservations or restrictions for you, quotations that you have asked for, search requests that you have asked us to work on for you, contact moments, and agreements between you and us regarding prices, the use of files and so on. You can access your information via My Account in the menu. If there is information that you want that is not accessible on our website, then contact us by e-mail and tell us what you need.
- How you can change your address details and/or contact information
Our website lets you change your contact information via My Account in the menu. You cannot change your login name (which may be your e-mail address) because login names must be unique within our system. If you want to use a different login name, then send an e-mail to [your e-mail address] and we will change it for you.
- How you can be removed from our database
If you no longer want to have an account on our website, then please send an e-mail to [your e-mail address] and we will remove your account and all associated personal data, provided that there are no unpaid invoices linked to your account.
- How old must you be
You must be 13 years or older to create an account on our website, and if you are younger than 16 you need parental consent. When you register on our website, you confirm that you are 16 years or older. If you are not, then you must contact us to confirm that you have parental consent before you create an account by registering.
- How we use your contact information
Our website’s registration form requires you to give us certain contact information such as your name, e-mail address and postal address. We use this contact information to confirm and deliver orders. It may also be used by us to contact you periodically about [our website name], but only if you have given us permission to do so when you registered or otherwise. You may opt out of receiving future notifications and mailings from us via My Account or by contacting us by e-mail.
- How we use security measures
Our website has security measures in place to protect against the loss, misuse and alteration of the information under our control. Your login name and password are known only to yourself. Passwords are stored in encrypted form and cannot be read, even by website administrators. Your personal information will not be given out to anyone else at any time. Regular security reviews are held by us to ensure that the website remains safe and secure for your protection.
- How to find out more
If you have any questions about this Privacy policy, the practices of this website or your experiences with it, you may contact [your e-mail address]. If you want to receive an export of the data that we have stored about you, then contact us by sending an e-mail to [your e-mail address].