As you will remember from our previous delivery, the principle of transparency is the legal obligation to include on our website information about what is done with the data of users who visit it, and we must do so publicly, accessible and free.
We will now explain how to comply with this duty from three sides: the what, the where and the how.
In the following list we will detail (including examples) all the points that must be covered in order to comply with this obligation:
Small introduction of why these data are given. Let us remember that it is a legal obligation, therefore it is necessary to mention in this case the LOPD and the RGPD to justify this point. It is also possible to include a list of the information to be detailed.
The identifying data of the data controller, i.e. the company or its representative. For example:
Contact details of the Data Protection Delegate, if necessary to have one assigned (this depends on the type of company).
Purpose, legitimacy and conservation of each of the means by which data are obtained. For example, if you only have one contact form, you only need to report on these three aspects in relation to it, a kind of informative 3x1.
Purpose: What are these collected data going to be used for.
Legitimation: Based on what I can collect these data (all possible are detailed in article 6 of the RGPD).
Conservation: This is the period during which the data will be kept.
An example for a contact form could be:
The consequences of not providing personal data. Although related to the previous point, it will not be necessary to include it for each means of obtaining data, it will suffice to mention it in a general way. For example, if a false name or email address is given, the purpose of contacting and providing information about its services cannot be fulfilled; and if the data were necessary at a legal or contractual level, for example in a purchase process, it will be informed that if the adequate data are not given, the purchase and/or shipment will not be carried out. Another point to mention is the need to indicate which data are mandatory to meet the purpose of the medium used for data collection, for example with an asterisk or highlighted with colors.
The recipient of the data collected. Generally, it will be the company itself, and this is what you should mention, but if you give the data to a third party you should specify it and include links to their privacy policies. A clear example is the "Like" or "Share" buttons on social networks, which will therefore entail the obligation to include the aforementioned links.
The existence of automated data collection and profiling processes. The most common thing is that cookies collect information in this way, so it will be necessary to indicate and add a link to the Policy cookies (more information in future deliveries).
User rights: Information on what they are and how to exercise them. These are the rights of access, rectification, cancellation and opposition, and the right to present a claim to the control authority (in Spain it is the Spanish Data Protection Agency). Here it refers, respectively, to the right of the user to be able to access the data collected, to be able to modify or correct them, to have them deleted, to oppose to the Responsible having them (chapter III of the RGPD), and to claim against the breach of their rights.
Always remembering that this information must be simple to understand for any user, concise in content and easily accessible (articles 12 to 15 of the RGPD). This takes us to where and how to include it.
The simplest and most appropriate, and also complies with the easy availability, is to include a link at the bottom of the page to a specific page and in this include all the information. The RGPD does not say anything about it, so it can be shown in another way or allowing you to download a document with it, but this complicates the process of information and consent to the collection of data (for more information you can consult the rules or go to the website of the Spanish Agency for Data Protection).
Regarding how, the recommended way is to divide it into small groups of information (one for each item mentioned for example), through lists, tables, etc., making it concise and understandable (article 12.1 of the RGPD). Moreover, in this way, it is easily demonstrable that we comply with the regulations (remember the sanctions if we do not).
Another point to take into account is the language used, because if you exceed the use of legal vocabulary, ambiguous expressions, unnecessary details, or technicalities, the duty to inform will not be fulfilled, because even if you are including the information this does not reach the user.
Now you're wondering: layers, what layers? Now this is about heroes? Jokes aside, this is such an important and interesting subject that we'll leave it for the next delivery. And so we give you time to digest all the information in this first delivery.
And so far as for the real first delivery of the fascinating fascicles about online responsibility. If you've been wanting to know more about the layers, don't miss our next post.
**LOPD / LOPDGDD: Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales.
***RGPD: Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo, de 27 de abril de 2016, relativo a la protección de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos y por el que se deroga la Directiva 95/46/CE (Reglamento general de protección de datos).
ALERT: This article has been translated with automatic translation software so it may contain errors and inaccuracies. You can read the original article in this link: La Responsabilidad online: Primera entrega