Recommendations on the GDPR

Measures by customers

The Primer team welcomes the improvements in data protection introduced by the introduction of the GDPR. We look forward to supporting our customers in the best possible way with its implementation. On this page, we have compiled measures that help our customers implement the requirements of the GDPR. If you have any questions or need support, please do not hesitate to contact us.


Proof of consent

In order to prove consent (e.g. if and when a certain person has agreed to receive a newsletter), it is mandatory to use webforms or Mailchimp forms. In the individual form submissions, the IP address, time of submission and email address are stored - and this data helps you to prove when someone has given you consent.

Measures

Review your forms and, if necessary, adapt them so that there is a single form for each individual purpose. In addition, keep a list that records, for each list, where its data comes from, for what purpose it is stored and when it is deleted again. (See the section on the documentation obligation.)


Valid consent

Consent to use personal data must be given actively and explicitly for each purpose.

In order to obtain active consent, the person themselves must tick the box to give their consent to something. In other words, checkboxes for this purpose may no longer be pre-selected. Consents that originated via a pre-selected checkbox are no longer valid - even retrospectively.

In order to obtain explicit consent, consents may not be mixed with each other or be blanket (e.g. I would like to be kept up to date on exciting news). Consents that are based on such a blanket or mixed declaration of consent (e.g. by signing the petition I agree to receive a newsletter) are no longer valid - even retrospectively.

Measures

Check all forms and adjust them if necessary. If a checkbox is already pre-selected in one of your forms, this can be changed in the form. If a form or checkbox is consent-mixed or blanket, create several new checkboxes to properly reflect the different consents in the future.

If you have such pre-selected or consent-mixed checkboxes/forms, new active consent must be obtained for each purpose in order to continue to use the data already collected.

Document all forms you have, their intended use, and where the data in that form came from.


Withdraw consent

In order for people to be able to withdraw their consent as easily and specifically as they gave it, there should also be an opt-out form for each registration form. This also makes it possible to prove, in a data protection-compliant manner, which consents a person held and until when.

Measures

Review your unsubscribe pages. If you previously used forms for a subscription, you must now create an unsubscribe page for those forms. On these unsubscribe pages, you must specify the list from which people can unsubscribe.


Data deletion

The storage period of personal data must be determined in advance and data must be deleted when the retention period has expired, for example, as soon as the event for which someone had registered is over.

In addition, personal data that you currently hold based on consent, but which does not meet the required standard of the GDPR, must also be deleted.

Measures

Check what data you have and how and for what purpose you received it. Delete data for which you do not have permission (anymore). You can try to obtain a GDPR-compliant consent for the use of the data - otherwise the data must be deleted. In addition, create internal guidelines as to when which data must be deleted.


Internal data security

Another obligation of data controllers is the documentation of all processes and measures. The types of data collected and their purpose, the security measures to be taken, usage guidelines, deadlines for the deletion of the various categories of data as well as the process in the event of a data leak should thus be documented.

Measures

Compile and write down all relevant workflows (e.g. when which data is deleted, measures in the event of a data leak, secure transfer of data outside the CRM system, etc.).

These should be accessible to all employees. It is sufficient to keep these documents in electronic form.


Transparency note

You can attach a generic transparency note to each form for the collection of data. A link to the data protection page is mandatory so that users who submit data can read exactly what happens to their data (intended purpose).

Measures

Create the appropriate transparency note for each form, including a link to the privacy page.


Privacy policy

The mandatory privacy statement page must provide detailed information about what data is collected, how it is collected and for what purpose.

This page must be accessible with one (1) click from every form.

Measures

Review your privacy policy and adjust it if necessary. Each service must be listed and it must be described what is done with the data and how long it is kept. It should also explain how individuals can exercise their rights (rectification of data, deletion, transfer, etc.).


Right to information / transferability

In order to be able to provide a person with information about what data you have about them and, if necessary, to hand over this data in an appropriate form, you can export the form submissions in a readable format from the Webforms manager.

Measures

If required, export the submissions of the individual Webforms.
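As an added example (not Primer code) covering the measures above on proof of consent, valid consent, withdrawal, data deletion and the right to information: a minimal consent ledger that stores IP address, time and email per purpose, rejects pre-selected or undocumented (blanket) consent, records per-purpose opt-outs, deletes records once their retention period has expired and exports a person's records in a readable form. The purposes, retention periods and addresses are constructed for illustration.

```python
# Added example (not Primer code): a minimal consent ledger that records each
# submission with IP, time and email per purpose, rejects pre-selected or
# blanket consent, supports per-form opt-out, deletes on retention expiry and
# exports a subject's records. Purposes and retention periods are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class ConsentEvent:
    email: str
    purpose: str      # exactly one documented purpose, e.g. "newsletter"
    ip: str           # IP address of the form submission
    at: datetime      # time of submission
    granted: bool     # True = opt-in via form, False = opt-out


@dataclass
class ConsentLedger:
    retention: Dict[str, timedelta]              # documented purposes -> retention
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, email, purpose, ip, at, checked, prechecked=False):
        """Store an opt-in; only an actively ticked, single-purpose box counts."""
        if purpose not in self.retention:
            raise ValueError(f"undocumented or blanket purpose: {purpose!r}")
        if prechecked or not checked:
            raise ValueError("consent must be ticked actively by the person")
        self.events.append(ConsentEvent(email, purpose, ip, at, True))

    def withdraw(self, email, purpose, ip, at):
        """Opt-out from the unsubscribe page for this specific purpose."""
        self.events.append(ConsentEvent(email, purpose, ip, at, False))

    def consented_at(self, email, purpose, when):
        """Proof of consent: the latest event at or before `when` decides."""
        hist = [e for e in self.events
                if e.email == email and e.purpose == purpose and e.at <= when]
        return bool(hist) and max(hist, key=lambda e: e.at).granted

    def purge_expired(self, now):
        """Delete records whose retention period has run out; return the count."""
        keep = [e for e in self.events if now - e.at < self.retention[e.purpose]]
        removed = len(self.events) - len(keep)
        self.events = keep
        return removed

    def export_subject(self, email):
        """Readable export for a right-to-information / portability request."""
        return [{"purpose": e.purpose, "ip": e.ip, "time": e.at.isoformat(),
                 "granted": e.granted} for e in self.events if e.email == email]
```

Because opt-outs are stored as events rather than by deleting the opt-in, the ledger can still show which consents a person held at any given time.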


Responsible persons and data protection officers

Data controllers are persons responsible for data collection and data processing. For example, they run a petition campaign and determine which data is requested and what happens to it. They are supported and trained (e.g. what does a secure password look like, what data may we collect and when must it be deleted) by the data protection officers.

Measures

Appoint a data protection officer and identify responsible persons in your organisation. These persons should be clearly identified on the website. If there are persons responsible for specific data collections (e.g. per campaign), these should be listed on the form page, with a contact option.



Legal notice

The information on this page does not constitute binding legal information and is not to be confused with legal advice from a lawyer. MD Systems and Kampaweb GmbH accept no liability. Because the systems can be used in different ways and organisation-specific processes take different forms, compliance with applicable law must be checked individually.