The legislator established the protection of users’ online privacy as the primary objective for every blog or website manager.
What is GDPR?
The General Data Protection Regulation 2016/679 (a.k.a. GDPR) governs and harmonizes all European laws on the subject through 99 articles and 173 “recitals”. Because it is a regulation rather than a directive, every Member State must apply it as written, with no margin for divergent national transposition. The Regulation was published in the Official Journal of the European Union on May 4, 2016 and entered into force on May 25, 2018. Since that date, GDPR compliance has been mandatory in all EU states.
The Regulation establishes that data may be processed only after the informed consent of the data subject, who must know how the data are collected and used, as well as the possible risks associated with their processing. This goes beyond the right to the protection of personal data already established by Directive 95/46: it adopts a proprietary view of data in which informational self-determination is the cardinal principle.
The privacy notice (“information”) is meant to inform the user about the purposes and methods of the data processing carried out by the controller. It must therefore be clear, exhaustive, and as detailed as possible, and it must be divided into paragraphs indicating the data controller, the user’s rights, the type of data processed, their retention, the place and purpose of the processing, the cookies issued by the site, and the links to external content (plus ways to change settings).
Ensuring the transparency and fairness of the processing, from collection to management, is a duty of the data controller, who must also be able to demonstrate it at any time. The notice must therefore cover:
- the data controller and the data protection officer
- the personal data subject to processing
- place and purpose of the processing
- legal basis for processing
- the recipients
- transfers of personal data (especially if to non-EU countries)
- methods and period of retention
- rights of the data subject
- complaint procedure
- cookies involved
- links to external content
- how to change settings
In the case of e-commerce sites, the GDPR expressly provides that each owner is responsible for the processing and must be able to demonstrate its security to the supervisory authority through the records of processing activities.
The notice must be as relevant as possible to the specific case, i.e. tailored to the website rather than “copied” from elsewhere. This is why it’s advisable to rely on professionals in this area.
Until a few years ago, obligations regarding personal data were framed around preventing abuse in collection. Today, the obligation is to manage privacy actively and to maintain a record system that is regularly updated and compliant with the GDPR.
This is the logic of accountability, i.e. the correct organization and mandatory traceability of processing activities. Anyone who fails to ensure proper data collection and management incurs penalties, regardless of whether any abuse occurred.
A user who considers his/her privacy rights violated should send the data controller a request for immediate cessation of the unlawful behavior. If no answer arrives within 30 days, or if the data subject considers the answer insufficient, he/she can then file an appeal, a complaint, or a report with the supervisory authority (the Guarantor).
The GDPR provides for penalties of up to 20 million euros in the event of a personal data breach. To verify compliance with the legislation, it also created the role of the Data Protection Officer (DPO).
Sanctions are divided into two brackets, triggered according to the severity of the misconduct:
- the first reaches up to a maximum of 10 million euros or 2% of turnover if this is higher;
- the second up to a maximum of 20 million or 4% of turnover.
Where the violation has also caused damage to the data subject, compensation must be added on top of the sanction.
Cookies are often mentioned in the context of personal data. What are cookies on websites?
In short, they are small text files that a website asks the browser to store while the user visits it. They are divided into two types:
- first-party cookies, which are stored on the domain browsed by the user
- third-party cookies, which are stored on another domain
Third-party cookies make it possible to track a user’s behavior across the web, and thus his/her habits and interests.
On the privacy side, the spotlight is precisely on third-party cookies. This has prompted major browsers like Firefox, Edge, and Safari to abandon them, while Google Chrome has proposed a gradual phase-out, ending in 2023.
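The first-party/third-party distinction above is decided by comparing the domain that set a cookie with the site the user is actually browsing. The snippet below is an added example, not code from the original article: it classifies a list of observed cookies so that a site owner can compile the “cookies involved” section of the notice. The cookie records and hostnames are constructed for the example, and the registrable-domain helper is a deliberately simplified assumption (a few hard-coded two-label suffixes) rather than a full Public Suffix List lookup.

```javascript
// Added example (not from the original article): classify cookies observed
// while loading a page as first-party or third-party, so they can be listed
// in a privacy notice. All sample data below is constructed.

// Simplified registrable-domain (eTLD+1) helper. Assumption: only plain TLDs
// and the listed two-label public suffixes are handled; a real audit tool
// would consult the Public Suffix List instead.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Each cookie record carries the host that set it: the Set-Cookie Domain
// attribute when present, otherwise the responding host.
function classifyCookies(pageHostname, cookies) {
  const site = registrableDomain(pageHostname);
  return cookies.map((c) => {
    const setter = c.domain.replace(/^\./, ""); // "Domain=.example.com" -> "example.com"
    const party = registrableDomain(setter) === site ? "first-party" : "third-party";
    return { name: c.name, domain: setter, party };
  });
}

// Count cookies per category for the notice.
function summarize(classified) {
  const counts = {};
  for (const c of classified) counts[c.party] = (counts[c.party] || 0) + 1;
  return counts;
}

// Constructed sample: cookies seen while loading https://shop.example.co.uk/
const SAMPLE_PAGE = "shop.example.co.uk";
const SAMPLE_COOKIES = [
  { name: "session_id", domain: "shop.example.co.uk" },
  { name: "cart", domain: ".example.co.uk" },
  { name: "_ga", domain: ".analytics-vendor.invalid" },
  { name: "fr", domain: "tracker.adnetwork.invalid" },
];

console.log(classifyCookies(SAMPLE_PAGE, SAMPLE_COOKIES));
console.log(summarize(classifyCookies(SAMPLE_PAGE, SAMPLE_COOKIES)));
```

Note that `cart` is still first-party even though its Domain attribute (`.example.co.uk`) differs from the page hostname, because both share the registrable domain `example.co.uk`; this is exactly why the comparison must be made on eTLD+1 rather than on the raw hostname.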
- the categories of personal data being processed
- the personal data source
To conclude, we can’t underestimate the importance of adhering to the European privacy regulation, but there is no reason to panic either.