Recherche avancée

Sur d’autres sites (8269)

• Understanding Data Processing Agreements and How They Affect GDPR Compliance

  9 octobre 2023, par Erin — GDPR

  The General Data Protection Regulation (GDPR) impacts international organisations that conduct business or handle personal data in the European Union (EU), and they must know how to stay compliant.

  One way of ensuring GDPR compliance is through implementing a data processing agreement (DPA). Most businesses overlook DPAs when considering ways of maintaining user data security. So, what exactly is a DPA’s role in ensuring GDPR compliance ?

  In this article, we’ll discuss DPAs, their advantages, which data protection laws require them and the clauses that make up a DPA. We’ll also discuss the consequences of non-compliance and how you can maintain GDPR compliance using Matomo.

  What is a data processing agreement ?

  A data processing agreement, data protection agreement or data processing addendum is a contractual agreement between a data controller (a company) and a data processor (a third-party service provider.) It defines each party’s rights and obligations regarding data protection.

  A DPA also defines the responsibilities of the controller and the processor and sets out the terms they’ll use for data processing. For instance, when MHP/Team SI sought the services of Matomo (a data processor) to get reliable and compliant web analytics, a DPA helped to outline their responsibilities and liabilities.

  A DPA is one of the basic requirements for GDPR compliance. The GDPR is an EU regulation concerning personal data protection and security. The GDPR is binding on any company that actively collects data from EU residents or citizens, regardless of their location.

  As a business, you need to know what goes into a DPA to identify possible liabilities that may arise if you don’t comply with European data protection laws. For example, having a recurrent security incident can lead to data breaches as you process customer personal data.

  The average data breach cost for 2023 is $4.45 million. This amount includes regulatory fines, containment costs and business losses. As such, a DPA can help you assess the organisational security measures of your data processing methods and define the protocol for reporting a data breach.

  Why is a DPA essential for your business ?

  If your company processes personal data from your customers, such as contact details, you need a DPA to ensure compliance with data security laws like GDPR. You’ll also need a DPA to hire a third party to process your data, e.g., through web analytics or cloud storage.

  But what are the benefits of having a DPA in place ?

  

  A key benefit of signing a DPA is it outlines business terms with a third-party data processor and guarantees compliance with the relevant data privacy laws. A DPA also helps to create an accountability framework between you and your data processor by establishing contractual obligations.

  Additionally, a DPA helps to minimise the risk of unauthorised access to sensitive data. A DPA defines organisational measures that help protect the rights of individuals and safeguard personal data against unauthorised disclosure. Overall, before choosing a data processor, having a DPA ensures that they are capable, compliant and qualified.

  More than 120 countries have already adopted some form of international data protection laws to protect their citizens and their data better. Hence, knowing which laws require a DPA and how you can better ensure compliance is important.

  Which data protection laws require a DPA ?

  Regulatory bodies enact data protection laws to grant consumers greater control over their data and how businesses use it. These laws ensure transparency in data processing and compliance for businesses.

  

  The following are some of the relevant data privacy laws that require you to have a DPA :

  • UK GDPR
  • Brazil LGPD
  • EU GDPR
  • Dubai PDPA
  • Colorado CPA
  • California CCPA/CPRA
  • Virginia VCDPA
  • Connecticut DPA
  • South African POPIA
  • Thailand PDPA

  Companies that don’t adhere to these data protection obligations usually face liabilities such as fines and penalties. With a DPA, you can set clear expectations regarding data processing between you and your customers.

  Review and update any DPAs with third-party processors to ensure compliance with GDPR and the laws we mentioned above. Additionally, confirm that all the relevant clauses are present for compliance with relevant data privacy laws. 

  So, what key data processing clauses should you have in your DPA ? Let’s take a closer look in the next section.

  Key clauses in a data processing agreement

  GDPR provides some general recommendations for what you should state in a DPA.

  

  Here are the elements you should include :

  Data processing specifications

  Your DPA should address the specific business purposes for data processing, the duration of processing and the categories of data under processing. It should also clearly state the party responsible for maintaining GDPR compliance and who the data subjects are, including their location and nationality.

  Your DPA should also address the data processor and controller’s responsibilities concerning data deletion and contract termination.

  Role of processor

  Your DPA should clearly state what your data processor is responsible for and liable for. Some key responsibilities include record keeping, reporting breaches and maintaining data security.

  Other roles of your data processor include providing you with audit opportunities and cooperating with data protection authorities during inquiries. If you decide to end your contract, the data processor is responsible for deleting or returning data, depending on your agreement.

