The final version of the provision is now being prepared and will be published in the coming weeks. The issues that link the two topics concern the “duties and obligations” of the data controller and the methods of acquiring data consent.
So, let us see what changed compared to the past and what changes we must make both with reference to the websites we own and in the process of acquiring consent for the collection, storage, and processing of our customers’ data.
The subject is particularly dear to us, first of all, for the information activity that we have been promoting for years now, for the benefit of all of you who follow us, and secondly for the care we devote to making the Qualitando solutions totally GDPR compliant.
We talk about it, once again, with one of the leading experts on the subject, the lawyer Marco Maglio.
Lawyer Maglio, let’s start from the basics: some definitions are necessary and appropriate to make reading easier even for newbies on the subject.
Let’s start by saying that a Regulation on personal data has been applied for three years in all European Union countries – the General Data Protection Regulation often defined by its acronym GDPR – which, despite not having changed the regulations relating to cookies and other tracking tools, has strengthened the power of control of people, focusing both on the “unambiguous” character of consent to the processing of personal data, and on the implementation of data protection principles from the design stage and for default settings. Therefore, this made some clarifications necessary on the correct ways to provide online information to network users and acquire their consent when necessary.
Trying to provide a map with the essential information to move in the territory of personal data with awareness, I can say that cookies are a tool that allows you to collect personal data, that is information referring directly or indirectly to natural persons. Whoever collects this data and establishes the purposes and means with which to process them is called the Data Controller. If to carry out these activities you use a supplier who processes the data on your behalf, according to the law, you must designate this subject as Data Processor and give him written instructions with a binding legal act.
What has changed compared to the past?
In general terms, it is necessary to evaluate in advance, therefore before collecting the data, what are the risks for the persons to whom the data refer – which the law calls “data subjects” – in case of improper use of such information and it is necessary to prevent these risks.
What must we do to adapt the cookies policy of our websites?
What changes in the data acquisition and storage process?
Adequate technical tools must be used to safely manage these two aspects:
a) the blocking banner, which requires the user to choose
b) the consents that the interested parties will express.
Therefore, it is likely that technical interventions must be made on the websites to correctly manage these aspects with tools that detect these choices and document the consents expressed, so that they can also be used on subsequent visits by users to that site. There are several solutions on the market that allow you to manage these new obligations easily.
Those who manage websites will therefore have to organize themselves to define how to manage this new need, being able to choose whether to use outsourced services, through the so-called “consent management tools”, or whether to use internal solutions and functions present on the website itself.
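The two technical aspects described above (a banner that blocks non-essential tools until the user chooses, and a documented consent that is reused on later visits) can be expressed in a few functions. The following is an added illustration, not code from Qualitando or from the interview; the cookie name `qual_consent`, the consent categories, the policy version number and the 180-day re-prompt interval are assumptions chosen for the example.

```javascript
// Added example, not from the original article: a minimal consent record for a
// cookie banner with "prior blocking". Cookie name, categories, version and the
// 180-day re-prompt interval are assumptions for illustration.

const CONSENT_COOKIE = "qual_consent";          // assumed name of the consent cookie
const CONSENT_VERSION = 2;                      // bump whenever the cookie policy text changes
const CONSENT_MAX_AGE_DAYS = 180;               // assumed interval after which the banner is shown again
const CATEGORIES = ["analytics", "marketing"];  // non-essential categories gated by consent

// Build the record that documents the user's explicit choice; anything not
// explicitly set to true is stored as a refusal (no pre-ticked defaults).
function makeConsentRecord(choices, now = new Date()) {
  const record = { v: CONSENT_VERSION, ts: now.toISOString(), choices: {} };
  for (const c of CATEGORIES) record.choices[c] = choices[c] === true;
  return record;
}

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// On each visit decide whether the stored consent is still usable or the
// banner has to be shown again (missing, unparsable, older policy, or expired).
function loadConsent(cookieHeader, now = new Date()) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return { state: "missing", record: null };
  let record;
  try { record = JSON.parse(raw); } catch (e) { return { state: "invalid", record: null }; }
  if (record.v !== CONSENT_VERSION) return { state: "stale-version", record: null };
  const ageMs = now - new Date(record.ts);              // NaN if ts is garbage
  if (!(ageMs >= 0) || ageMs > CONSENT_MAX_AGE_DAYS * 86400000) return { state: "expired", record: null };
  return { state: "valid", record };
}

// Prior blocking: a non-essential script may only be loaded when a valid
// record grants its category. Every other state means "do not load".
function mayLoad(category, consent) {
  return consent.state === "valid" && consent.record.choices[category] === true;
}

// Set-Cookie value for the consent record itself, which is a strictly
// necessary cookie and therefore does not itself require consent.
function consentSetCookie(record) {
  const maxAge = CONSENT_MAX_AGE_DAYS * 86400;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
         `; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}
```

The record keeps the timestamp and the policy version next to the choices, so the site can prove what the user agreed to and when, and can re-ask when the policy text changes rather than silently reusing an old consent.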
Management of access to the wi-fi network, newsletter subscription forms, pre-check-in forms, mimeographs that we offer to customers upon arrival for the collection and storage of their data: any recommendations? What can we not continue to do as in the past? What should we pay attention to when choosing the software that manages these touch points with customers on our behalf?
The new rules will concern cookies and online tracking tools, therefore all data collections that take place without the knowledge of the interested parties, without filling out forms and questionnaires. For other activities based on the conscious provision of data – as is usually the case for subscribing to newsletters, for pre-check-in and for registering users – the rules are the ones we should already be used to applying: it is necessary to give adequate information, indicate what the purposes of the processing are and the legal bases that legitimize the use of the data and, in cases where it is necessary, to ask for specific and express consent to the processing of such information.
I can say that the more time passes from the date of the first application of the 2016/679 EU Regulation, the more essential it becomes to adopt information that is understandable, linear, easy to read and not misleading. Be aware that respecting the data requires respecting the people to whom the data refers. So, it is necessary to turn to these people to obtain their trust and therefore also their data.
I would say that the time of data collection without the knowledge of the interested parties is over and there is no longer room for hypotheses in which data is collected for one purpose and then used for another. This is a rule that has existed since the nineties, to be honest, but now, with the current Regulation, the violation of these principles is directly punishable.
Data retention times: the owner is obliged to determine and establish them. Could you explain this to us in more detail?
Any processing of personal data must take place in compliance with the principles established by Regulation (EU) 2016/679 and, in particular, the storage limitation criterion must be respected: that is, it is necessary to provide for the storage of data for a time not exceeding that necessary with respect to the purposes for which the processing was carried out. Currently, there are no predefined criteria aimed at uniformly establishing methods and times for storing personal data. The Data Controller must independently decide these retention times in relation to the purposes for which he collected such data.
A concrete analysis must also be carried out by defining the security measures to be taken to prevent the risk that during data storage some improper use may occur to the detriment of the data subjects. It is then necessary to define operational criteria to manage these retention times and then proceed with the scheduled and automatic deletion of the data upon expiry of the retention period.
Of course, it is not a simple management activity, but the Data Controller must be aware that processing the data requires making responsible decisions, thus also evaluating the storage time as one of the choices that the Data Controller, responsibly, must take in full autonomy and evaluating the risks that its choice entails for the rights of the interested parties.
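The operational criteria mentioned above (a retention period fixed per purpose, followed by scheduled, automatic deletion on expiry) can be made concrete with a small sweep routine. The following is an added example and not code from Qualitando or from the interview; the purposes, the retention periods and the sample records are constructed for illustration, and the periods are not a recommendation, since the interview stresses that the Data Controller must decide them autonomously.

```javascript
// Added example, not from the original article: a per-purpose retention
// schedule and a sweep that identifies expired records for deletion. Purposes,
// periods and sample records are constructed assumptions for illustration.

const RETENTION_DAYS = {          // assumed periods; the Controller decides the real ones
  "newsletter": 365 * 2,
  "pre-checkin": 30,
  "wifi-access": 180,
};

const DAY_MS = 86400000;

// Deletion date of one record, derived from its purpose and collection date.
function expiryDate(record) {
  const days = RETENTION_DAYS[record.purpose];
  if (days === undefined) throw new Error(`no retention period defined for purpose "${record.purpose}"`);
  return new Date(new Date(record.collectedAt).getTime() + days * DAY_MS);
}

// Partition records at time `now` into keep / remove. A record whose purpose
// has no retention period is reported separately instead of being kept
// silently, because "no decision" is itself a retention violation.
function sweep(records, now = new Date()) {
  const keep = [], remove = [], unclassified = [];
  for (const r of records) {
    if (!(r.purpose in RETENTION_DAYS)) { unclassified.push(r.id); continue; }
    (expiryDate(r) <= now ? remove : keep).push(r);
  }
  return { keep, remove, unclassified };
}

// Deletion log: records the fact and time of deletion, not the personal data.
function deletionLog(removed, now = new Date()) {
  return removed.map(r => ({ id: r.id, purpose: r.purpose, deletedAt: now.toISOString() }));
}

// Constructed sample records (example data, not real customers).
const SAMPLE_RECORDS = [
  { id: 1, purpose: "pre-checkin", collectedAt: "2021-03-01T00:00:00Z", email: "guest1@example.com" },
  { id: 2, purpose: "pre-checkin", collectedAt: "2021-05-10T00:00:00Z", email: "guest2@example.com" },
  { id: 3, purpose: "wifi-access", collectedAt: "2020-11-01T00:00:00Z", device: "example-device-3" },
  { id: 4, purpose: "newsletter",  collectedAt: "2020-01-01T00:00:00Z", email: "guest3@example.com" },
  { id: 5, purpose: "loyalty",     collectedAt: "2021-01-01T00:00:00Z", email: "guest4@example.com" },
];

// One scheduled run (e.g. a nightly job) over the sample data at a fixed date.
function runSweep(now = new Date("2021-05-21T00:00:00Z")) {
  const result = sweep(SAMPLE_RECORDS, now);
  return { ...result, log: deletionLog(result.remove, now) };
}
```

Run as a scheduled job, `runSweep` yields the records to delete and a log that proves deletion happened without retaining the deleted data; the `unclassified` list surfaces any collection purpose for which no retention decision has been taken.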
We thank the lawyer Marco Maglio for his availability, reminding you that he is also President of the European Observatory on Data Protection and founder of Lucerne Iuris, an International Legal Network made up of law firms specializing in marketing and communication law.
See you on Friday 21st May at 11:00am for our Live Webinar.