In this blogpost we ask if website owners must notify all 3rd parties on their websites of website visitors' requests to rectify or erase personal data or restrict processing.
We will explain how Trackerdetect automatically detects and builds information about 3rd parties on your website, helping you identify every 3rd party to whom you have a duty to communicate your website visitors' requests to rectify or erase personal data or restrict processing, as required in GDPR Article 19.
In the following it is assumed that
- you have 3rd parties on your site,
- the personal data of your website visitors are disclosed to the 3rd parties on your site, and
- your website visitors request to rectify or erase personal data or restrict processing with regard to their interaction data with your site, in accordance with GDPR Article 16, Article 17(1) and Article 18.
Notification to Recipients
If you are a website owner, you can ask yourself
“Must I communicate to 3rd parties on my website that my website visitors request to rectify or erase their personal data or restrict processing of their personal data?”
The answer is yes.
Site owners must communicate to each recipient to whom the personal data have been disclosed that their website visitors request to rectify or erase personal data or restrict processing, in accordance with GDPR Article 16, Article 17(1) and Article 18. The term “recipient” (GDPR Article 4.9) includes
- data controllers
- joint controllers
- processors to whom data is transferred or disclosed
- third party recipients
This is the main rule in GDPR Article 19.
How can Trackerdetect help?
With Trackerdetect you can automatically detect all 3rd parties on your site
- at a given time by manual clicks
- at given intervals, e.g. each 6th hour
- from a given location
- and store the information about the 3rd parties in a record with Signatu, including information about their
  - legal entity
  - contact details
  - etc
Hence, Trackerdetect will enable you to identify 3rd parties that are on your site and equip you with their contact details so you can communicate to those 3rd parties that your website visitors request to exercise their rights.
Exemption from main rule
You may ask yourself
“Can I be exempted from the duty to communicate to 3rd parties on my website that my website visitors request (with regard to their interaction data with my website) to rectify or erase their personal data or restrict processing of their personal data?”
The answer is yes.
GDPR Article 19 exempts you from the main rule (to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed) if this proves impossible or involves disproportionate effort.
However, Trackerdetect
- identifies 3rd parties on your site expediently
- provides you with the contact details of the 3rd parties on your site
- is easy-to-use
- is available for a low subscription fee
Hence, you may find it difficult to prove that such communication to 3rd parties on your site is impossible or involves disproportionate effort.
Other blogposts on Trackerdetect
In other blogposts about Trackerdetect on
- Oh heck, do I have a lot of 3rd parties on my website?
- Keep a record of all 3rd parties on websites?
- Inform about all 3rd parties on websites in Privacy Policy?
- Inform about 3rd parties on websites in Access Request response?
- Notify 3rd parties on websites of site visitors' request to exercise rights?
- Classify 3rd parties on websites as Controllers, Processors etc?
- Assess risk of having 3rd parties on websites?
- Internal policies for having 3rd parties on websites?
- Is having unauthorised 3rd parties on a website a personal data breach?
- Must I have a tool to identify and record 3rd parties on my website?
we have explained reasons why you should become aware of 3rd parties on your site and how Trackerdetect automatically detects and builds a record of 3rd parties that are on your website to
- help you meet the record keeping requirements in GDPR Article 30.1.
- help you meet the information and transparency requirements in GDPR Article 13.
- help you respond to your website visitor's Access Request in GDPR Article 15.
- equip you with their contact details so you can communicate to those 3rd parties that your website visitor requests to exercise his/her right.
- enable you to classify 3rd parties to determine whether or not you are required to enter into an agreement with the detected 3rd parties, as required in GDPR (data processing agreement (GDPR Article 28), joint controller agreement (GDPR Article 26), controller to controller agreement).
- help you identify all 3rd parties on your website so that you can assess whether the processing operations of the 3rd parties on your website pose risks to the rights and freedoms of your website visitors and whether a DPIA is necessary, in accordance with GDPR.
- help you understand how 3rd parties appear on your website so that you can adopt internal data protection policies for having 3rd parties on your website, as required by GDPR Article 24.
- help you to identify whether unauthorised disclosure of your website visitors’ personal data has occurred and whether you need to notify the personal data breach to the supervisory authority and your website visitors.
- help you to be able to demonstrate that you have the technological measures to detect and record 3rd parties on websites, as required by the GDPR Articles 24.1, 30.1(d) and Recital 87.
Reach out to us
If you have an interest in Trackerdetect, please send us an email to hello@signatu.com.