General Data Protection Regulation
Site compliant with the European GDPR
The General Data Protection Regulation (GDPR) is the European directive concerning the processing and circulation of personal data. Since May 25, 2018, all the websites of the countries of the European Union must comply with it or face penalties.
Note : Even if your site or company is not part of the European Union, it is strongly recommended to comply with the GDPR to better inform and reassure all visitors of your site, including those in Europe.
Starting from its version 7.09, TOWeb offers automation and assistants to help you make and maintain a RGPD compliant web site. To take advantage of these functions in TOWeb, make sure that you use the "Site compliant to the European GDPR" option, enabled by default and located in the "File > Site summary" screen or available when creating a new site.
Note : by disabling this option it will not make any changes to your site but only the behavior of TOWeb that will no longer offer any automation nor assistant related to GDPR.
Your site is not a sales site
Your site is an e-commerce site with online sales
it is recommended to distinguish the rules related to the respect of the private life from those of the general conditions of sales of your site also we advise you to proceed as follows:
- in the purchase order form of your e-Commerce site (Options > e-Commerce > Order Form) check that you have activated the option to force the buyer to accept your terms and conditions
- to allow the consultation of your heading, use the field %TW-PRIVACY% in your texts
- Finally, depending on your activity and the content of your site, you may also be required to:
- add a page of introduction and consent prior to the consultation of your site.
- The physical location of the collected data
- Data retention time
- Services with access to personal data files within the company and resell or transmit of any personal data to third parties
- A clear consent explained to the user when completing a form and checking the box for validation of the use of his personal data
- How a user may consult personal data that you stored about him/her
- The process to modify his/her subscriptions (mailing list)
- The process to request the deletion of his/her data (right to be forgotten)
Your site uses a mailing list
To be in compliance with the GDPR, the person who gives you his/her email address through your subscribe form must be informed in advance of the use you will made regarding his/her email address: what type(s) of information will he/she receive precisely by email, how often, to which possible third parties will his/her email address will be communicate to and why, which procedure to follow to unsubscribe, etc.
For this reason it is strongly recommended to apply at least 1 of the 2 recommendations below:
- use the user confirmation required option located in "Options > i-Services > Mailing list > Configure" (or from the "Configure" button located inside the paragraph using a mailing list form) to force the user to read and accept your conditions by a text that you will have written clearly, concisely and positively (no negation in your sentences)
Example of subscribe form compliant with the RGPD :
- The presence of a mandatory confirmation by a check box may sometimes not be mandatory in a form (a single text may be sufficient) but it is generally strongly recommended to be sure that the person has read and accepted your conditions
- The acceptance text of your conditions can be lightened and moved before (or after) your form (as is the case above in the example to inform about the unsubscription possibility) but this should not be to the detriment of the clarity of your message and, in a general way, it is better to inform the user just before the validation button
Your site uses forms
Creation of a new form
Modification and compliance of an existing form
If, in your TOWeb site, you have already existing forms you want compliant with the GDPR then you can click on the button called "User personal data consent..." located below the list of fields of each form. TOWeb will tell you then the status of your form and offer you an option to make it compliant by the automatic adding of a "Confirmation" field that you may customize (see the example of a subscribe form). You can also manually add one or more "confirmation" fields to your form via the add new field button located below the list of fields on your form.
TOWeb assists you and advises you but it is up to you to decide which status you want to set to each form of your site. For example, if your form only collects anonymous data (an anonymous survey, a collection of improvement suggestions on your site from users, ...) then you can change its status to compliant, even if TOWeb signals you that it is "may not be". And conversely, TOWeb "can" detect your form as seemingly conform to the GDPR but if you know it is not (for example because you are not fully satisfied with the wording you used or because your policy confidentiality has not been updated yet regarding some new fields) then in such case you can force his status into "not yet compliant".
Marking the status of a form as compliant or not is a simple indicator to help you in your compliance task; it has no effect on your website or its true compliance with the GDPR. Here are different rules of good conduct you need to follow :
- Clarify the consent act: no interpretation should be possible. The wording must be positive (no negation).
- Distinguish consent from general conditions: consent can not be a prerequisite for registration to a service
- Collect consent through positive action: The opt-in is mandatory. Pre-checked box (opt-out) is no longer valid
- Facilitating the break-up of consent: It must be "as easy" to give consent as it is to withdraw it according to the RGPD. The right to be forgotten (and personal data deleted) must be mentioned in the immediate vicinity of the form
The predefined field %TW-PRIVACY%
By indicating the name of the field %TW- PRIVACY% inside the text of a paragraphs or inside labels of a form, TOWeb will automatically replace them with a link to the privacy page of your site (the one you have defined in "Options > Security & HTML").
The text used by default for this link can be modified and replaced by the one you want, and this for each language of your site from "Options > Languages > Translate predefined texts".
If your %TW- PRIVACY% field is placed inside texts located in your topics (forms, paragraphs, ...) then the link will open over your current topic (meaning that users will be able to read your policy without leaving your topic). On the other hand, if your %TW-PRIVACY% field is placed inside the footer of your theme (and therefore is common to all the pages of your site) then this link will open normally.
Your site uses third party services or partners