In this blogpost, we ask whether site owners must monitor their websites for 3rd parties that are present without authorisation, in order to be able to identify a personal data breach.
We will explain how Trackerdetect automatically detects and builds information about 3rd parties on your website to help you detect whether 3rd parties appear on your website without your authorisation.
This will help you to identify whether unauthorised disclosure of your website visitors’ personal data has occurred and whether you need to notify the personal data breach to the supervisory authority and your website visitors.
In the following it is assumed that
- you have 3rd parties on your site
- the personal data of your website visitors are disclosed to the 3rd parties on your site
Personal Data Breach
If you are a website owner, you can ask yourself
“Has a personal data breach occurred if 3rd parties are on my site without my authorisation and collect my website visitors' personal data?”
The answer is yes.
This follows from GDPR Article 4(12), which defines a “personal data breach” as
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
WP29 says in its Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01) that
" ... unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data or any other form of processing which violates the GDPR."
WP29 says in its Opinion 03/2014 on breach notification that it is a “confidentiality breach” where there is an unauthorised or accidental disclosure of, or access to, personal data.
Unauthorised
You can also ask yourself
“What does “unauthorised” mean?”
The GDPR does not define the term “unauthorised” in GDPR Article 4(12).
Literally, the term “unauthorised” means not permitted.
Hence, if a recipient has no permission to be on the site and collect the site visitors' personal data, then the recipient has an obligation not to do so.
If the recipient is nevertheless on the site and collects the site visitors' personal data, then the recipient breaches the obligation not to be on the site and collect that data, and is “unauthorised” to receive the website visitors' personal data.
Authorised
If you additionally ask yourself
“When is a recipient on my website not authorised to receive (or access) my website visitors' personal data?”
The answer depends on whether the recipient (GDPR Article 4.9) is classified as
- data controller
- joint controller
- processor to whom data is transferred or disclosed
- third party recipient
If the site owner classifies the recipient as a “processor” (GDPR Article 4(8)), then the recipient would have permission to process the site visitors' personal data if the site owner and the recipient have entered into a data processing agreement (GDPR Article 28). If the recipient processes the site visitors' personal data without a data processing agreement, then that processing would be “unauthorised” and there would be a personal data breach.
If the site owner classifies the recipient as a “data controller” (GDPR Articles 4(7) and 28.10), then the recipient would have permission to process the site visitors' personal data if the site owner and the recipient have a lawful basis for the recipient's collection and reception of the site visitors' personal data. In many cases, the lawful basis will be consent or legitimate interest.
Ongoing confidentiality
You can also ask yourself
"Must I continuously detect 3rd parties on my website?"
The answer is most probably yes.
Article 32 of the GDPR, “security of processing,” explains that when implementing technical and organisational measures to ensure a level of security appropriate to the risk, consideration should be given, amongst other things, to “the ability to ensure the ongoing confidentiality ... of processing systems and services.”
Record of all unauthorised 3rd parties
If you also ask yourself
"Must I include in the record all 3rd parties to which the personal data of my website visitors are disclosed without my authorisation?"
The answer is yes.
This is the rule in GDPR Article 33.5.
WP29 says in its Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01) that
"This is linked to the accountability principle of the GDPR, contained in Article 5(2). The purpose of recording non-notifiable breaches, as well as notifiable breaches, also relates to the controller’s obligations under Article 24, and the supervisory authority can request to see these records. Controllers are therefore encouraged to establish an internal register of breaches, regardless of whether they are required to notify or not."
In a footnote to this text, WP29 says
"The controller may choose to document breaches as part of its record of processing activities which is maintained pursuant to article 30. A separate register is not required, provided the information relevant to the breach is clearly identifiable as such and can be extracted upon request."
You may also ask yourself
"What must the record include regarding disclosure of the personal data of my website visitors to unauthorised 3rd parties on my site?"
GDPR Article 33.5, first sentence, says that site owners must record details concerning the breach, comprising "the facts relating to the personal data breach, its effects and the remedial action taken."
You may also ask yourself
"How long must I keep the record regarding disclosure of the personal data of my website visitors to unauthorised 3rd parties on my site?"
WP29 says in its Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01) that
"(t)he GDPR does not specify a retention period for such documentation. Where such records contain personal data, it will be incumbent on the controller to determine the appropriate period of retention in accordance with the principles in relation to the processing of personal data and to meet a lawful basis for processing (GDPR Article 5). It will need to retain documentation in accordance with Article 33(5) insofar as it may be called to provide evidence of compliance with that Article, or with the accountability principle more generally, to the supervisory authority. Clearly, if the records themselves contain no personal data then the storage limitation principle (GDPR Article 6 and also Article 9) of the GDPR does not apply."
Obligation to notify breach
If you additionally ask yourself
“Must I always notify Supervisory Authorities and my site visitors of unauthorised 3rd parties on my site?”
The answer is no.
Notification to the competent supervisory authority is required unless a breach is unlikely to result in a risk to the rights and freedoms of individuals.
Communication of a breach to the individual is only triggered where it is likely to result in a high risk to their rights and freedoms.
WP29 says in its Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01) that
“This means that immediately upon becoming aware of a breach, it is vitally important that the controller should not only seek to contain the incident but it should also assess the risk that could result from it. There are two important reasons for this: firstly, knowing the likelihood and the potential severity of the impact on the individual will help the controller to take effective steps to contain and address the breach; secondly, it will help it to determine whether notification is required to the supervisory authority and, if necessary, to the individuals concerned.”
In practice, most site owners do not know what the scripts of the 3rd parties on their website do with the personal data of the website visitors.
Hence, it will be difficult to assess the likelihood of a risk to the rights and freedoms of the website visitors.
What should the site owner do? Notify the supervisory authority or not?
Tools to become “aware” of unauthorised 3rd parties on websites
If you also ask yourself
“How can I become aware of 3rd parties that are on my site without my authorisation?”
The answer is that you can use Trackerdetect.
How can Trackerdetect help?
With Trackerdetect you can automatically detect all 3rd parties on your site
- at a given time by manual clicks
- at given intervals, e.g. every 6 hours
- from a given location
- and store the information about the 3rd parties in a record with Signatu, including information about their
  - legal entity
  - contact details
  - etc.
- and get a dashboard view of whether or not you have approved the 3rd parties according to various parameters
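To make the two mechanics above concrete, namely detecting which hosts a page hands visitor data to and writing an Article 33(5)-style entry (facts, effects, remedial action) for any that are not authorised, here is an added example. It is not Trackerdetect's or Signatu's code; it parses a constructed sample page with the Python standard library, compares the referenced hosts against a hypothetical authorised list, and returns a record entry. The "registrable domain" helper is a deliberate simplification (last two labels, no public-suffix list), so in production you would replace it.

```python
"""Added example (not Trackerdetect's code): find 3rd-party hosts referenced by
a page, compare them with the site owner's list of authorised recipients, and
produce an Article 33(5)-style record entry for any unauthorised ones."""
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which a page can pull in a 3rd-party resource.
_SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src",
              "link": "href", "source": "src"}


class _ResourceCollector(HTMLParser):
    """Collect every resource URL referenced by src/href attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = _SRC_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def extract_hosts(html_text):
    """Return the set of hostnames a page loads resources from.
    Relative and data: URLs have no host and are ignored."""
    parser = _ResourceCollector()
    parser.feed(html_text)
    hosts = set()
    for url in parser.urls:
        host = urlsplit(url).hostname  # also handles protocol-relative "//host/..."
        if host:
            hosts.add(host.lower())
    return hosts


def registrable(host):
    """Crude eTLD+1 (last two labels). Assumption: no public-suffix list, so
    'co.uk'-style domains would be collapsed incorrectly; replace in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_hosts(hosts, site_host, authorised):
    """Split hosts into first-party, authorised 3rd party and unauthorised 3rd party."""
    own = registrable(site_host)
    auth = {registrable(h) for h in authorised}
    result = {"first_party": set(), "authorised": set(), "unauthorised": set()}
    for h in hosts:
        r = registrable(h)
        bucket = "first_party" if r == own else "authorised" if r in auth else "unauthorised"
        result[bucket].add(h)
    return result


def breach_record(site_host, unauthorised, detected_at=None):
    """Record entry with the three Article 33(5) elements; the notification
    decision is left open until the risk assessment has been done."""
    detected_at = detected_at or datetime.now(timezone.utc)
    return {
        "detected_at": detected_at.isoformat(),
        "facts": f"Page on {site_host} loaded resources from unauthorised hosts: "
                 + ", ".join(sorted(unauthorised)),
        "effects": "Visitor data (IP address, user agent, referrer, cookies) disclosed "
                   "to recipients without a processing agreement or lawful basis.",
        "remedial_action": "Remove or block the resources; contact the recipients; "
                           "assess risk and decide on notification (Articles 33/34).",
        "notified_supervisory_authority": None,  # set after the risk assessment
    }


def scan_page(html_text, site_host, authorised, detected_at=None):
    """One scan run: classify hosts and, if needed, return a record entry."""
    classes = classify_hosts(extract_hosts(html_text), site_host, authorised)
    record = (breach_record(site_host, classes["unauthorised"], detected_at)
              if classes["unauthorised"] else None)
    return classes, record


# Constructed sample page (hypothetical hosts): a first-party script, an
# authorised analytics script, and a tracking pixel nobody approved.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://static.example-shop.com/app.js"></script>
<script src="https://cdn.approved-analytics.net/tag.js"></script>
</head><body>
<img src="//pixel.unknown-tracker.io/p.gif" width="1" height="1">
<iframe src="https://www.example-shop.com/embed"></iframe>
</body></html>"""

AUTHORISED = ["approved-analytics.net"]  # hypothetical authorised recipient list

if __name__ == "__main__":
    found, entry = scan_page(SAMPLE_HTML, "www.example-shop.com", AUTHORISED)
    print(found)
    print(entry)
```

Running `scan_page` on a schedule (the "every 6 hours" mode above) and appending each non-empty record entry to the register is what turns a one-off check into the "ongoing confidentiality" measure Article 32 asks for; the authorised list is the piece the site owner has to maintain by classifying each recipient as processor, controller or joint controller.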
Other blogposts on Trackerdetect
In other blogposts about Trackerdetect on
- Oh heck, do I have a lot of 3rd parties on my website?
- Keep a record of all 3rd parties on websites?
- Inform about all 3rd parties on websites in Privacy Policy?
- Inform about 3rd parties on websites in Access Request response?
- Notify 3rd parties on websites of site visitors' request to exercise rights?
- Classify 3rd parties on websites as Controllers, Processors etc?
- Assess risk of having 3rd parties on websites?
- Internal policies for having 3rd parties on websites?
- Is having unauthorised 3rd parties on a website a personal data breach?
- Must I have a tool to identify and record 3rd parties on my website?
we have explained reasons why you should become aware of 3rd parties on your site and how Trackerdetect automatically detects and builds a record of 3rd parties that are on your website to
- help you meet the record keeping requirements in GDPR Article 30.1.
- help you meet the information and transparency requirements in GDPR Article 13.
- help you respond to your website visitor's Access Request in GDPR Article 15.
- equip you with their contact details so you can communicate to those 3rd parties that your website visitor requests to exercise his/her right.
- enable you to classify 3rd parties to determine whether or not you are required to enter into an agreement with the detected 3rd parties, as required in GDPR (data processing agreement (GDPR Article 28), joint controller agreement (GDPR Article 26), controller to controller agreement).
- help you identify all 3rd parties on your website so that you can assess whether the processing operations of those 3rd parties pose risks to the rights and freedoms of your website visitors and whether a DPIA is necessary, in accordance with GDPR.
- help you understand how 3rd parties appear on your website so that you can adopt internal data protection policies for having 3rd parties on your website, as required by GDPR Article 24.
- help you to identify whether unauthorised disclosure of your website visitors’ personal data has occurred and whether you need to notify the personal data breach to the supervisory authority and your website visitors.
- help you to be able to demonstrate that you have the technological measures to detect and record 3rd parties on websites, as required by the GDPR Articles 24.1, 30.1(d) and Recital 87.
Reach out to us
If you have an interest in Trackerdetect, please send us an email to hello@signatu.com.