  Role of controller

  Your DPA should inform the responsibilities of the data controller, which typically include issuing processing instructions to the data processor and directing them on how to handle data processing.

  Your DPA should let you define the lawful data processes the data processor should follow and how you’ll uphold the data protection rights of individuals’ sensitive data.

  Organisational and technical specifications

  Your DPA should define specifications such as how third-party processors encrypt, access and test personal data. It should also include specifications on how the data processor and controller will maintain ongoing data security through various factors such as :

  • State of the technology : Do ‌third-party processors have reliable technology, and can they ensure data security within their systems ?
  • Costs of implementation : Does the data controller’s budget allow them to seek third-party services from industry-leading providers who can guarantee a certain level of security ?
  • Variances in users’ personal freedom : Are there privacy policies and opt-out forms for users to express how they want companies to use their sensitive data ?

  Moreover, your DPA should define how you and your data processor will ensure the confidentiality, availability and integrity of data processing services and systems.

  What are the penalties for DPA GDPR non-compliance ?

  Regulators use GDPR’s stiff fines to encourage data controllers and third-party processors to follow‌ best data security practices. One way of maintaining compliance is through drafting up a DPA with your data processor.

  The DPA should clearly outline the necessary legal requirements and include all the relevant clauses mentioned above. Understand what goes into this agreement since data protection authorities can hold your business accountable for a breach — even if a processor’s error caused it.

  Data protection authorities can issue penalties now that the GDPR is in place. For example, according to Article 83 of the GDPR, penalties for data or privacy breaches or non-compliance can amount to up to €20 million or 4% of your annual revenue.

  There are two tiers of fines : tier one and tier two. Violations related to data processors typically attract fines on the tier-one level. Tier one fines can cost your business €10 million or 2% of your company’s global revenue.

  Tier-two fines result from infringement of the right to forget and the right to privacy of your consumer. Tier-two fines can cost your business up to €20 million or 4% of your company’s global revenue.

  GDPR fines make non-compliance an expensive mistake for businesses of all sizes. As such, signing a DPA with any party that acts as a data processor for your business can help you remain GDPR-compliant.

  How a DPA can help your business remain GDPR compliant

  A DPA can help your business define and adhere to lawful data processes.

  

  So, in what other ways can a DPA help you to remain compliant with GDPR ? Let’s take a look !

  1. Assess data processor’s compliance

  Having a DPA helps ensure that the data processor you are working with is GDPR-compliant. You should check if they have a DPA and confirm the processor’s terms of service and legal basis.

  For example, if you want an alternative to Google Analytics that’s GDPR compliant, then you can opt for Matomo. Matomo features a DPA, which you can agree to when you sign up for web analytics services or later.

  2. Establish lawful data processes

  A DPA can also help you review your data processes to ensure they’re GDPR compliant. For example, by defining lawful data processes, you better understand personally identifiable information (PII) and how it relates to data privacy.

  Further, you can allow users to opt out of sharing their data. As such, Matomo can help you to enable Do Not Track preferences on your website.

  

  With this feature, users are given the option to opt in or out of tracking via a toggle in their respective browsers.

  Indeed, establishing lawful data processes helps you define the specific business purposes for collecting and processing personal data. By doing so, you get to notify your users why you need their data and get their consent to process it by including a GDPR-compliant privacy policy on your website.

  3. Anonymise your data

  Global privacy laws like GDPR and ePrivacy mandate companies to display cookie banners or seek consent before tracking visitors’ data. You can either include a cookie consent banner on your site or stop tracking cookies to follow the applicable regulations.

  Further, you can enable cookie-less tracking or easily let users opt out. For example, you can use Matomo without a cookie consent banner, exempting it from many countries’ privacy rules.

  Additionally, through a DPA, you can define organisational measures that define how you’ll anonymise all your users’ data. Matomo can help you anonymise IP addresses, and we recommend that you at least anonymise the last two bytes.

  

  As one of the few web analytics tools you can use to collect data without tracking consent, Matomo also has the French Data Protection Authority (CNIL) approval.

  4. Assess the processor’s bandwidth

  Having a DPA can help you implement data retention policies that show clear retention periods. Such policies are useful when ending a contract with a third-party service provider and determining how they should handle your data.

  A DPA also helps you ensure the processor has the necessary technology to store personal data securely. You can conduct an audit to understand possible vulnerabilities and your data processor’s technological capacity.

