In this article we are going to explain which requirements your website must meet in order to comply with the RGPD (the GDPR), formerly the LOPD.
This guide is the result of adapting the websites of many of our clients to data protection over the last few months. Each of them provided us with their requirements, drawn up by lawyers or specialised firms, and from those we have written this article, which should leave you with very clear ideas.
NOTE: This article does not attempt to, nor can it, replace the advice a lawyer must give for your particular activity in order to analyse how you must comply with the law mentioned above; we only try to explain the technical part that applies to websites.
These are the points we are going to cover:
- Legal notice and privacy policy.
- Data collection forms.
- Contact form.
- Newsletter subscription form.
- Comment form on your blog, if you use WordPress.
- "I have read and accept the privacy policy" checkbox.
- Legal notice under the form.
- The visitor's IP address.
- Cookie policy.
- Cookie audit.
- Structure: purpose, owner and expiry.
- Cookie banner or notice.
- Newsletters or bulk e-mail sending.
- E-mail addresses appearing on our website.
1. Legal notice and privacy policy
Whenever you carry out a professional activity and are legally constituted, either as a company or as a self-employed person, your website must have these two pages: the legal notice and the privacy policy. They are almost always published separately, on different pages, although we have also adapted websites where both were together on the same page or URL.
The content of these legal pages must be written by a lawyer who has audited your company. I do not recommend copying and pasting them from another website: legally they will not protect you, and Google may penalise you.
Once you have created these pages, the law says they must be easily visible and accessible; without a doubt the best place is the footer of your website, where you should put both links. If you use WordPress your theme surely comes with an option for this; if not, you may have to edit footer.php by hand.
2. Data collection forms
The regulation is very strict about the collection of users' personal data. On a standard website the main, and normally the only, source of data collection is the contact forms. Forms usually ask for the name, telephone number, e-mail, etc., all of which are personal data.
The way a form complies with the regulation basically consists of two very concrete actions:
- An "I have read and accept the privacy policy" checkbox:
  - It must be unchecked by default.
  - The user must tick it, without exception, in order to be able to submit the form.
  - It must include a link to that page, preferably opening it in another browser window or tab.
- A legal notice under the form. Sometimes we have been asked to drop point 1 in exchange for adding a legal notice that we place under the form. This notice is usually unattractive because it tends to be long, and, apart from that, an informative text does not require any action from the user and could create ambiguous situations in the event of litigation. A priori, applying point 1 instead of point 2 looks like the far better option, since it is more defensible.
- The form must store the user's IP address when it is sent. Many website owners are unaware of this detail and do not store the user's IP; they limit themselves to applying point 1 but do not know that, faced with a possible complaint, there is no way to prove that that particular user voluntarily filled in the form on a given date and time. The way to prove it is to know which IP the user had when sending the form; from that IP the operator that owns it can be identified, and therefore the subscriber of the line. Many WordPress sites use the Contact Form 7 plugin, which does not store the IP; if you need help with this, contact us.
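As an added example (not code from the original article), this is how a Node.js handler could apply the two requirements above to a submitted contact form: reject the submission unless the checkbox was ticked, and record the IP together with the date and time. The field names `privacy_accepted` and `privacy_policy_version`, and the proxy address, are assumptions made for this example.

```javascript
// Constructed value: the address of our own reverse proxy. X-Forwarded-For
// is client-controlled unless the request arrived through a proxy we operate,
// so trusting it blindly would make the stored IP worthless as evidence.
const TRUSTED_PROXIES = new Set(["10.0.0.5"]);

function clientIp(socketAddress, forwardedFor) {
  if (forwardedFor && TRUSTED_PROXIES.has(socketAddress)) {
    // Left-most entry is the client address as seen by the first proxy.
    return forwardedFor.split(",")[0].trim();
  }
  return socketAddress;
}

// body: parsed form fields; meta: { socketAddress, forwardedFor, userAgent }.
// Returns { ok: false, error } when the form must be rejected, otherwise the
// consent record to persist next to the message itself.
function buildConsentRecord(body, meta, now = new Date()) {
  // The checkbox is unchecked by default, so the browser only sends the field
  // when the user ticked it; anything other than "yes" is treated as a refusal.
  if (body.privacy_accepted !== "yes") {
    return { ok: false, error: "privacy policy not accepted" };
  }
  if (typeof body.email !== "string" || !body.email.includes("@")) {
    return { ok: false, error: "invalid e-mail" };
  }
  return {
    ok: true,
    record: {
      email: body.email,
      ip: clientIp(meta.socketAddress, meta.forwardedFor),
      timestamp: now.toISOString(),               // date and time of consent
      policyVersion: body.privacy_policy_version, // hypothetical: which text was accepted
      userAgent: meta.userAgent || "",
    },
  };
}
```

Store the returned record with the message in a place that is not editable from the site's admin area, since it is the evidence you will rely on if a complaint arrives.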
What forms does a website have?
A priori it seems that the contact form is the only one on a website, but usually it is not. If it is a WordPress site there is the comment form, and if we have a subscription to a bulletin or newsletter we have one more form. All of them collect personal data, so we must apply the rules described in the previous point.
3. Cookie policy
By now everybody knows what cookies are and that practically any website must implement a cookie policy. Well, it is not so: it only has to be implemented if the page stores cookies in the user's browser. We have audited company websites that did not install a single cookie on the user, since they did not even integrate Google Analytics. In those cases a cookie policy is not necessary; in all other cases it is.
If a cookie policy is necessary, the ideal requirements are:
- The cookie notice must be shown as soon as the page is visited for the first time. Until that moment no cookie should have been installed in the visitor's browser.
- Next, the user must be given the option to accept or reject them. If they accept, there is no problem: the visitor browses on, allowing their use. But if they say they do not want cookies, none must be installed, and this is where you have to verify that the cookie module complies 100%, because some cookie could have been installed before the visitor gave consent.
- An information page on cookies and one on the cookie policy are necessary. This legal text must be prepared by somebody competent in the matter.
- The cookie policy must publish a list of the cookies the website uses in the visitor's browser. This work must be done by a technician. For example, the Google Analytics cookies look like those shown below. When making the list of cookies we must specify the purpose (advertising, analysing visitor behaviour, etc.), the owner (that of the website) and the expiry (1 day, 6 months or whatever applies).
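As an added example (not code from the original article), the following is a minimal consent gate that covers the points above: the banner on the first visit, no analytics script until acceptance, the list the policy must publish, and an audit for the "complies 100%" check. It is written so it runs without a browser: `storage`, `loadAnalytics` and `readCookies` are injected; in a page you would pass `window.localStorage`, a function that inserts the Google Analytics script tag, and `() => document.cookie`. The storage key is an assumption; the Google Analytics cookie names and lifetimes are the documented ones.

```javascript
const CONSENT_KEY = "cookie_consent"; // values: "accepted" | "rejected" | absent

// The list the cookie policy has to publish: purpose, owner and expiry.
const COOKIE_REGISTRY = [
  { name: "_ga",  purpose: "analytics, distinguish users",  owner: "Google Analytics", expiry: "2 years" },
  { name: "_gid", purpose: "analytics, distinguish users",  owner: "Google Analytics", expiry: "24 hours" },
  { name: "_gat", purpose: "analytics, throttle requests",  owner: "Google Analytics", expiry: "1 minute" },
];

// Splits a document.cookie string into the set of cookie names present.
function cookieNames(cookieString) {
  return new Set(
    cookieString.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean)
  );
}

function createConsentGate({ storage, loadAnalytics, readCookies }) {
  const state = () => storage.getItem(CONSENT_KEY); // null when never answered
  return {
    // On every page load: show the banner on the first visit, and load the
    // analytics script only if the visitor already accepted on an earlier visit.
    init() {
      if (state() === "accepted") loadAnalytics();
      return { showBanner: state() === null };
    },
    accept() {
      storage.setItem(CONSENT_KEY, "accepted");
      loadAnalytics();
    },
    reject() {
      storage.setItem(CONSENT_KEY, "rejected"); // localStorage, not a cookie
    },
    // The audit: any registered cookie present before acceptance was installed
    // without consent, which is exactly what the module must never do.
    audit() {
      const present = cookieNames(readCookies());
      const consented = state() === "accepted";
      const leaked = consented
        ? []
        : COOKIE_REGISTRY.map((c) => c.name).filter((n) => present.has(n));
      return { consented, leaked };
    },
  };
}
```

Run `audit()` in the browser console on a fresh private window before clicking anything: a non-empty `leaked` list means a script is setting cookies ahead of the banner.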
4. Newsletters or bulk e-mail sending
If your website sends newsletters you must take the following into account:
- The newsletter sign-up form must comply with what was described in point 2.
- If you already had a user base prior to May 2018, you must send them an e-mail to confirm that they want to remain subscribed to your newsletter. Not doing so is a breach of the law.
- If you send mailings to a user base that has not agreed to receive newsletters, you are sending spam and failing to comply with the regulation.
5. E-mail addresses appearing on our website
On one occasion when we implemented data protection on a website, the lawyer in question asked us for something really subtle that may make more sense than it seems at first. He asked us to remove the links from the e-mail addresses that appeared on the page. That is, the typical firstname.lastname@example.org could appear, but if the user clicked on it the mail program should not open, because it was not possible to request consent beforehand.
Nowadays all websites should have removed every e-mail address in order to avoid spam, but it is still seen quite frequently.