Keep a record of all 3rd parties on websites?

In this blogpost we ask if website owners must keep a record of all 3rd parties on their websites.

We will explain how Trackerdetect automatically detects and builds a record of 3rd parties on your website to help you meet the record keeping requirements in GDPR Article 30.1.

In the following it is assumed that

• you have 3rd parties on your site, and
• the personal data of your website visitors are disclosed to the 3rd parties on your site.

Processing Record

If you are a website owner, you can ask yourself

“Must I keep a record of my website processing activities?”

The answer is yes.

This is the main rule in GDPR Article 30.1.

Site owners must “maintain a record of processing activities under their responsibility.”

Having 3rd parties on a site would fall under the scope of the site owner’s processing activities, and, thus, under the site owner’s responsibility.

However, whether the site owner and the 3rd parties on the site owner’s site are separately or jointly responsible for their processing of the personal data of the site owner’s website visitors depend on the processing activity. This needs to be determined in order to define which information to include in the processing record of the site owner and the 3rd parties on the site, respectively.

Record of 3rd parties

If you also ask yourself

“Must I in the processing record include information about 3rd parties on my website?”

The answer is yes.

Site owners must include in the processing record categories of recipients of website visitors’ personal data.

This is the main rule in GDPR Article 30.1(d).

How can Trackerdetect help?

With Trackerdetect you can automatically detect 3rd parties on your site

• at a given time by manual clicks
• at given intervals, e.g. each 6th hour
• from a given location
• and store the information about the 3rd parties in a record with Signatu
• include such information in your Privacy Policy, Consent request and Access Request information
• and export data about the detection and each 3rd party

Record of all categories of 3rd parties

If you additionally ask yourself

“Must I in the processing record include information about all categories of 3rd parties on my website?”

The answer is yes.

Site owners must include in the processing record the recipient of website visitors’ personal data.

The term “recipient” (GDPR Article 4.9) includes

• data controllers
• joint controllers
• processors to whom data is transferred or disclosed
• third party recipients

This is the main rule in GDPR Article 30.1(d).

Record of all unauthorised 3rd parties

If you also ask yourself

"Must I in the record include all 3rd parties to which the personal data of my website visitors are disclosed without my authorisation?"

The answer is yes.

This is the rule in GDPR Article 33.5.

How can Trackerdetect help?

With Trackerdetect you can automatically detect all 3rd parties on your site including information about

• legal entity
• contact details
• categorization of each 3rd party
• description of each 3rd party's service
• links to website privacy policy of each 3rd party, service policy and cookie policy with date it went into effect or date of last version (if any)
• links to opt-out method(s) (if any)
• etc.

Record information: recipients

If you also ask yourself

“Must I in the processing record include details about 3rd parties on my website?”

The answer is that the record shall contain information about “the categories of recipients”.

This is the main rule in GDPR Article 30.1(d).

The wording of GDPR Article 30.1(d)) does no require that you in the processing record include information on the actual named recipients of website visitors’ personal data.

The WP29, has concerning the same expression (“the categories of recipients”) in GDPR Article 13.(e) and 14.1(e) said that where one opts only to provide the categories of recipients the information on the categories of recipients should be as specific as possible by indicating the type of recipient, i.e. by reference to

• the activities it carries out
• the industry
• sector
• sub-sector
• the location of the recipients

The reasoning behind the record keeping requirements (GDPR Article 30.1(d)) and the transparency requirements (GDPR Article 13.(e) and 14.1(e)) is different, but the information requirement may be the same.

How can Trackerdetect help?

With Trackerdetect

• you can find out what the detected 3rd parties typically do,
• the detected 3rd parties are grouped together under categories made by signatu, such as website analytics, marketing etc.

Record information: use purposes

If you ask yourself,

“Must I in the processing record include information about the purpose for which I use 3rd parties on my website?”

The answer is yes.

Site owners must include in the processing record “the purposes of the processing”. This includes the purpose for which you use 3rd parties on your website, e.g. websites analytics.

This is the main rule in GDPR Article 30.1(b).

How can Trackerdetect help?

With Trackerdetect you can find out why you typically use a detected 3rd party.

Record information: transfers outside EU

If you ask yourself,

“Must I in the processing record include information about the transfer of my website visitors’ personal data to a country outside the EU where the 3rd parties on my website are?”

The answer is yes.

Site owners must include in the processing record “transfers of personal data to a third country or an international organisation, including the identifi­cation of that third country or international organisation.”