  5. Obtain legal counsel

  When drafting a DPA, it’s important to get a consultation on what is needed to ensure complete compliance. Obtaining legal counsel points you in the right direction so you don’t make any mistakes that may lead to non-compliance.

  Conclusion

  Businesses that process users’ data are subject to several DPA contract requirements under GDPR. One of the most important is having DPAs with every third-party provider that helps them perform data processing.

  It’s important to stay updated on GDPR requirements for compliance. As such, Matomo can help you maintain lawful data processes. Matomo gives you complete control over your data and complies with GDPR requirements.

  To get started with Matomo, you can sign up for a 21-day free trial. No credit card required.

  Disclaimer

  We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.

• How should I write my privacy notice for Matomo Analytics under GDPR ?

  24 avril 2018, par InnoCraft

  Important note : this blog post has been written by digital analysts, not lawyers. The purpose of this article is to show you an example of a privacy notice for Matomo under GDPR. This work comes from our interpretation of the UK privacy commission : ICO. It cannot be considered as professional legal advice. So as GDPR, this information is subject to change. We strongly advise you to have a look at the different privacy authorities in order to have up to date information.

  A basic rule of thumb is that if you are not processing personal data, then you do not need to show any privacy notice. But if you are doing so, such as processing full IP addresses, then a privacy notice is required at the time of the data collection. Please note that personal data may also be hidden, for example, in page titles or page URLs.

  In this blog post, we will define what a privacy notice is according to GDPR and how to write it if you are using Matomo and you are processing personal data.

  What is a privacy notice under GDPR ?

  One of the most important rights that a data subject has under GDPR, is the right to be informed about the collection and use of their personal data.

  Here is what ICO is saying about the privacy notice :

  “You must provide individuals with information including : your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.”

  “When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.”

  Note that a privacy notice is different from a privacy policy.

  The privacy notice has to include :

  • the reasons why you are processing the personal data
  • for how long
  • who the different parties you are going to share them with are

  So whatever lawful basis you are using (explicit consent or legitimate interest), you need to have a privacy notice if you collect personal data.

  What does this privacy notice look like ?

  ICO is providing best practices in order to display the information :

  • a layered approach
  • dashboards
  • just-in-time notices
  • icons
  • mobile and smart device functionalities

  Once more, it really depends on the data you are processing with Matomo. If you wish to track personal data on the entire website, you will probably have an upper or footer privacy notice such as :

  

  If you wish to process specific data, you could also insert just-in-time notices such as :

  

  What is the information you need to disclose to the final user ?

  To us, there are two things to distinguish between the privacy notice and the privacy policy.

  According to ICO, the privacy notice needs to include the 3 following elements :

  • the reasons why you are processing the personal data
  • for how long
  • who are the different parties you are going to share them with

  But you also need to inform them about :

  • The name and contact details of your organisation.
  • The name and contact details of your representative (if applicable).
  • The contact details of your data protection officer (if applicable).
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The legitimate interests for the processing (if applicable).
  • The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if applicable).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if the personal data is not obtained from the individual it relates to).
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).

  Pretty long, don’t you think ? In order to reduce it, you can either adopt a layered approach where your “pop-up” window will act as a drop down menu. Or from what we understood, page 5 of this document provided by ICO, a privacy notice can link to a more detailed document, such as a privacy policy page.

  Examples

  Let’s take the example of a website which tracks the non-anonymised full IP address, and using User ID functionality to keep track of logged-in users. Under GDPR, the owner of the website will have to choose either to process personal data based on “Legitimate interests” or on “Consent”. Here is how it will look like :

  Example of a privacy notice under GDPR Legitimate interests

  This site uses Matomo to analyze traffic and help us to improve your user experience.

  We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform. Please read our Privacy Policy to learn more.

  Example of a privacy notice under GDPR Consent

  This site uses Matomo to analyze traffic and help us to improve your user experience.

  We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform.

  [Accept] or [Opt-out]

  Please read our Privacy Policy to learn more.

  Once that information is provided to the user, you can then link it to your privacy policy where you will provide more details about it. Soon we will issue a blog post dealing with how to write a privacy policy page for Matomo.

  The post How should I write my privacy notice for Matomo Analytics under GDPR ? appeared first on Analytics Platform - Matomo.

