Watch Our Free Webinar on GDPR: What Is GDPR and What Is Your Host’s Role in It?
Last week we held a webinar with SiteGround’s Senior Legal Advisor, Maya Stoyanova, about GDPR: what it is and what you need to do about it. We share the video from the webinar here so you can watch it and find out if and how this new European regulation concerns you.
*Please excuse us for the poor quality of the image.

As promised, we are posting here the replies to the questions we couldn’t answer during the webinar.

Questions
Important: Please note that GDPR is still a very new topic, open to interpretation and with a lot of vague areas, so all answers to your questions should be considered only as an opinion and not as legal advice on the matter.
Ugo: Email data on SiteGround servers, GDPR compliance? SiteGround or customer responsibility?
The protection of all personal data, including email addresses stored on SiteGround servers, is a shared responsibility between the client owning that data and SiteGround. SiteGround is responsible for the integrity of the server hosting the data, but the client has to take care of passwords and other access to that data. The Data Processing Agreement that we will provide shortly aims to explain that responsibility.

Damiano (Posit S.C): Does somebody know about a Magento plugin for GDPR?
We haven’t yet managed to test all GDPR plugins for the different CMSs we host, so unfortunately we cannot recommend a specific plugin, but you can certainly check the Magento marketplace for one.

My understanding from reading so far is that a user must be given the option to opt in, not out, and that there must be clarity as to how the personally identifiable data will be used (and consequently not misused), but does that mean that user information (e.g. how they’ve operated on the site – usually this has no personally identifiable data) is actually now an issue, and how do we deal with existing mailing lists?
Yes, users have to opt in, not opt out, especially for marketing-related activities. If you use your mailing list to send users promotional emails, newsletters or other content that is not directly related to the provisioning of the service you deliver, then you need their explicit consent to receive such emails. If you gathered your list without asking for such explicit consent, it is recommended that you run a re-consent campaign (send an email asking them and giving them the option to say Yes or No) and get agreement from your users to use their emails for such purposes.

Oscar: If I have a blog that only redirects traffic to other companies through affiliate links, how does GDPR affect me?
If you do not collect any personal data (and we have to make a lot of assumptions to be sure of that: no IP log, no comments section on the blog that collects email and name, no stats, etc.), then you should worry only about cookies.

Jaimie: Cookie notifications topic, mixing implied and explicit consent in the cookie notification statement for new visitors. Is it ok to mix implied and explicit consent such as “by using this site” for performance/security cookies and an “accept” button for anything else?
In general, there is no need to ask for consent for technical cookies that enable the actual functioning of the website. But you still have to inform your visitors of such cookies in your cookie notice. Then you need to ask for consent for the other cookies that you use.

Peter: SG is the BEST!!! – if I live in the U.S., does GDPR apply to me? Thanks 🙂
If you have traffic from the EU and you store any personal data about these EU visitors, then the answer is yes.

Jackie O Brien: As a company that only deals with business-to-business contacts, where do we stand with GDPR?
Unfortunately, it’s more likely for you to be liable than not, even though you work with businesses and not individuals. For example, you may be collecting IPs, or stats cookies and pixels, or you may be collecting names and emails in your forms; all these cases require you to be GDPR-compliant. Even if these emails are business emails, they still trace back to an individual, so they have to be protected.

Benji: Since WordPress isn’t GDPR compliant yet, would I then explain this in a contract with a client, and if they sign it, would this then cover myself?
No, you will not be covered. You need to make sure that the way you use WordPress and all installed plugins and templates for the needs of that client is GDPR-compliant. WordPress is a piece of software that you put on your website and server; what personal data you collect through that WordPress and what data you share with third parties via the plugins you install is the main thing you should worry about when deciding if you need to be GDPR-compliant.

Evelia Amos: Please clarify if businesses need explicit consent when we post sounds or images on social media platforms.
Not sure what kind of sounds you mean, as music falls under other regulations, but when it comes to images: yes, you need consent, especially if you tag the people in the image. People have the right to withdraw that consent later, and you have to comply and remove the image if they do so. A possible exception is if you paid them for a marketing campaign, i.e. you took pictures of models posing to advertise your product and you paid them for that.

Marco: I read that the data server must be in the same country as my business activity or in the EU. Which one is the truth? Where are SiteGround servers located?
Having the servers in the same country your business comes from is not part of the GDPR regulations. We are aware that for accounting and other purposes, clients from some countries prefer to have such a convenience. I would recommend you check with your local authorities for more information on that matter. As to our data centers, we have servers in Chicago, Singapore, Amsterdam and London, and you may choose where your data is hosted.

Akin Ladapo: But IP addresses can be temporary and from various servers if traffic is rerouted. So does the IP address identify a user?
In many European countries, IP addresses are static and can easily lead to an individual, thus they are treated as personal data.

Missy: Collecting visitor information through a website contact form that does not save data to the database but only sends an email to the administrator, does the website owner need to obtain consent?
Yes, users have to give you their agreement to collect their personal data and need to be aware of how you will use that data. Even though you do not store it in a database, you still collect it somewhere (in an inbox, a file or elsewhere) and could use it.

Guilherme: You said that we should use the IP address to know that the user is from Europe, but what about tourists? For example, does a Brazilian visiting or living in Europe fit in the GDPR? And what about a European who lives in Brazil?
In general, the best way to be sure where a client is from is when they provide you with a country and address for billing or other purposes (on your registration or order form). If you have that information, regardless of what the IP says, you treat the user as an EU individual if their country is in the EU. But if you do not have that information, then you work with the IP: if their IP is from the EU, you treat them as an EU individual. You do not need to know if they are Brazilians just passing through the EU as tourists, or vice versa. You work with the data you can record about them.

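The decision rule in this answer (billing or registration country first, IP geolocation only as a fallback) as an added example in JavaScript. This is not code from the webinar or from SiteGround. The IP ranges are constructed from documentation (TEST-NET) prefixes and stand in for a real geolocation database; the EU country set is the membership as of May 2018 (28 states, including GB) and has to be maintained; the choice to treat a visitor with no usable signal as EU is this example's own conservative default, not something the answer states.

```javascript
// Added example (not SiteGround's code): is this visitor an EU data subject?
// Rule from the answer above: a declared billing/registration country wins;
// without it, fall back to the country the IP address geolocates to.

// EU member states as of May 2018, ISO 3166-1 alpha-2. Keep this list current.
const EU_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
  "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "GB",
]);

// Constructed IPv4 prefix table standing in for a geolocation database.
// These are documentation (TEST-NET) ranges, not real allocations.
const GEO_TABLE = [
  { cidr: "192.0.2.0/24", country: "DE" },
  { cidr: "198.51.100.0/24", country: "BR" },
  { cidr: "203.0.113.0/24", country: "US" },
];

// Dotted-quad IPv4 string to an unsigned 32-bit integer, rejecting malformed input.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + n;
  }, 0);
}

// True when ip falls inside the CIDR block (IPv4 only).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  // JS shifts are modulo 32, so a /0 mask has to be special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// First matching prefix wins; null when the address is not in the table.
function countryForIp(ip, table = GEO_TABLE) {
  const hit = table.find((row) => inCidr(ip, row.cidr));
  return hit ? hit.country : null;
}

// Returns { eu, basis } so the reason for the decision can be logged.
function isEuDataSubject({ billingCountry = null, ip = null } = {}) {
  if (billingCountry) {
    return { eu: EU_COUNTRIES.has(billingCountry.toUpperCase()), basis: "billing_country" };
  }
  if (ip) {
    const country = countryForIp(ip);
    if (country) return { eu: EU_COUNTRIES.has(country), basis: "ip_geolocation" };
  }
  // Assumption of this example: with nothing to go on, err on the side of GDPR.
  return { eu: true, basis: "unknown_default_eu" };
}

// Stand-alone demo: a Brazilian billing address wins over a German IP.
console.log(isEuDataSubject({ billingCountry: "BR", ip: "192.0.2.10" }));
```

Logging the `basis` alongside the decision matters in practice: if a visitor later disputes how they were classified, the record shows whether a declared address or only an IP lookup was used.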
Jaidev Kesavan: If the payment system on a website is handled by a 3rd party service provider, such as PayPal or Razorpay (an Indian service provider), is it the job of the payment service provider to protect data privacy, or the website owner’s, considering that the payment gateway service collects customer information and not the website owner?
Even though you don’t store the data on your site, you are the owner of it: clients authorise you to collect it, and by the letter of the law you are the “controller” of that data. It is your responsibility to inform the client that their data will be collected, for what purposes and by which partners of yours. You also have to make sure your processors are GDPR-compliant.

Bart: Is “anything that can identify an individual” an accurate definition? Because this would also include info like preferences, web browser, language and, most troublesome, mobile.
Yes, “anything” is accurate, but keep in mind that some of that data serves as an identifier only when used together with other data. Just the language or browser used does not identify a person, but if you also have something else about the user, then you may be able to profile them, and thus you may need to be GDPR-compliant.

PeachPerfectWeddings: Hi guys, apart from GDPR, is there a good overview list of such things (legal requirements etc.) that a small business has to ensure, which is based in the EU but serves clients from all over the world? As in not directly selling online, but just a website with our services.
Unfortunately, no. But in this webinar we have covered the basics, and this is a good start for any business.

Sandra Eversberg: I use Joomla, have installed Google Analytics and a Facebook pixel and wonder if there is any plugin for Joomla which allows the user to opt in/opt out from those services with a click of a button. Do you know any of those?
Unfortunately, we cannot recommend a plugin for that purpose. The good news is that the EU wants to make it possible for users to opt out by changing their browser settings. It will take time before that gets applied, though.

Melissa: I am under the impression that if our website is only US-based and we don’t do any business in the UK, this will not be an issue. Is that the case? I have a local (one state) directory.
If you do not get ANY traffic from the EU (any EU IPs) or users signing up with a country in the EU, then you have nothing to worry about. Yet please make sure you are really not collecting any personal data from EU citizens before you take a final decision on how to proceed.

Trisha Torrey: I am located in the US, run a membership site, and 99.9% of my membership is located in the US and Canada. Do I need to set up for GDPR compliance? Maybe I should just restrict membership to the US and Canada only?
If you could sacrifice the 0.1% of the traffic, then the easiest solution is to restrict membership. Otherwise you have to become GDPR-compliant.

Ellen Rothwax: What are the consequences if you do not comply? How will this be enforced?
The fines are really heavy and they vary per country. There are authorities in every country that will monitor and enforce sanctions. These authorities will check companies for compliance or will take action when they are alerted by a complaint.

Kunal Khanna: What is the scope of this compliance? Does it apply only to personal email IDs (like Gmail / Hotmail etc.) or does it also include official email IDs?
The compliance aims to protect individuals and their personal data. However, an individual’s business email may also be considered personal data, as it allows you to identify who that person is and also to send them promotional emails, for example.

Spafford: Can you review the implications and complications of Facebook or Google pixels on the website? For example, is it legal?
There is no law that forbids you to use Facebook and Google pixels, but if you use them, the GDPR requires you to disclose that to your users so that they are informed that their data is collected and used.

Luigi: What about the documentation requirement of GDPR? Is that necessary for running a website?
Check with local authorities if you need any additional paperwork, but the most essential documentation required is all the contracts between you and your clients, and between you and your partners, that cover the use of your clients’ personal data. These are documents you prepare if you collect and store personal data; you publish them on your website or keep them on file in case you get investigated.

Lisa: Is the cookie law separate and still needed in addition to the GDPR?
Yes, it is still there, and now you have to not only ask for consent but also give the user the option to opt out of getting cookies and still be able to browse your site.

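The cookie rules from Jaimie’s and Lisa’s questions above, as an added JavaScript example that is not code from the webinar or from SiteGround: technical cookies needed for the site to work are set without consent but still appear in the notice, analytics and marketing cookies are set only after an explicit opt-in, and a visitor who declines or later withdraws consent keeps browsing with the technical cookies only. The cookie registry, its names and purposes, and the two opt-in categories are constructed for the example.

```javascript
// Added example (not SiteGround's code): a minimal consent gate for cookies.

// Constructed cookie registry; a real site lists the cookies it actually sets.
const COOKIE_REGISTRY = {
  session_id: { category: "technical", purpose: "keeps you logged in" },
  csrf_token: { category: "technical", purpose: "protects forms against request forgery" },
  _ga:        { category: "analytics", purpose: "Google Analytics visitor statistics" },
  _fbp:       { category: "marketing", purpose: "Facebook pixel ad attribution" },
};

// Categories that need an explicit opt-in. "technical" is deliberately absent:
// those cookies are allowed by default but are disclosed all the same.
const OPT_IN_CATEGORIES = new Set(["analytics", "marketing"]);

// consent is null for a new visitor who has not answered the notice yet,
// otherwise an object such as { analytics: true, marketing: false }.
// Returns the cookie names that may be set under that consent.
function allowedCookies(consent, registry = COOKIE_REGISTRY) {
  return Object.keys(registry).filter((name) => {
    const { category } = registry[name];
    if (category === "technical") return true;            // no consent needed
    if (!OPT_IN_CATEGORIES.has(category)) return false;   // unknown category: never set
    return consent !== null && consent[category] === true; // explicit opt-in only
  });
}

// Lines for the cookie notice: every cookie is disclosed, technical ones marked required.
function cookieNoticeLines(registry = COOKIE_REGISTRY) {
  return Object.entries(registry).map(([name, { category, purpose }]) =>
    `${name} (${category}): ${purpose}${category === "technical" ? " [required]" : ""}`
  );
}

// Withdrawal: cookies allowed under the old consent but not the new one must go.
function cookiesToDelete(oldConsent, newConsent, registry = COOKIE_REGISTRY) {
  const stillAllowed = new Set(allowedCookies(newConsent, registry));
  return allowedCookies(oldConsent, registry).filter((name) => !stillAllowed.has(name));
}

// Browser glue: expire withdrawn cookies. Guarded so the file also runs under Node.
function applyConsentChange(oldConsent, newConsent) {
  const names = cookiesToDelete(oldConsent, newConsent);
  if (typeof document !== "undefined") {
    for (const name of names) document.cookie = `${name}=; Max-Age=0; path=/`;
  }
  return names;
}

// Stand-alone demo: a new visitor gets only the technical cookies.
console.log(cookieNoticeLines().join("\n"));
console.log("set for a new visitor:", allowedCookies(null));
```

The gate is deliberately allow-listed: a cookie whose category is not registered is never set, so adding a new tracking script without updating the registry fails closed instead of silently bypassing consent. `applyConsentChange` only expires first-party cookies; third-party cookies set by a pixel’s own domain have to be handled by not loading that script until consent exists.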
Manuel: What about when you just receive your customer’s name, email and phone through the contact form on your website? Does the customer have to be informed of the use of that info right before he sends the message? Or is it enough with the terms accepted by the user when entering the website for the first time?
It depends on how you got their agreement in the first place, but in general we recommend you get explicit consent on the form, before the send button.

Ulrika: What does the GDPR state about crowdfunding, newsletters and donating/sponsoring clients?
It doesn’t matter why people are giving you their data; it only matters that you collect such data. Clients donating money to you through a crowdfunding campaign are still vulnerable and are protected by the GDPR. As to the newsletters that you will be sending them, you need to ask for their explicit and separate consent.

Njoki: We have donors from both Europe and America; will the GDPR affect all of them, and how do I ensure that everyone in the database is covered? We have a database of over 20,000 people.
All EU donors need to be aware of what data you collect about them and how you use it, and if you use it to market services to them, you need to ask for explicit consent. Additionally, you need to make sure that access to this database is secure, that as few people as possible have access to it, and that those people are aware of their liability if that data is abused.

Hristo Pandjarov, Product Development – Technical