In the case of transfers outside the EU to a country that has no adequacy decision (pursuant to GDPR Article 45(3)) or has no appropriate safeguards (pursuant to GDPR Article 46) and the website visitor
consents to the transfer, site owners must include in the processing record the documentation of suitable safeguards.

This is the main rule in GDPR Article 30.1(e).

How can Trackerdetect help?

With Trackerdetect you can find out the URL of the 3rd party and determine the physical location of the IP address of the 3rd party URL domain name. From the transmission of website visitors' data (between the URL of the website and the URL of the 3rd party) it may be inferred that website visitors' data are transferred or not transferred between countries as well as from the EU to a third country.

We could go on and comment about other information requirements for the processing record (GDPR Article 30.1(c), 30.1(f), 30.1(g), however the main point in the above is to describe how Trackerdetect can assist you in making a record of 3rd parties on your site, as required by GDPR Article 30.1.

Record frequency

If you ask yourself,

“How often must I maintain the processing record with information about 3rd parties on my site?”

The answer is not so certain.

The main rule in GDPR Article 30.1 imposes a duty on site owners to “maintain” a record of 3rd parties on your site.

The term “maintain” is in the present tense.
Present tense expresses an action that is currently going on or habitually performed, or a state that currently or generally exists.
Hence, according to a literal understanding, site owners must continuously or constantly maintain the processing record with information about 3rd parties on the website.

Data Protection Authorities have published guidelines saying that the frequency of updating the information must be carried out from time to time.

How can Trackerdetect help?

With Trackerdetect you can automatically detect 3rd parties on your site

• by manual clicks
• by automatic intervals, e.g. each 6th hour

Exemption from main rule

You may ask yourself

“Can I be exempted from the requirement to record processing activities?”

The answer is yes.

GDPR Article 30.5 exempts from the main rule - to maintain a record of processing activities - if an enterprise or an organisation employs fewer than 250 persons.

However, GDPR Article 30.5 says that the main rule applies if

• the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects,
• the processing is not occasional, or
• the processing includes special categories of data as referred to in Article 9(1) or
• personal data relating to criminal convictions and offences referred to in Article 10.

Then you can ask yourself

“Will having 3rd parties on my site fall under the scope of any of these rules that trigger the application of the main rule?”

Finally, you may ask yourself

“Are there situations when I always must record the presence of 3rd parties on my site?”

This will be covered in an upcoming blogpost on Consent Record Keeping.

Other blogposts on Trackerdetect

In other blogposts about Trackerdetect on

• Oh heck, do I have a lot of 3rd parties on my website?
• Keep a record of all 3rd parties on websites?
• Inform about all 3rd parties on websites in Privacy Policy?
• Inform about 3rd parties on websites in Access Request response?
• Notify 3rd parties on websites of site visitors' request to exercise rights?
• Classify 3rd parties on websites as Controllers, Processors etc?
• Assess risk of having 3rd parties on websites?
• Internal policies for having 3rd parties on websites?
• Is having unauthorised 3rd parties on a website a personal data breach?
• Must I have a tool to identify and record 3rd parties on my website?

we have explained reasons why you should become aware of 3rd parties on your site and how Trackerdetect automatically detects and builds a record of 3rd parties that are on your website to

• help you meet the record keeping requirements in GDPR Article 30.1.
• help you meet the information and transparency requirements in GDPR Article 13.
• help you respond to your website visitor's Access Request in GDPR Article 15.
• equip you with their contact details so you can communicate to those 3rd parties that your website visitor requests to exercise his/her right.
• enable you to classify 3rd parties to determine whether or not you are required to enter into an agreement with the detected 3rd parties, as required in GDPR (data processing agreement (GDPR Article 28), joint controller agreement (GDPR Article 26), controller to controller agreement).
• help you identify all 3rd parties on your website so that you can assess whether your website-3rd parties' processing operations pose risks to the rights and freedoms of your website visitors and whether a DPIA is necessary, in accordance with GDPR.
• help you understand how 3rd parties appear on your website so that you can adopt internal data protection policies for having 3rd parties on your website, as required by GDPR Article 24.
• help you to identify whether unauthorised disclosure of your website visitors’ personal data have occurred and whether you need to notify the personal data breach to the supervisory authority and your website visitors.
• help you to be able to demonstrate that you have the technological measures to detect and record 3rd parties on websites, as required by the GDPR Articles 24.1, 30.1(d) and Recital 87.

Reach out to us

If you have an interest in Trackerdetect, please send us an email to hello@signatu.com.