
GDPR for websites, web platforms and mobile apps

Do you own a platform, an online shop or a mobile app? Or even a simple showcase site/blog where various articles are posted?

Without making an exhaustive analysis of all the legal provisions, this article covers the main aspects of the GDPR that you should take into account when you own or operate a platform as a service (PaaS), an online shop, a mobile app or even a simple showcase site/blog (which we will generally call "site/mobile app").

The phrase “GDPR compliance” is increasingly used in discussions about technology and personal data protection. If you are developing or have already developed a site/mobile app, you have probably “run into” the “GDPR issue”.

But what does this GDPR mean and what should you do?

GDPR is a European regulation that regulates how personal data can be processed.

Specifically, the GDPR sets out several obligations on those who process personal data, such as the obligation to inform users, the obligation to obtain consent to send marketing messages etc.

1. Privacy policy

A first step in complying with GDPR is to publish a personal data processing policy (i.e., privacy policy) on the site/mobile app. The role of this policy is to inform users about how you collect and further process their data.

What does a privacy policy contain?

This policy must contain a series of mandatory information according to the GDPR, including:

  • data about your company (company name, identification and contact details);
  • the purposes of, and the legal grounds for, processing the data;
  • whether and to whom you transfer the data (e.g., you transfer the data to the courier company that delivers the products to the user);
  • for how long you store the data (the length of time is determined on a case-by-case basis, but it must be a minimum length of time that you can justify);
  • the rights of the user (which are provided by the GDPR) and how to exercise them.

How should the privacy policy be published?

The privacy policy should be easily accessible to users:

  • for sites, the policy should be available on every page of the site (e.g. in the footer);
  • for mobile apps, the policy should be available “two clicks away”.

Tick for privacy policy

The privacy policy is intended to inform users. Since it is only information about data processing, the user does not need to agree to the privacy policy, but only to confirm that they have read and understood it.

Example: with a check-box (which users must tick) and with a text such as “I have read and understood the privacy policy”.

Note: do not confuse the privacy policy tick with the user consent tick when used as a basis for processing - they are different.

Apart from ticking the privacy policy box, you should note that in order to send marketing messages you need the user’s express prior consent - the so-called subscribe (opt-in).

How do you do that? With a tick and a text like “I agree to receive messages with promotions and other useful information”.

Good to know:

  • you can place the tick and text anywhere in the site/mobile app, multiple times, including in the onboarding flow;
  • the tick should not be pre-ticked (the user should tick it themselves);
  • the tick should be optional.

2. Cookie Policy

When you use cookies, you should inform the user about this, which in practice is done through the cookie policy.

Typically, the cookie policy contains the following information:

  • data about your company (company name, identification and contact details);
  • data about the categories of used cookies, their purpose and lifetime;
  • data on how the user can manage the use of cookies;
  • information about your own cookies and cookies used by third parties.

Similar to the privacy policy, the cookie policy should also be easily accessible to users - for example, you can include a link to it in the footer.

A distinction must be made between cookies that are strictly necessary for the proper functioning of the platform and other cookies that are not strictly necessary (such as analytics or marketing cookies).

For strictly necessary cookies you do NOT need to obtain user consent.

For the other categories of cookies you need to obtain prior consent. Usually, consent is obtained through a pop-up banner, which must have both an “accept” and a “decline” button.

Here’s what you should consider when using a pop-up banner:

  • boxes for cookies that are not strictly necessary should not be pre-ticked - in other words, to obtain valid consent, the user must tick the appropriate boxes themselves;
  • you should obtain users’ consent for each distinct category of used cookies - i.e., the user must tick separately for analytical cookies, marketing cookies etc.;
  • the pop-up banner should remain accessible to the user so that they can change their cookie choices at any time.

What else to consider about cookies that are not strictly necessary

Until the user accepts cookies that are not strictly necessary, you should not use such cookies. Likewise, you cannot use these cookies if the user refuses them.

Also, you should not make the use of the platform conditional on accepting cookies that are not strictly necessary.
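The consent gate these rules describe, as an added example in JavaScript (not code from the original post; the category names and the Map standing in for document.cookie are assumptions): non-essential categories are off until the user explicitly ticks them, each category is decided separately, unknown categories fail closed, and the decision can be changed later.

```javascript
// Added example (not from the original post); category names are assumptions.
const COOKIE_CATEGORIES = {
  necessary: { strictlyNecessary: true },  // e.g. session cookie: no consent needed
  analytics: { strictlyNecessary: false },
  marketing: { strictlyNecessary: false },
};
const nonEssential = () =>
  Object.keys(COOKIE_CATEGORIES).filter((n) => !COOKIE_CATEGORIES[n].strictlyNecessary);
// State before the banner is answered: nothing is pre-ticked, so every
// non-essential category starts as false; only strictly necessary cookies pass.
function defaultConsent() {
  const choices = {};
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) choices[name] = cat.strictlyNecessary;
  return { choices, decidedAt: null };
}

// Record one decision per category, exactly as the user ticked it. Unknown
// categories are rejected and the necessary category can never be switched off.
function recordChoices(state, picks, now = Date.now()) {
  const choices = { ...state.choices };
  for (const [name, allowed] of Object.entries(picks)) {
    const cat = COOKIE_CATEGORIES[name];
    if (!cat) throw new Error(`unknown cookie category: ${name}`);
    if (!cat.strictlyNecessary) choices[name] = allowed === true;
  }
  return { choices, decidedAt: now };
}

// "Accept all" / "Decline all" buttons; either may be invoked again later, which is
// how the user changes an earlier choice.
const acceptAll = (state, now) =>
  recordChoices(state, Object.fromEntries(nonEssential().map((n) => [n, true])), now);
const declineAll = (state, now) =>
  recordChoices(state, Object.fromEntries(nonEssential().map((n) => [n, false])), now);

// Gate: necessary cookies always pass; anything else needs an explicit true on
// record, so "not yet decided" and "declined" both fail closed.
function mayUse(state, category) {
  const cat = COOKIE_CATEGORIES[category];
  if (!cat) return false;
  return cat.strictlyNecessary || state.choices[category] === true;
}

// Stand-in for document.cookie (a Map) so the example runs outside a browser.
function setCookie(jar, state, name, value, category) {
  if (!mayUse(state, category)) return false;
  jar.set(name, value);
  return true;
}
```

In a real page the same gate sits in front of every script that drops a non-essential cookie (analytics tag, ad pixel), and the recorded state is what you persist to show the banner's current choices.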

3. Other obligations under GDPR

Okay, now that you’ve seen the main documents you need to publish on your site/mobile app, you should bear in mind that GDPR also sets out several other equally important obligations. Thus, you should also pay attention to the following aspects:

  • data minimisation - collect only that personal data that is necessary for the purpose of processing; in other words, be clear about what data you need and do not collect data that is not strictly necessary;
  • duration of storage - data must be stored for a minimum period, i.e., only as long as it is necessary to fulfil the processing purposes;
  • data transfer - if you transfer data to other parties, including if, for example, you use hosting services from US providers, you should enter into transfer agreements with those parties that govern their obligations with respect to the data they receive;
  • data security - implement security measures to protect against unauthorised or unlawful processing, loss or destruction (encrypt data, audit systems regularly etc.);
  • privacy by design and by default - you need to take GDPR requirements into account at all times, from the development stage of the site/mobile app, including by taking technical and organisational measures to ensure the implementation of data protection principles and the necessary safeguards to protect users’ rights;
  • internal policies - GDPR compliance also involves establishing policies and procedures internally, such as: internal data processing policy (which is distinct from the privacy policy informing users), data storage policy, security and incident management policy etc.

Personal data protection is one of the main issues you need to consider if you operate a site/mobile app.

Another equally important aspect is the regulation of the relationship with the users of the site/mobile app, which is usually done through the terms and conditions of the site/mobile app. Find out what to look out for in the terms and conditions in our article here.

How we can help

We can help you implement GDPR for your product:

  • we draft privacy and cookie policies;
  • we perform data privacy audits and come up with compliance recommendations;
  • we review documents you already have.

Read more about our services here.