
Privacy Policy Statement

REGULATORY COMPLIANCE: PROTECTION OF PERSONAL DATA IN THE GDPR

LEGAL FRAMEWORK

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR; RGPD in Spanish).

NOTE

Right to compensation and liability under Article 82 of the GDPR: "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

Compensation adds to the cost of a possible sanction: besides the fine paid to the supervisory authority, the controller or processor must also pay the affected data subject for the damage caused.

PRECAUTIONS WHEN PURCHASING DATA-PROCESSING SOFTWARE

1. Check whether the servers hosting the software are located in the European Economic Area. Data protection rules differ outside the EEA, and the GDPR only allows personal data to be transferred to a third country under an adequacy decision or with appropriate safeguards (Chapter V, Articles 44 to 49), so a server outside the EEA may not meet the standard the GDPR requires.

2. Prefer a software provider that, from the outset, has subcontracted the hosting service to a Spanish company (or at least to one established in the EEA).

3. The GDPR places the primary responsibility on the controller. Under Article 28, the controller may only use processors that provide sufficient guarantees that they will implement and maintain appropriate technical and organisational measures in accordance with the GDPR and protect the rights of the data subjects. There is therefore a duty of diligence when choosing the software company.

4. Accordingly, it is the controller's responsibility to carry out a risk assessment that determines the security measures needed to protect the information processed and the rights of the people affected. The software provider, as processor, must likewise evaluate the risks arising from the processing, taking into account the means used (technologies, resources, etc.) and any other circumstance that may affect security. Considering the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, both the controller and the processor (software provider) must put in place the technical and organisational measures appropriate to the level of risk (Article 32).

5. The software must give its users, that is, the team that operates it, the following security guarantees:


a) The software's configuration must restrict each user's access solely and exclusively to the information that user needs (least privilege).

b) The program must provide a mechanism that identifies, unequivocally and individually, every user who attempts to access the information system and verifies that they are authorised (no shared accounts).

c) The system must store passwords in an unintelligible form, that is, as salted digests produced by a purpose-built password hashing function, never in plaintext or in a reversible form.

d) The system must provide a mechanism that limits repeated attempts at unauthorised access to the information system, and must keep an access log.

e) The information system must support encryption or anonymisation of the data.
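As an added illustration of requirements a) to d), here is a minimal Python implementation (an example written for this page, not code from any product the page mentions): salted scrypt password hashing, a per-account lockout after repeated failures, an append-only access log, and a role-based check that limits each user to the resources their role needs. The names (AuthService, the role table, the lockout constants) are this example's own choices.

```python
"""Example reference implementation (not from any product named on this page) of the
software security requirements a) to d): least-privilege access, unique user
identification, unintelligible password storage, lockout after repeated
failures, and an access log. Class, function and role names are this example's own."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5        # failed logins before the account is locked
LOCKOUT_SECONDS = 15 * 60    # duration of the lock
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # memory-hard KDF settings (16 MiB)


def hash_password(password: str) -> str:
    """Requirement c): persist only a random salt and the scrypt digest, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


# Verified for unknown usernames so that login timing does not reveal which accounts exist.
_DUMMY_HASH = hash_password("placeholder-not-a-real-password")


@dataclass
class User:
    username: str
    password_hash: str
    role: str
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class AuthService:
    clock: object = time.time                       # injectable time source (tests pass a fake)
    users: dict = field(default_factory=dict)       # username -> User; usernames are unique (b)
    access_log: list = field(default_factory=list)  # append-only event list (d)
    # Requirement a): each role is granted only the resources it needs.
    permissions: dict = field(default_factory=lambda: {
        "clerk": {"customer:read"},
        "dpo": {"customer:read", "audit_log:read"},
        "admin": {"customer:read", "customer:write", "audit_log:read"},
    })

    def _log(self, username: str, event: str, ok: bool, reason: str = "") -> None:
        self.access_log.append({"ts": self.clock(), "user": username,
                                "event": event, "ok": ok, "reason": reason})

    def register(self, username: str, password: str, role: str) -> None:
        if username in self.users:
            raise ValueError("username already taken: identification must be unequivocal")
        if role not in self.permissions:
            raise ValueError(f"unknown role {role!r}")
        self.users[username] = User(username, hash_password(password), role)

    def login(self, username: str, password: str) -> bool:
        now = self.clock()
        user = self.users.get(username)
        if user is None:
            verify_password(password, _DUMMY_HASH)   # equalise timing for unknown users
            self._log(username, "login", False, "unknown user")
            return False
        if now < user.locked_until:
            self._log(username, "login", False, "locked")
            return False
        if verify_password(password, user.password_hash):
            user.failed_attempts = 0
            self._log(username, "login", True)
            return True
        user.failed_attempts += 1
        if user.failed_attempts >= LOCKOUT_THRESHOLD:   # requirement d): throttle guessing
            user.locked_until = now + LOCKOUT_SECONDS
            user.failed_attempts = 0
            self._log(username, "login", False, "bad password; account locked")
        else:
            self._log(username, "login", False, "bad password")
        return False

    def can_access(self, username: str, resource: str) -> bool:
        """Requirement a): authorise by role, and log the decision either way."""
        user = self.users[username]
        ok = resource in self.permissions[user.role]
        self._log(username, f"access {resource}", ok, "" if ok else "not permitted for role")
        return ok


if __name__ == "__main__":
    svc = AuthService()
    svc.register("ana", "correct horse battery staple", "clerk")
    print(svc.login("ana", "correct horse battery staple"))   # True
    print(svc.can_access("ana", "customer:write"))             # False: clerks cannot write
    for entry in svc.access_log:
        print(entry)
```

In a real deployment the user table and the log would live in a database with the log table insert-only for the application account, and the lockout would be complemented by rate limiting per source address; the structure of the checks is the same.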

HOW SHOULD THE COMPANY ACT ACCORDING TO THE GDPR?

1. Privacy must be built in from the start: by design and by default (Article 25 and Recital 78 of the GDPR). In practice this comes down to one piece of advice: from now on, always invite your data protection adviser and your company's security officer to the preparatory meetings for new projects. They must validate that every step the project will take complies with the GDPR.

2. Carry out a data protection risk assessment or, where the processing is likely to involve a high risk, a data protection impact assessment (DPIA, often called a PIA; Article 35), which describes the processing in advance and preventively. It analyses the categories of data to be processed, the proportionality and necessity of the processing, its legal basis, its purposes, the risks and the mitigation of those risks.

3. Keep a record of processing activities (RAT, for its Spanish acronym; Article 30) that shows how the software uses personal data and contains at least: the controller (and the DPO, if any), the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to third countries, the retention periods and a general description of the security measures.

4. The principles relating to the processing of personal data set out in Article 5 of the GDPR must be strictly followed: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

5. Where consent is the legal basis, the users' consent must be obtained before their data are processed. Consent must be given through a clear affirmative act that reflects a freely given, specific, informed and unambiguous indication of the data subject's wishes to accept the processing of their personal data. Silence, pre-ticked boxes or inactivity therefore do not constitute consent. Consent must cover all processing activities carried out for the same purpose or purposes; when the processing has several purposes, consent must be given for all of them. If consent is requested by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

LEGAL ASPECTS IN THE DEVELOPMENT OF A WEBSITE

1. The need to obtain unambiguous, informed and verifiable consent from users or clients to process their data (explicit consent where special categories of data are involved), with mechanisms to obtain it and to prove it.

2. The need to give users and clients complete information in advance about the use of their data, as the GDPR requires.

3. The need to guarantee easy access, for everyone who provides personal data, to the information concerning them.

4. The need to guarantee the right to erasure (right to be forgotten) and the right to object to the processing, including the use of personal data for automated decisions and profiling.

5. The need to keep an internal record of processing activities (RAT).

6. The need to verify compliance by every processor to whom the data are communicated (Article 28).

7. The need to apply security measures appropriate to the level of risk.

8. The need to carry out periodic controls to guarantee all the measures and obligations set out in the GDPR.

9. The need to have a protocol for detecting and reporting security breaches: notification to the supervisory authority within 72 hours of becoming aware of the breach (Article 33) and to the affected data subjects when the breach is likely to result in a high risk to them (Article 34).

Privacy policies and web forms

1. Update and strengthen all the legal texts of the website (legal notice, privacy policy, cookie policy), writing them with greater precision and clarity and covering every point the regulation requires you to report. These legal texts must be linked from the footer of the website.

2. Check that the forms on your website obtain consent correctly, verifying that the consent is explicit, unambiguous, specific and verifiable.

3. Information must be given in layers: insert a visible legal clause in each form that sets out the basic points and that the user accepts before sending their data.

4. Prepare specific informative clauses for email and newsletters. Consent must be revocable, so every communication must include a mechanism that lets the user unsubscribe from further communications.

5. If personal data are used for direct marketing, you must offer a clear and simple way for the user to object to that processing.

6. Keep a record of all the consents you have obtained. Remember that, under the principle of accountability, you must be able to demonstrate compliance.

7. Prepare tailored data processing agreements with your processors (Article 28).

8. Provide clear mechanisms so that users and clients can exercise their data subject rights simply and electronically; for this you must also have templates for exercising those rights and for responding to them.

9. Implement the security measures appropriate to the risk of the processing carried out on your website.

10. Maintain a system of periodic controls that guarantees real compliance and the principle of accountability.

How to obtain express and informed consent?

Concept of consent:

Consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Article 4(11)).

Under the GDPR, consent is required when no other legal basis justifies the processing, as there is, for example, in a contractual relationship.

If a user comes to your website and fills in a contact form or a subscription form, you must have consent to process their data, and not just any consent will do. The consent must be:

• Free: consent must not be a precondition for contracting a service unless it is necessary for that service (Article 7(4)).

• Specific: separate from other terms and conditions.

• Informed: with a detailed explanation of why consent for that personal data is being requested and how it will be processed.

• Unambiguous: consent must be obtained by a statement or a clear affirmative action and never be inferred from the user's inactivity or omission. Global acceptance of terms and conditions does not amount to unambiguous consent, hence the need for specific clauses.

• Verifiable: records must be kept that demonstrate what the individual consented to and how, including what they were told, when, and what they agreed to.

• Granular: include as many acceptance boxes as there are distinct purposes.

• Special attention must be paid to minors: Article 8 of the GDPR sets the minimum age for valid consent at 16; below that age consent must be given by the minor's legal representative or guardian. Each Member State may lower this age, but never below 13 (Spain has set it at 14).

Duty of information: informed consent

The GDPR requires the user to be informed beforehand in a clear and accessible way (Articles 12, 13 and 14). To meet this requirement, the European data protection authorities recommend a layered information system:

• A first layer with the basic data protection information.

• A second layer with the remaining information.

The Spanish Data Protection Agency (AEPD), in its "Guide for Compliance with the Duty to Inform", recommends that this information be shown to the data subject before their data are collected and that it be guaranteed to appear within their field of vision.

In other words, a layout that hides that first layer behind a drop-down, or that requires scrolling to see it, would not be valid.

It also recommends that this first layer be labelled "Basic Data Protection Information" and that it link directly to the full, second-layer information.

Finally, remember that you must be able to prove that you informed the user as the GDPR requires.

Therefore, every form on a website must meet three basic requirements:

• Have a first information layer. Its minimum content is: the identity of the controller and, where applicable, of its representative; the purpose of the processing; the possibility of exercising the rights set out in Articles 15 to 22 of the GDPR; and an email address or other means that gives easy and immediate access to the remaining information, that is, to the second layer.

• Have a second information layer, containing:

1. Contact details of the controller and of the Data Protection Officer, if there is one (postal address, telephone and email).

2. Purpose of the processing: complete the information given in the first layer about the use that will be made of the personal data, including the retention period and whether profiling or automated decision-making will take place.

3. Legal basis, which may be:

- Consent: state whether there is an obligation to provide the data, the consequences of not providing it and the possibility of withdrawing consent at any time.
- Performance of a contract: refer in detail to the contract in question.
- Legal obligation: cite the rule that requires the data to be provided and the consequences of not providing it.
- Protection of the vital interests of the data subject or of a third party: identify that third party and their relationship with the data subject.
- Public interest or exercise of official authority: cite the rule that establishes it.
- Legitimate interest: state what those interests are.

4. Recipients: state whether

- the data will be transferred to third parties (identifying them);
- international transfers will take place (the countries involved and whether they offer adequate guarantees of protection).

5. Rights of the data subjects: explain how data subjects can exercise the rights listed in the first layer, including forms or templates for doing so, and inform them of their right to lodge a complaint with the AEPD and to contact the DPO, if there is one.

Note on linking the layers: as indicated above, when the first layer is provided electronically it must contain a link to the second layer. The link must be visible and easily accessible, so that data subjects who have seen the basic information can, whenever they wish, read the detailed information about the processing of their personal data.

• Include a checkbox to collect valid consent, unchecked by default.
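As an added example (written for this page, not taken from any of the plugins it mentions), the following Python code shows how a server can turn a submitted form into a verifiable consent record: it checks that the first layer contains the minimum content, renders one unchecked checkbox per purpose, treats a purpose as consented to only when its box was affirmatively ticked, and stores a hash of the exact wording shown together with a timestamp, so that later you can prove what the user was told and what they agreed to. The field names and the receipt layout are this example's own choices.

```python
"""Example (not code from the page's plugins): building and verifying a consent
receipt from a web form, so that consent is granular, unchecked by default and
provable. Field names and the receipt layout are this example's own choices."""
import hashlib
import html
import json
import time

# Minimum content of the first information layer (identity of the controller, purpose,
# rights under Articles 15 to 22, and a way to reach the second layer).
FIRST_LAYER_FIELDS = ("controller", "purpose", "rights", "more_info_url")

# Values a browser submits for a ticked checkbox; anything else counts as not ticked.
AFFIRMATIVE = {"on", "true", "1", "yes"}


class ConsentError(ValueError):
    """Raised when the form cannot yield valid consent."""


def notice_hash(first_layer: dict) -> str:
    """Fingerprint of the exact wording shown; canonical JSON so key order does not matter."""
    canonical = json.dumps(first_layer, sort_keys=True, ensure_ascii=False, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_first_layer(first_layer: dict) -> None:
    missing = [f for f in FIRST_LAYER_FIELDS if not str(first_layer.get(f, "")).strip()]
    if missing:
        raise ConsentError(f"first information layer incomplete: missing {missing}")


def render_first_layer(first_layer: dict, purposes: dict) -> str:
    """HTML fragment for a form: basic information plus one unchecked box per purpose."""
    check_first_layer(first_layer)
    e = html.escape
    lines = ['<fieldset class="basic-data-protection-information">',
             "<legend>Basic Data Protection Information</legend>",
             f"<p>Controller: {e(first_layer['controller'])}</p>",
             f"<p>Purpose: {e(first_layer['purpose'])}</p>",
             f"<p>Rights: {e(first_layer['rights'])}</p>",
             f'<p><a href="{e(first_layer["more_info_url"])}">Additional information</a></p>']
    for purpose_id, label in purposes.items():   # granular: one box per purpose, never pre-ticked
        name = e(f"consent_{purpose_id}")
        lines.append(f'<label><input type="checkbox" name="{name}" value="on"> {e(label)}</label>')
    lines.append("</fieldset>")
    return "\n".join(lines)


def consent_receipt(first_layer: dict, purposes: dict, submitted: dict, clock=time.time) -> dict:
    """Turn posted form fields into a record of which purposes were consented to, and when."""
    check_first_layer(first_layer)
    consents = {}
    for purpose_id in purposes:
        value = str(submitted.get(f"consent_{purpose_id}", "")).strip().lower()
        consents[purpose_id] = value in AFFIRMATIVE   # absence or silence is not consent
    return {"timestamp": clock(),
            "notice_hash": notice_hash(first_layer),
            "purposes_shown": dict(purposes),
            "consents": consents}


def consent_given(receipt: dict, purpose_id: str) -> bool:
    """Check before each processing operation that its purpose was actually consented to."""
    return bool(receipt["consents"].get(purpose_id, False))


def receipt_matches_notice(receipt: dict, first_layer: dict) -> bool:
    """Prove later that this exact wording was shown when the consent was collected."""
    return receipt["notice_hash"] == notice_hash(first_layer)


if __name__ == "__main__":
    # Constructed sample notice and form submission, for demonstration only.
    notice = {"controller": "Example S.L.",
              "purpose": "Answer your enquiry and, if you agree, send our newsletter",
              "rights": "Access, rectification, erasure, restriction, portability and objection",
              "more_info_url": "https://example.com/privacy"}
    purposes = {"newsletter": "I agree to receive the newsletter",
                "profiling": "I agree to receive personalised offers"}
    print(render_first_layer(notice, purposes))
    form = {"email": "ana@example.com", "consent_newsletter": "on"}   # profiling box left unticked
    receipt = consent_receipt(notice, purposes, form, clock=lambda: 1_700_000_000.0)
    print(json.dumps(receipt, indent=2))
```

Keep the full text of each notice version alongside its hash (for example in a versioned table), so that a receipt can always be matched back to the wording the user actually saw, and check consent_given() for the specific purpose before each send or profiling run rather than once at signup.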

How to adapt the comments section of your website to the GDPR?

Here, as in any other form, the three requirements must be met. To obtain consent you must add a checkbox, which you can do in two ways:

• By code: if you know how to program, you can add it manually.

• Through plugins: WP Comment Policy Checkbox or WP GDPR Compliance are plugins designed for GDPR compliance.

How to adapt the rest of the forms on your website to the GDPR

Remember that each form requires a first information layer that specifically states:

• The controller of the website.
• The purpose of the information collected: each form needs its own first layer.
• The rights users have: access, rectification, erasure, restriction, portability, objection, etc.
• Where to find the second layer or additional information: your privacy policy.

Documentation you need to adapt your website

• Record of processing activities (RAT).
• Protocols for handling data subject rights requests, with request and response templates.
• Protocol for reporting security breaches.
• Confidentiality agreements for employees and collaborators.
• Image rights assignment clauses.
• Data processing agreements with third parties.
• Tailored first information layers for each form: the specific informative clauses that must be included in every form that collects personal data, according to the purpose of the data collected.
• Legal notice, privacy policy and cookie policy.
• Schedule of periodic controls and audits.
• Advice on the required security measures.
• User manual.
• A campaign to regularise earlier registrations.

Cookies policies

There are several plugins that help to adapt your website technically, but first you must make sure you have all the necessary elements, that is, policies and legal texts that are fully GDPR-compliant.

A plugin does not make you compliant on its own; it only lets the website perform some of the functions needed for legal compliance.

The plugins allow you to:

• Show the cookie warning pop-up.
• Use the pre-installed options for cookie consent.
• Handle requests for access to, or deletion of, user information.
• Install the first information layers.
• Send notifications in the event of a data breach.
• Display and link to the privacy policy and legal notices.
• Send notifications to the DPO (Data Protection Officer).
• Record the consents given on the different forms.

Cookies and GDPR

Legal aspects of Cookies:

1. Cookies that are not strictly necessary for the service, such as analytics and advertising cookies and third-party cookies in general, cannot be set without the user's consent: the user must be asked before the cookies are downloaded and, if the user does not accept them, they must remain blocked.

2. The first information layer, that is, the cookie warning pop-up, must be specific and state the types of cookies that will be set.

3. The second layer is where the list of cookies and all other information belongs: it must identify the controller of the website, explain what cookies are and the purposes of the cookies the website uses, and give a guide to disabling or deleting them.

4. For cookies, the GDPR reinforces consent, which must be unambiguous, informed and verifiable. These steps are therefore necessary:

- Audit the cookies and identify them correctly.
- Report them properly in a first and a second layer.
- Obtain valid consent and be able to prove it.

Plugins to adapt WordPress forms to the GDPR

These are just examples:

• WP Forms Lite
• Gravity Forms
• Contact Form 7

DEVELOPMENT OF MOBILE APPLICATIONS (APP) AND GDPR

In app development we must take the same privacy precautions as on websites, so the warnings described above also apply to regulatory compliance for apps.

Still, a brief review of the essentials:

1. To guarantee compliance with the GDPR, where consent is the legal basis for the processing (Article 6(1)(a)), the consent of the data subjects (here, the users) must be obtained.

2. The consent of the users of a website or mobile app (depending on the project) can be obtained through an acceptance box that is unchecked by default and that the user ticks. Before that, because the consent must be informed, the user must be given the information required by Article 13 of the GDPR, since the data are obtained directly from the data subject.

3. Special attention must be paid to minors: in the Spanish legal system the minimum age for valid consent is 14 (the GDPR default is 16; Article 8), below which consent must be given by the minor's legal representative or guardian.

Apps aimed at children must meet a series of requirements: respect the age limits set by national law, choose the most restrictive approach to data processing, fully respecting the principles of data minimisation and purpose limitation, never use minors' information for commercial purposes, and refrain from obtaining information through children about their family and/or friends.

4. In practice all of this can be done through the "privacy policy" section of the app or website; that section must set out all the information about the processing, and it must be displayed before any personal data are entered into the app or website.

5. Accepting the privacy policy is not, by itself, consent: the policy informs the user, while consent requires the separate affirmative act described in point 2. As noted above, global acceptance of terms or policies does not amount to unambiguous consent, so a site that relies on it alone cannot prove consent.

6. It is recommended that the cookie policy be presented in a separate drop-down from the privacy policy, also at the start of any activity in the app or website.

Special precautions in apps:

Among the permissions that developers must declare and request are the following. Each one should be requested at runtime, only when the feature that needs it is used, and never for data the app does not actually need (data minimisation).

• Phone: authorisation must be requested for the app to read the phone's status, know its number, know the state of the mobile network, make calls, read the call history, add voicemail, manage calls and even redirect them to another number.

• In-app purchases: this permission allows the app to offer products and charge purchases to the user's Google Play account.

• Device storage or memory: whether external storage such as an SD card or internal storage, the user must authorise the app to read it and to store files there.

• Text messages: the user must allow the app to send text messages (SMS, MMS or even WAP push messages), read stored messages and/or receive new ones.

• Calendar events: permission must also be requested if the app accesses the calendar, as this allows reading, editing and creating events.

• Camera: if the app can take photos, edit them, send them or record video on its own, specific permission must be required.

• Contacts: if the app can consult the contact list, edit it, add new contacts, etc., it must require permission.

• GPS or WiFi geolocation: if the app accesses the user's location, whether through GPS, mobile network antennas or WiFi, it must require permission to access that information.

• Microphone: if the app accesses the microphone, with the possibility of recording telephone conversations, it must require permission.

• Body sensors: these permissions are linked to devices such as fitness bands. They provide data about the user's health, that is, a special category of data (Article 9), and the app must of course require permission to access it.

PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Article 9 of the GDPR establishes the following special categories of personal data:

• Data revealing racial or ethnic origin.

• Political opinions.

• Religious or philosophical beliefs.

• Trade union membership.

• Genetic data, and biometric data processed for the purpose of uniquely identifying a natural person.

• Data concerning health.

• Data concerning a natural person's sex life or sexual orientation.

General rule: processing is prohibited. This data may only be processed if one of the conditions in Article 9(2) applies, among them:

• The data subject has given explicit consent for the stated purpose.

• The processing is necessary to protect the vital interests of the data subject (or of another person) when the data subject is physically or legally incapable of giving consent.

• The processing is carried out, with appropriate safeguards, by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, relates only to its members, former members or persons in regular contact with it, and the data are not disclosed outside that body without consent.

• The data subject has manifestly made the data public.

• The processing is necessary for the establishment, exercise or defence of legal claims, or is otherwise authorised by Union or Member State law (for example in employment, health care, public health or research, subject to appropriate safeguards).

When handling data in this category, special attention must be paid to the principle of data minimisation: at each phase of the service, only the data necessary for that phase should be collected. The minimum data needed for the purpose at each moment of the processing should therefore be analysed.

As a security measure for this particularly sensitive data, anonymisation is always recommended, since it is one of the mechanisms that best protects privacy. It is the process by which a piece of data of interest is dissociated from the personal data that identifies a person, so that the identification or association of a person with sensitive information is prevented by "all means reasonably likely to be used". Note that if the link can be restored with a key kept elsewhere, the data are only pseudonymised and remain personal data under the GDPR. The Spanish Data Protection Agency has published a guide that explains exactly what an anonymisation process guarantees: "Guidelines and guarantees in the anonymisation procedures of personal data".

Depending on the case, a data protection impact assessment (DPIA or PIA) may be required; it is mandatory when the processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35).

By Yasna Bastidas Cid

Data Protection Officer

CHILE - SPAIN
