Internal policies for having 3rd parties on websites?

In this blogpost we ask if website owners must adopt internal policies, for the protection of the personal data of their website visitors, when having 3rd parties on their websites.

We will explain how Trackerdetect automatically detects and builds information about 3rd parties on your website to help you understand how 3rd parties appear on your website so that you can adopt internal data protection policies for having 3rd parties on your website, as required by GDPR Article 24.

In the following it is assumed that

• you have 3rd parties on your site
• the personal data of your website visitors are disclosed to the 3rd parties on your site

Internal policies

If you are a website owner, you can ask yourself

“Must I adopt internal policies for the protection of the personal data of my website visitors when I have 3rd parties on my website?”

The answer is, yes, most probably.

This is the rule in GDPR Article 24.1 and 24.2 (and Recital 78, second sentence).

If having 3rd parties on the site owner's site is likely to result in a high risk to the rights and freedoms of the website visitors,
then it is proportionate that site owners must “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the GDPR]” (GDPR Article 24.1).

Such measures include “the implementation of appropriate data protection policies by the [site owner]” (GDPR Article 24.2).

Internal policies about what?

If you also ask yourself

“Which internal policies on personal data protection must I adopt to ensure and be able to demonstrate that having 3rd parties on my site is in accordance with the GDPR?”

The, answers are partly provided

• in my previous blogposts, mentioned above, on Trackerdetect.
• in how site owners adopt policies on how to use Trackerdetect, e.g. whether site owners use Trackerdetect to detect 3rd parties
  • on some or all URLs
  • at a given time by manual clicks
  • at given intervals, e.g. each 6th hour
  • from a given location
  • define conditions to approve or disapprove a detected 3rd party
  • assign employees, DPO etc to acts on tasks to to approve or disapprove a detected 3rd party
  • etc

Review and update of internal policies?

If you additionally ask yourself

““Must I review and update internal policies for the protection of the personal data of my website visitors when I have 3rd parties on my website?”

Then, the answer is maybe.

This is the rule in GDPR Article 24.1, second sentence.

Those internal data protection policies “shall be reviewed and updated where necessary”.

Data Protection Officer monitors compliance with internal policies?

If you have a Data Protection Officer, you may also ask yourself

“Must my Data Protection Officer monitor my compliance of my internal policies for the protection of the personal data of my website visitors when I have 3rd parties on my website?”

The answer is yes.

This is the rule in GDPR Article 39.1(b).

The Data Protection Officer shall “monitor compliance with … the policies of the controller ... in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits”.

Other blogposts on Trackerdetect

In other blogposts about Trackerdetect on

• Oh heck, do I have a lot of 3rd parties on my website?
• Keep a record of all 3rd parties on websites?
• Inform about all 3rd parties on websites in Privacy Policy?
• Inform about 3rd parties on websites in Access Request response?
• Notify 3rd parties on websites of site visitors' request to exercise rights?
• Classify 3rd parties on websites as Controllers, Processors etc?
• Assess risk of having 3rd parties on websites?
• Internal policies for having 3rd parties on websites?
• Is having unauthorised 3rd parties on a website a personal data breach?
• Must I have a tool to identify and record 3rd parties on my website?

we have explained reasons why you should become aware of 3rd parties on your site and how Trackerdetect automatically detects and builds a record of 3rd parties that are on your website to

• help you meet the record keeping requirements in GDPR Article 30.1.
• help you meet the information and transparency requirements in GDPR Article 13.
• help you respond to your website visitor's Access Request in GDPR Article 15.
• equip you with their contact details so you can communicate to those 3rd parties that your website visitor requests to exercise his/her right.
• enable you to classify 3rd parties to determine whether or not you are required to enter into an agreement with the detected 3rd parties, as required in GDPR (data processing agreement (GDPR Article 28), joint controller agreement (GDPR Article 26), controller to controller agreement).
• help you identify all 3rd parties on your website so that you can assess whether your website-3rd parties' processing operations pose risks to the rights and freedoms of your website visitors and whether a DPIA is necessary, in accordance with GDPR.
• help you understand how 3rd parties appear on your website so that you can adopt internal data protection policies for having 3rd parties on your website, as required by GDPR Article 24.
• help you to identify whether unauthorised disclosure of your website visitors’ personal data have occurred and whether you need to notify the personal data breach to the supervisory authority and your website visitors.
• help you to be able to demonstrate that you have the technological measures to detect and record 3rd parties on websites, as required by the GDPR Articles 24.1, 30.1(d) and Recital 87.

Reach out to us

If you have an interest in Trackerdetect, please send us an email to hello@signatu.com.