What the law says
The law is designed to protect users' sensitive data and, at the same time, to protect website administrators from any violation. For example, the so-called "computer and freedoms" law (the French Informatique et Libertés Act) deals with personal data in particular in Article 34, which stipulates that "the processor is required to take all necessary precautions, given the nature of the data and the risks presented by the processing, to preserve the security of the data and, in particular, to prevent it from being distorted, damaged, or from having unauthorized third parties have access to it."
Note the non-binding wording of the law ("is required"), which nevertheless encourages actors to read it. These conditions are primarily aimed at securing sites and avoiding the trouble that unscrupulous Internet users can cause. On the other hand, failure to comply with this duty of security is punishable by law. For this reason, all site administrators are advised to write the terms and conditions of their site.
While the purpose of data collection on online shops is easy to understand and the need for a data protection statement is obvious, the situation is quite different for many other websites. A great deal of data is collected and recorded automatically, often without the user's knowledge: web servers record IP addresses in log files, built-in social media buttons transmit personal data to social networks, and cookies also store information about users and their browsing behavior. An even hotter topic is website analytics tools such as Google Analytics, which record traffic data. The Google tool is particularly problematic from the point of view of data protection law, because the IP address of users is stored on a server in the United States.
To at least partially mitigate this problem, website operators can truncate the last block of digits of the IP address, so that the stored value no longer constitutes personal data.
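The truncation just described applies to server log files as well as to analytics tools. The following Python example, added here and not taken from the original article or from any vendor's code, shows the technique on a few constructed Apache-style access-log lines: the last octet of an IPv4 address is zeroed (keeping a /24) and the last 80 bits of an IPv6 address are zeroed (keeping a /48), which is the convention commonly used by analytics tools. The log lines and addresses are constructed samples from documentation ranges, not real traffic.

```python
import ipaddress

# Constructed sample access-log lines (Apache "combined"-style, shortened).
# The addresses come from documentation ranges and identify no real host.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2023:13:55:37 +0000] "GET /cart HTTP/1.1" 200 512',
    'not-an-ip - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 400 0',
]

# Prefix lengths kept after truncation (assumption: /24 for IPv4, /48 for IPv6).
KEEP_PREFIX = {4: 24, 6: 48}


def truncate_ip(addr: str) -> str:
    """Drop the host-identifying part of an IP address.

    IPv4: zero the last octet.  IPv6: zero the last 80 bits.
    Anything that is not a valid IP address is returned unchanged so that
    a malformed log line is never silently mangled.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    network = ipaddress.ip_network(f"{ip}/{KEEP_PREFIX[ip.version]}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the client address (first field of the line) by its truncated form."""
    client, sep, rest = line.partition(" ")
    return truncate_ip(client) + sep + rest


def anonymize_log(lines):
    """Truncate the client address on every line; returns a new list."""
    return [anonymize_log_line(line) for line in lines]


if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Truncation should happen at the moment the entry is written (in the web server's log format or a logging filter), not as a later batch job: an untruncated log that has already been written to disk is still personal data for as long as it exists. For Google Analytics the corresponding setting was `anonymizeIp` in analytics.js and `anonymize_ip` in gtag.js (Universal Analytics).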
What are the standards?
- Legal notice (mentions légales): mandatory, and covered in the article of the same name
- Access to the site: how it may be used
- Intellectual property rules: a ban on copying the site's content without citing the source
- Personal data rules: your declaration to the CNIL, the authority responsible for protecting personal data
- Liability: this section defines and delimits the responsibilities of each party
The special case of e-commerce sites
As mentioned earlier, online shops are particularly targeted by this regulation. They are encouraged to draft terms and conditions of sale to clarify the responsibility of each party in a transaction.
Here is a paid terms-and-conditions generator that can help you: Termsfeed.
Generators and templates are a good way to write a data protection statement for your own website. However, you should not blindly trust the result. Templates are a base that often needs to be adapted to your individual case. If this sounds too complicated, or if you are not sure that your data protection statement is correct and understandable, we recommend that you seek expert advice.
What are the penalties?
If these data protection obligations are not met, the penalties vary, ranging from a simple warning to a five-year prison sentence and a $200,000 fine.
To illustrate this point, consider the case of the site entreparticuliers.com. The site was the subject of a complaint by a customer whose data had been disclosed without his consent. The CNIL then took up the matter and found that the website had not defined any retention policy for its data, leading to shortcomings in the handling of banking information. Following this complaint, the CNIL issued a public warning and demanded compliance with the "computer and freedoms" law.
It is also to be expected that the still inconsistent legal interpretation will soon come to an end, once the new General Data Protection Regulation (GDPR) is incorporated as a basis for future legal decisions. The regulation not only broadens the reporting obligations and wording requirements for data protection, but also raises the ceiling on possible fines to 20 million euros or 4% of annual worldwide turnover (whichever is higher).
Tips for data protection reporting: models and generators
On the Internet, you will find many free offers that help you create the data protection statement for your website. Look for existing templates that are relevant to your site. There are both ready-to-use templates for the general statement on the collection and protection of users' data and special categories such as social networks (Facebook, Twitter, etc.), cookies, contact forms or newsletter mailings. In this way, you also obtain the data protection statement for Google Analytics or other analysis tools in template form, including a link for users who do not agree to the collection and transmission of their data.
In addition to various examples, some websites also offer free data protection statement generators, with examples of the required texts and their wording. The result is often available as plain text and as HTML.