• 11 ways Piwik Analytics helps you to protect your visitors privacy

  11 janvier 2017, par InnoCraft — Community

  At Piwik and at InnoCraft, we think Privacy matters. From the beginning, Piwik has had a strong focus on privacy and ensures the privacy of your visitors and analytics data. As a result, Piwik has been recommended as a privacy-compliant analytics tool for example by the Independent Center for Privacy Protection in Germany (ULD) and by the Center for Data Privacy Protection in France (CNIL). In France, Piwik is the only web analytics tool that does not require Cookie Consent.

  Here are some ways how you can ensure your users and visitors privacy by using Piwik.

  1. You own the data

  Whether you host Piwik on premise yourself, managed on premise by InnoCraft, or whether you use our Piwik cloud, when you use Piwik, YOU keep control of your data and nobody else. This also means you can decide where your data should be located physically.

  2. Anonymized IP addresses

  For better privacy by default, Piwik will not record the full IP address of your visitors because otherwise the browsing history could be easily tracked across several days and even across websites within the same Piwik server. Some countries even require to anonymize the IP address, considered Personally Identifiable Information (PII).

  To change the IP anonymization settings go to “Administration > Privacy”. Optionally, you can use the full IP to still get for example accurate location data.

  

  3. Delete old visitor logs

  The visitor logs contain information all the collected raw data about every visitor and every action. You can configure Piwik to automatically delete logs from the database. When you delete old logs, only the real time and visitor log reports will no longer work for this old time period, all other aggregated reports will still work.

  For privacy reasons, we highly recommend that you keep the detailed Piwik logs for only 3 to 6 months and delete older log data. This has one other nice side effect : it will free significant database space, which will, in turn, slightly increase performance !

  

  4. Support Do Not Track preference

  Do Not Track enables users to opt out of any tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. By default, Piwik respects users preference and will not track visitors which have specified “I do not want to be tracked” in their web browsers. Get more information about DoNotTrack.

  To make sure Do Not Track is respected, go to “Administration => Privacy”.

  5. Include an Opt-Out Feature on your website or app

  By embedding the Opt-Out feature in your website, you give your visitors the possibility to opt-out of the tracking. When you go to “Administration > Privacy”, you will be able to copy and paste an HTML Iframe code to embed the opt-out feature for example into your privacy policy page or in your ‘Legal’ page. Your users can then click on a link to opt-out.

  On the Piwik Marketplace there are also some plugins available to customize the Opt-Out experience. For example AjaxOptOut and CustomOptOut.

  

  6. Disable Live features

  The Real-Time, Visitor Log and Visitor Profile features give you insights into the tracked raw data by showing you details about every visitor and every action they performed. To protect the privacy of your visitors you may decide to prevent access to such features by disabling the “Live” plugin in “Administration => Plugins”. This way only aggregated reports will be shown in your Piwik.

  7. Disable fingerprinting across websites

  By default, when one of your visitors visits several of your websites, Piwik will create a fingerprint for this user that will be different across the websites to increase the visitors’ privacy. You can make sure that this feature is disabled by going to “Administration => Config file” and verifying that the value of “enable_fingerprinting_across_websites” is set to zero.

  8. Disable tracking cookies

  Piwik uses cookies to store some information about visitors between visits. In some countries, the legislation requires websites to provide a way for users to opt-out of all tracking, in particular tracking cookies. You can disable cookies by adding one line in the Piwik Javascript code.

  9. Custom development

  Piwik is an open platform that lets you extend and customize the tracking, the reporting and the Piwik user interface to your needs and to protect your visitors’ privacy the way you want or need it. Learn more in the Piwik Developer Zone. You may also have a look at our Piwik Marketplace where you can find several free and premium features to extend your Piwik.

  10. Transparency

  By default, all information and all collected data in your Piwik server are protected and nobody can access it. However, Piwik allows you to optionally make your collected data public and you can export any Piwik report including the whole dashboard to embed it into your website. This way you can show your users exactly which information you track. When you decide to make reports public, we do our best to protect privacy and automatically hide any Personally Identifiable Information such as the Visitor Profile and we make sure to not show any Visitor IP address and the Visitor ID.

  11. Privacy policy

  When you use Piwik to track your visitors, we recommend to update your Privacy Policy to explain how Piwik is used and what data it gathers. We provide a Privacy Policy template for Piwik users that you can copy on your site.

  Continuous privacy improvements

  We are always interested in improving the privacy. If you miss any feature or have an idea on how to improve the privacy, please let us know.

  More information about all the Piwik features

  If you want to learn more about all the features in Piwik, have a look at our User Guides and FAQ entries.