GDPR (General Data Protection Regulation) is the EU privacy regulation that has applied since 25 May 2018; it was incorporated into the EEA Agreement shortly afterwards, so it also applies in Norway, Iceland and Liechtenstein. GDPR harmonises the privacy rules throughout the EU and the EEA and gives individuals increased control over their personal data. It applies to all organizations and companies that process personal data about individuals in the EU and the EEA, regardless of where the organization or company is established.
In this text, we cover the following issues that we constantly encounter and that are relevant to sales, marketing and customer support:
- How to handle personal data in a CRM?
- What is the legal basis for collecting and processing personal data?
- What does information obligation mean?
- What are the requirements for information and the right to access?
- What does data minimization mean within GDPR?
- How much data are you allowed to collect?
- When must you delete data?
- What is the difference between GDPR and the Norwegian Privacy Act?
- How does the GDPR relate to the law on marketing?
- What is the Marketing Act?
- What is meant by a data controller?
- What is a data processor agreement?
- What is a privacy policy?
- When should deviations be reported to the Norwegian Data Protection Authority?
- What is sensitive personal data?
- What is privacy?
- What happens to cookies and tracking?
- Is Google Analytics legal?
- What alternatives are there to Google Analytics in the EU?
- What is the Schrems II ruling?
- July 2023: New rules for the transfer of personal data to the USA
- July 2023: The Norwegian Data Protection Authority has temporarily banned behaviour-based advertising on Facebook and Instagram
Addendum:
What do you have to think about when entering people into a CRM or contact database?
When entering people into a contact database, there are some important principles and rules you must follow:
- Legal basis: You must have a legal basis for collecting and processing the personal data, such as consent, contract, legal obligation, or legitimate interest.
- Information and access: You must inform the persons that you collect and process their personal data. The information should include the purpose and legal basis of the processing, which data is collected, how long the data is stored, and contact information for the data controller (and the data protection officer, if one has been appointed). The person must also be informed of their rights, such as the right to access, correction, deletion, restriction of processing and the right to complain to a supervisory authority.
- Data minimization: You should collect and process only the personal data that is necessary for the stated purpose.
- Storage and security: You must ensure that the personal data is stored safely and securely and protected against unauthorized access, alteration or deletion.
- Time limitation: You should not store the personal data for longer than is necessary for the purpose of the processing.
What does information obligation mean?
As regards the obligation to provide information: if you collect the data directly from the person (for example via a web form), you must inform them at the time of collection. If you obtain the data from another source (for example a purchased list or a business partner), you must inform the person within a reasonable period and at the latest within one month after the personal data has been obtained, or no later than the first time you contact them, if that happens earlier. If you plan to use the data for a purpose other than that for which it was collected, you must inform the individuals of this new purpose before you start processing the data.
It is important to note that the regulations and requirements may vary depending on your jurisdiction and situation. For detailed information and guidance, you should consult a lawyer or privacy representative with expertise in privacy laws in your area.
What does legal basis mean?
Legal basis is one of the main principles in GDPR and the Norwegian Personal Data Act. This means that organizations must have a valid and legitimate basis for processing personal data. The six legal bases are consent, contract, legal obligation, protection of vital interests, tasks in the public interest or exercise of public authority, and legitimate interest. Correct use means ensuring that the organization has identified a clear and appropriate basis, and documented it, before the processing of personal data begins. For example, an online store may ask customers for consent to send them marketing material, while it processes the same customers' delivery addresses on the basis of the purchase contract. Misuse occurs when an organization processes personal data without a sufficient basis, such as sending email advertising to customers without their consent or without any other legitimate basis.
What does consent mean and examples of consent?
Consent is a critical component of privacy and data protection, especially in light of the General Data Protection Regulation (GDPR) and the Norwegian Marketing Act. Under the GDPR, consent is one of six possible legal bases for processing personal data; under the Marketing Act, consent is the main requirement for sending electronic marketing (e-mail, SMS and similar) to individuals, with limited exceptions such as an existing customer relationship. Consent means that a person voluntarily, informedly and unambiguously gives permission for their personal data to be used for specific purposes, and it can be withdrawn at any time.
The GDPR (Article 4(11)) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". Pre-ticked boxes, silence or inactivity therefore do not count as consent. The Norwegian Marketing Act also has provisions on the use of personal data in marketing and requires consent to be obtained for certain types of marketing and data collection.
Here are five examples of consent you can give a company within GDPR and the Norwegian Marketing Act:
- Newsletter: When a person registers for a newsletter and gives their consent to receive e-mails with news, offers and other relevant information from the company, they have consented to having their e-mail address and any other personal data they provided processed for this purpose. The company should record when and how the consent was given so that it can be demonstrated later.
