Recommendations concerning the GDPR

The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and affects, on the one hand, all organisations that are based in the EU and, on the other hand, all organisations that process personal data of individuals who are based in the EU. The new guidelines give users new rights in relation to the handling of their personal data, for example user data on a website.

The players

Data source

Users from who data is collected

Responsibility holder

In charge of the collection and use of data

Data processing

MD Systems / Kampaweb

Legal notice

The information on this page is not binding legal information and should not be confused with legal advice from a lawyer. MD Systems and Kampaweb GmbH do not assume any liability. Due to the different possible uses of the systems and the different organisation-specific processes, the conformity to the applicable law must be checked individually.

New laws and obligations

The new regulation also applies retroactively to data already collected, which must therefore be reinterpreted.

Duty to inform

Individuals must be informed before personal data may be collected. In addition, the exact purpose of use (collection, sharing, exploitation) of the data must be disclosed, as well as if the data leaves the EU area.

Consent

Consent for the use of personal data must be given ACTIVELY for each individual purpose. Consent must be just as easy to withdraw as it is to give.

Right to information

Individuals have the right to request information about what information has been collected about them and how it is being used. Upon request, a copy of this data shall be provided to the person.

Transferability

Individuals have the right to request to receive their personal data in a structured and machine-readable format. It may also be required to hand over the data to a third party.

Authorization

Individuals have the right to have their personal data corrected or completed.

Deletion

Individuals may request the deletion of their personal data at any time. The deletion of personal data must take place in a timely manner.

DO's

Unsubscribe options in emails and on the website

Consents must be able to be withdrawn as easily as they were given.

Cookie pop-up

You also need consent to use cookies. It must be ensured that no data is collected before the website visitor gives their OK.

Short forms

Forms should only request data that is really needed for the respective purpose.

Person responsible

Every organization needs a person who is responsible for data protection. This person must be listed on the website and be easy to contact.

DONT's

Email dispatch to all contacts

For each (email) communication explicit consent is required, e.g. by selecting the option "I wish to be kept informed about campaign XY" under a petition.

Pre-selected checkboxes

Pre-selected checkboxes do not constitute active consent.

Commingling of consents

Consents must not be linked (e.g. by submitting the petition form you agree to be kept informed about this campaign). Each consent must be separate.

Primer is ready for GDPR

MD Systems and Kampaweb GmbH have dealt intensively with the topic of GDPR in recent months. Primer meets all the technical requirements so that you can set up your website in compliance with GDPR.

Here are the most important ones at a glance:

https - Secure data transmission

To ensure secure data transmission, all Primer websites are already on https / SSL. With Let's Encrypt, there are no recurring costs for certificates these days. In addition, Google also favors secure sites in the search results.

Cookie consent

With the start of the GDPR, consent must also be obtained for web tracking before it starts. This means that every website needs an element where the website visitor is given the opportunity to explicitly agree to the tracking or to reject it.

Transparency notice on forms

In order to comply with the information obligation, there must be a notice on each form stating what happens to the data collected. We create a generic text that is attached to each form. The text can be adapted by the customer per form if necessary.

Information & concrete initiatives

On this page, we compile information for customers and develop approaches for the GDPR-compliant use of Primer. We do our best to ensure that this information covers the most important areas of the GDPR. However, please note the legal notice.

Customization & Support

We are happy to implement even more extensive, customer-specific measures for individual customers. We also offer support in the development of individual solution proposals.

Proof of consent

Consents must be verifiable.

Right of access & data portability

Forms in Primer have an export function to help customers comply with the right of access and the right to data portability.

Recommendations on the GDPR - Measures by customers

Here you can find the measures we recommend to our customers with regard to the DSVGO. If you have any questions that are not answered in this catalogue of measures, please contact us at [email protected] / 044 500 45 95.

Frequently asked questions

When is the GDPR enforced?

The GDPR is already enforced since 24 May 2016 and its application is mandatory from 25 May 2018.

Is the regulation even relevant to our organization?

If you process data of European users on your website (cookie tracking) or in your CRM, you must comply with the EU GDPR.

Will a double opt-in be mandatory?

No. So far, double opt-in is not mandatory. What is prescribed, however, is a clear, active and informed consent.

In the GDPR, this reads as follows:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

Will data have to be stored in the EU in the future?

No, data may continue to leave the EU area. Under the GDPR, the rules regarding the transfer of personal data outside the EU do not change. As long as personal data is "adequately protected", it can also be transferred outside the EU. However, the person transferring the data must be informed about a transfer of the data.

Where can I find more information?

Reform of the EU data protection rules 2018 - Official website of the EU

Federal Data Protection and Information Commissioner (FDPIC)

Evaluation grid for early detection of data protection risks

Basic Data Protection Regulation