General Data Protection Regulation

Site compliant with the European GDPR

The General Data Protection Regulation (GDPR) is the European regulation governing the processing and circulation of personal data. Since May 25, 2018, all websites in the countries of the European Union must comply with it or face penalties.
Note: even if your site or company is not located in the European Union, it is strongly recommended to comply with the GDPR, to better inform and reassure all visitors of your site, including those in Europe.

Starting with version 7.09, TOWeb offers automation and assistants to help you build and maintain a GDPR-compliant website. To take advantage of these functions in TOWeb, make sure the "Site compliant with the European GDPR" option is enabled; it is enabled by default and located in the "File > Site summary" screen, and is also offered when creating a new site.
Note: disabling this option makes no change to your site; it only changes the behavior of TOWeb, which will no longer offer any automation or assistant related to the GDPR.

Terms, Conditions and Privacy Policy

Depending on your site, TOWeb systematically offers a last page dedicated to your terms of use or conditions of sale, but it may be necessary to create an additional page on your site dedicated only to your privacy policy. If this is the case and you have created one, you will need to indicate it to TOWeb in "Options > Security & HTML > Users' personal data".

Your site is not a sales site

Unless you need to add objects (images, tables, ...) or need to place your privacy policy on a different page than your terms of use/sale, you can use the "terms of use" page already present on your site for this purpose (the default choice) by giving it the title "Privacy Policy" and content appropriate to the personal data your site/company collects and processes.

Your site is an e-commerce site with online sales

It is recommended to keep the rules related to privacy separate from the general conditions of sale of your site, so we advise you to proceed as follows:

  1. create on your site a "Privacy Policy" page dedicated to all your explanations on the use of cookies and third-party services, as well as the processing you apply to the personal data of users/customers collected from your site
  2. in your "Terms of Sale" page, include at least one link to your "Privacy Policy" page
  3. in the purchase order form of your e-Commerce site (Options > e-Commerce > Order Form), check that you have activated the option forcing the buyer to accept your terms and conditions
  4. if you use an online payment service X on your e-Commerce site for which you have activated the option "Upload customer information to X", then you will have to mention it in your Privacy Policy and/or Terms of Sale

Privacy policy

When creating a page dedicated to your privacy policy:

  • it is not normally necessary to display it in the general menu of your site, so you may want to tick the option "Do not display this topic in the menu". However, as this page must be easily accessible to your visitors/customers at any time, we advise you to add a link to your privacy policy in the page footer of your site, if possible close to the one pointing to your terms of use or conditions of sale
  • remember to specify which topic contains your privacy policy in the "Options > Security & HTML" screen of TOWeb
  • to let visitors consult this topic from your texts, use the predefined field %TW-PRIVACY%
  • Finally, depending on your activity and the content of your site, you may also be required to:

The content of your privacy policy depends on your activity, on the different data you may collect and on the subsequent processing you perform with them; you will therefore have to follow the guidelines of the European regulation. Below you will find important information that you need to include in your privacy policy:

  • The physical location of the collected data
  • Data retention time
  • The departments within the company that have access to personal data files, and any resale or transfer of personal data to third parties
  • A clear explanation of the consent the user gives when completing a form and ticking the box validating the use of his/her personal data
  • How a user may consult personal data that you stored about him/her 
  • The process to modify his/her subscriptions (mailing list)
  • The process to request the deletion of his/her data (right to be forgotten)

Your transparency will build your customers' trust, so do not hesitate to be very clear and concise, not only regarding the different personal data that you store, but also regarding security aspects (for example by mentioning that your site is served over HTTPS, if this is the case) and any other personal data processing used within your company (other than TOWeb for managing your website), if you have other tools on your computers that may reuse users' personal information.

Your site uses a mailing list

To comply with the GDPR, the person who gives you his/her email address through your subscribe form must be informed in advance of the use you will make of it: precisely what type(s) of information he/she will receive by email, how often, to which third parties his/her email address may be communicated and why, which procedure to follow to unsubscribe, etc.
For this reason it is strongly recommended to apply at least one of the two recommendations below:

  1. use the "user confirmation required" option located in "Options > i-Services > Mailing list > Configure" (or from the "Configure" button located inside the paragraph using a mailing list form) to force the user to read and accept your conditions through a text that you have written clearly, concisely and positively (no negation in your sentences)
  2. add a text next to your subscription form (for example just before and/or just after) to give more explanations, invite the user to consult your privacy policy, explain the procedure to follow to unsubscribe, and cover other important points depending on the processing you may apply to his/her email address.

Example of a subscribe form compliant with the GDPR

Remarks:

  • A mandatory confirmation check box is not always required in a form (a text alone may sometimes be sufficient), but it is generally strongly recommended, to be sure that the person has read and accepted your conditions
  • The acceptance text of your conditions can be lightened and moved before (or after) your form (as is the case in the example above, to inform about the possibility of unsubscribing), but this should not be to the detriment of the clarity of your message; in general, it is better to inform the user just before the validation button
  • A link to your privacy policy is strongly advised, opening in an overlay so that users do not leave the form. For this you can use the predefined field %TW-PRIVACY%.

Your site uses forms

If one or more web forms on your site collect personal information from users (such as their name, address, email, date of birth, ...), then your forms will have to request explicit consent from these people regarding the use you make of their data. This consent to your privacy policy should not be implicit (for example, do not put a check box that is ticked by default) or formulated with a negation, but expressed clearly and without ambiguity about its purpose. Users should be made aware of this at the level of your forms, if possible with a link pointing to your privacy policy placed inside or near your form (usually at the end, before the submit button).

Creation of a new form

Whether via the wizard to add a new paragraph containing a form, by adding a form object directly inside an existing paragraph, or via the wizard to add a new topic containing a form, TOWeb will systematically add by default a "confirmation" field at the end of your new forms to make them compliant with the European GDPR (if this option is activated on your site). Depending on the content of your form, your activity and your privacy policy, you can modify these fields afterwards.

Modification and compliance of an existing form

If your TOWeb site already has existing forms that you want to make compliant with the GDPR, you can click on the button called "User personal data consent..." located below the list of fields of each form. TOWeb will then tell you the status of your form and offer you an option to make it compliant by automatically adding a "Confirmation" field that you may customize (see the example of a subscribe form). You can also manually add one or more "confirmation" fields to your form via the add new field button located below the list of fields of your form.
TOWeb assists and advises you, but it is up to you to decide which status you want to set for each form of your site. For example, if your form only collects anonymous data (an anonymous survey, a collection of improvement suggestions for your site from users, ...) then you can change its status to compliant, even if TOWeb signals that it "may not be". Conversely, TOWeb may detect your form as seemingly compliant with the GDPR, but if you know it is not (for example because you are not fully satisfied with the wording you used, or because your privacy policy has not yet been updated for some new fields), then you can force its status to "not yet compliant".
Marking the status of a form as compliant or not is a simple indicator to help you in your compliance task; it has no effect on your website or on its actual compliance with the GDPR. Here are the different rules of good conduct you need to follow:

  1. Clarify the consent act: no interpretation should be possible. The wording must be positive (no negation).
  2. Distinguish consent from the general conditions: consent cannot be a prerequisite for registering to a service
  3. Collect consent through a positive action: the opt-in is mandatory. A pre-checked box (opt-out) is no longer valid
  4. Make withdrawing consent easy: according to the GDPR, it must be "as easy" to withdraw consent as it is to give it. The right to be forgotten (and to have personal data deleted) must be mentioned in the immediate vicinity of the form
  5. When you add a new form to your site, or when you change one of your forms to add one or more new fields, it is important to systematically ask the question "does this change and the new information I collect require any update of my privacy policy page?"
  6. The data you collect must be justified and the purpose of its collection clearly explained in your privacy policy (for example, do not ask for a date of birth if this information makes no sense with respect to the service or the request related to your form)

The predefined field %TW-PRIVACY%

By writing the field name %TW-PRIVACY% inside the text of a paragraph or inside the labels of a form, TOWeb will automatically replace it with a link to the privacy page of your site (the one you have defined in "Options > Security & HTML").
The text used by default for this link can be modified and replaced by the one you want, for each language of your site, from "Options > Languages > Translate predefined texts".
If your %TW-PRIVACY% field is placed inside texts located in your topics (forms, paragraphs, ...), then the link will open over your current topic (meaning that users will be able to read your policy without leaving your topic). On the other hand, if your %TW-PRIVACY% field is placed inside the footer of your theme (and is therefore common to all the pages of your site), then this link will open normally.
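As an added example (not TOWeb's own code), the following JavaScript shows one way to apply the consent rules from the form section above together with the %TW-PRIVACY% substitution just described: the placeholder is replaced with a privacy-policy link (overlay inside a topic, normal link in the footer), the consent box is rendered unchecked and required with positive wording, and the server accepts only an explicit opt-in. Function names, the data-overlay attribute and the shape of the field definition are assumptions made for illustration.

```javascript
// Added example, not TOWeb's own code. Function names, the data-overlay
// attribute and the field/option shapes are assumptions made for illustration.

// Escape text before it is placed in HTML so that a translated link text
// or a form label can never inject markup into the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Replace every %TW-PRIVACY% placeholder with a link to the privacy page.
// Inside a topic the link is marked to open as an overlay so the visitor
// does not leave the form; in the theme footer it opens normally.
function expandPrivacyField(text, { privacyUrl, linkText, inTopic }) {
  const overlay = inTopic ? ' data-overlay="true"' : "";
  const link = `<a href="${escapeHtml(privacyUrl)}"${overlay}>${escapeHtml(linkText)}</a>`;
  return escapeHtml(text).replace(/%TW-PRIVACY%/g, link);
}

// Check a consent field definition against the rules above: opt-in only
// (never pre-checked), required to submit, positive wording without a
// negation, and a link to the privacy policy in the label itself.
function checkConsentField(field) {
  const problems = [];
  if (field.checkedByDefault) problems.push("pre-checked box: consent must be an opt-in");
  if (!field.required) problems.push("the consent box must be required to submit the form");
  if (/\b(not|never|no|don't|do not)\b/i.test(field.label)) problems.push("wording contains a negation");
  if (!/%TW-PRIVACY%/.test(field.label)) problems.push("label lacks a link to the privacy policy");
  return problems;
}

// Render the consent check box, unchecked and required, with the expanded
// privacy link in its label. Refuses to render a non-compliant definition.
function renderConsentField(field, opts) {
  const problems = checkConsentField(field);
  if (problems.length) throw new Error("consent field not compliant: " + problems.join("; "));
  const id = escapeHtml(field.name);
  return `<label for="${id}"><input type="checkbox" id="${id}" name="${id}" value="yes" required> ` +
    `${expandPrivacyField(field.label, opts)}</label>`;
}

// Server side: the browser check can be bypassed, so only an explicit "yes"
// submitted for the consent field counts as consent; anything else does not.
function consentGiven(formData, fieldName) {
  return formData != null && formData[fieldName] === "yes";
}
```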

Your site uses third party services or partners

If your site uses third-party services that may collect personal information from your users (for example Google Analytics, or scripts that you may have added to your site), you will need to list them in your cookies and privacy data consent and indicate how to disable them if users do not want them while browsing your site (for example by using the private mode of their browser, disabling JavaScript, or any other appropriate options or plugins of their web browser).
In general, if you have scripts or partner services running on your site that use cookies or social networks, you should also be transparent by listing them and indicating which user information you communicate to these third parties and for what purposes. Depending on your needs, the use of a consent banner on your site or of an introductory page may also be considered.