Questions & Answers (Q&A)
Which data protection laws or guidelines are supported by fccDataPrivacy?
fccDataPrivacy mainly refers to the EU-DSGVO but also supports other international data protection laws and guidelines. And more will follow.
The California Consumer Privacy Act (CCPA) is a federal law designed to improve the rights to privacy and consumer protection for California residents in the United States. The law was passed by the California legislature and signed by Jerry Brown, Governor of California, on June 28, 2018 to amend Part 4 of Section 3 of the California Civil Code. It has been in force since January 1, 2020. Source and further information: WIKIPEDIA.
The Data Protection Basic Regulation (GDPR) is a European Union regulation that harmonises the rules on the processing of personal data by most data processors, both private and public, throughout the EU. This is intended to ensure, on the one hand, the protection of personal data within the European Union and, on the other hand, the free movement of data within the European internal market. The Regulation replaces Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which dates from 1995. Together with the so-called JHA Directive for data protection in the police and judicial sectors, the GDPR has formed the common data protection framework in the European Union since May 25, 2018. Source and further information: WIKIPEDIA.
The Federal Act on Data Protection (FADP) is Switzerland's data protection law. Its purpose is to protect the personality and fundamental rights of natural and legal persons about whom data is processed. The ordinance has been in force since 1993 and is currently undergoing a total revision.
The Directive on Privacy and Electronic Communications (also: ePrivacy Directive) is a European Community Directive adopted in 2002 that sets binding minimum standards for data protection in telecommunications. The directive was amended in 2009 and since then has been referred to primarily as the Cookie Law. One of the amendments in the amendment requires, for example, that users give their consent for some types of cookies on websites. This is intended to ensure "that data and media companies no longer record what users search, read or buy on the internet without their consent". The ePrivacy Directive is not to be confused with the ePrivacy Regulation (ePrivVO), which was intended to replace the ePrivacy Directive, but failed in the European legislative process at the end of 2019 for the time being because the Member States could not agree on a common text. The Directive and the national transpositions will continue to apply after the entry into force of the basic data protection regulation (Art. 95 DS-GVO). They are to be replaced by a regulation. Source and further information: WIKIPEDIA.
Privacy Policy and Cookie Policy
The law requires any website/app that collects personal information to disclose relevant information to users through specific privacy and cookie notices. The Privacy Policy must contain certain basic elements that are specific to your particular processing activities, including: The Cookie Policy expressly describes the different types of cookies that are installed through the Site, any third parties to which these cookies relate - including a link to the relevant documents and opt-out forms - and the purposes of processing.
It is not possible to use generic documents because your policy must describe the specific data processing of your website/app in detail and must also include the specific details of the third-party technologies you specifically use (e.g. Facebook Like Buttons or Google Maps).
It should be noted that still many organisations that do not have a website or do their accounting or membership administration manually on paper or with a spreadsheet. The same rules apply to them: they process personal data of natural persons and are therefore subject to GDPR.
It is very difficult for a website not to process any data. A simple contact form or traffic analysis system such as Google Analytics is sufficient to trigger a commitment to create and display a privacy and cookie policy.
Cookies are small files that are used to store or track certain information while a user visits a website. With regard to data protection, a distinction is made between session cookies and tracking cookies. Today, session cookies are indispensable for the smooth functioning of a website, while tracking cookies analyse the behaviour of users (e.g. Google Analytics). Tracking cookies require the consent of the user (cookie banner).
In addition to providing an easily accessible and accurate cookie policy, in order to adapt a Web site to the Cookie Law, it is also necessary to display an informative cookie banner that refers to a detailed cookie policy on each user's first visit and gives the user the opportunity to decline to install cookies or consent to the installation. Most types of cookies, including those issued by tools such as social sharing buttons, should not be released until the user has given valid consent. In addition, many third-party networks may limit advertising reachability if you do not have a cookie management system that meets industry standards - which could affect your ability to generate advertising revenue.
Consent
If your user has to enter personal data directly on the website/app, e.g. by filling out a contact form, a service registration or a newsletter subscription, it is necessary to obtain a freely given, specific and informed consent. It is also necessary to keep clear records to prove that a valid consent has been obtained.
You must obtain consent for any particular processing purpose - for example, consent to the sending of newsletters and further consent to the sending of advertising material on behalf of third parties. Consent can be requested by setting up one or more checkboxes that are not pre-selected, mandatory or enforced (voluntarily specified) and accompanied by appropriate disclosures that will make it clear to the user how their data will be used.
Each time a user completes a form on your website/app, a variety of information needs to be collected. This information includes a unique user identification code, the content of the accepted privacy statement, a copy of the form submitted by the user, and a record of the opt-in mechanism used.
Unfortunately, it is not sufficient because some information is missing that is necessary to reconstruct the suitability of the procedure for obtaining consent, such as a copy of the form actually completed by the user and the version of the privacy documents available to the user at the time of obtaining consent.
Security of Processing
Part of GDPR is dedicated to the technical protection of personal data of natural persons (GDPR Art. 32: Security of processing). This includes, for example, protection against unauthorised access, maintaining confidentiality, the availability of data and much more. GDPR requires appropriate technical and organisational measures to ensure this protection.
We use various technical and organizational measures at different levels to protect the personal data of our customers in the best possible way:
Is my CMS ready for fccDataPrivacy?
Some CMS do not support all technologies necessary for the proper operation of fccDataPrivacy and need sone additional implementation effort.