- Use of cookies: Websites often use cookies to improve the user experience and collect data on visitor behaviour. A consent banner on a website can inform the user about the use of cookies and ask for consent to install and use them on the user's device.
- Marketing communications: A company may ask for consent to send marketing materials via various channels, such as email, SMS or telephone. This can happen through a separate declaration of consent or by giving the user the opportunity to opt in to marketing communications when they register for a service.
- Sharing data with third parties: A company may request consent to share personal data with third parties, such as partners or subcontractors, for specific purposes. This may include marketing, analysis or improvement of products and services. The user must be informed about which third parties the data is shared with and what the purpose of the sharing is.
- Profiling and personalisation: Profiling involves the analysis of personal data to predict or evaluate an individual's preferences, interests and behaviour. A company may ask for consent to use personal data to customize content, advertisements and offers based on the user's profile.
What is meant by information and access?
Information and transparency is another important principle in the GDPR. It requires that organizations inform the data subjects about the processing of their personal data in a clear, understandable and easily accessible way. Correct use of this principle involves providing the data subjects with detailed information about the purpose of the processing, what data is collected, who is responsible for the processing, and their rights in relation to the personal data. An example of proper use is an online store that provides clear and complete information about its privacy practices in a privacy policy and informs customers of their rights. Incorrect use can be not informing the data subjects about the processing of their data or providing incomplete or misleading information.
What does data minimization mean within GDPR?
Data minimization is a principle which means that organizations must only collect and process personal data that is necessary for the stated purpose. Correct use of this principle involves assessing the necessity of collecting and processing each type of personal data and limiting the collection to what is absolutely necessary. For example, an online store may collect the customer's name, address and payment information to process an order, but not their age or gender if it is not necessary. Improper use may be collecting and processing personal data that is not necessary for the purpose, for example collecting detailed demographic data about customers without it being relevant to the service provided.
What does storage and security mean within GDPR?
Storage and security are principles that require organizations to protect personal data against unauthorized access, change and deletion through suitable technical and organizational measures. Correct use of these principles involves implementing security protocols, encryption, access control, and regular security assessments to protect personal data. An example of proper use is an online store that uses encryption to protect customers' payment information and has strict access controls for employees who handle personal data. Improper use can include storing personal data on unsecured servers, using weak passwords or not updating the software regularly to protect against known vulnerabilities.
How much data can you collect?
Within sales and marketing, the systems we use can store extremely large amounts of data. However, you are only allowed to collect personal data that is necessary to fulfill specific, lawful purposes.
Here are examples of data you are allowed to collect:
Basic contact information: It is legal to collect basic contact information such as name, telephone number, e-mail address, and physical address. This information may be used to deliver the service or product the customer has ordered, or to communicate with the customer or potential customer.
Transaction history: You are allowed to collect data related to the customer's purchase history, such as what they have purchased, when, and how much they have paid. This information helps provide personalized service and product recommendations.
Interaction with the business: You can track the customer's interaction with the business, such as visits to the website, opening of emails, or participation in marketing campaigns.
Preferences: Customers' preferences, such as their preferred communication channel, can also be collected and stored in the CRM system.
What is meant by time limitation (storage limitation)?
Time limitation, called storage limitation in the GDPR (Article 5(1)(e)), is a principle which means that personal data must not be stored for longer than is necessary for the purpose of the processing. Organizations must consider how long they need to store the personal data and delete it when it is no longer necessary. Correct use of this principle involves establishing and following a retention schedule for deleting personal data based on their necessity and the purpose of the processing. For example, an online store can delete customers' account information after a certain period of inactivity, unless there is a legal requirement to store the data longer. Improper use can be storing personal data indefinitely without a valid reason or not deleting the data when it is no longer necessary for the purpose for which it was collected.
If the company you work for offers a breakfast seminar and asks the guests if they have any allergies, data about allergies will typically be something that should be deleted immediately after the seminar. Note that allergy information is health data, which is a special category of personal data, so it also needs a specific legal basis (normally explicit consent) and stricter protection while it is held.
When must you delete data according to privacy?
According to privacy laws such as GDPR, it is important to delete personal data when it is no longer necessary for the purpose for which it was collected, or when the data subject withdraws their consent and there are no other legal reasons for retaining the data. Deletion of data is essential to protect the privacy of the data subjects and to comply with the principle of time limitation.
Deletion of marketing data
Marketing: In the case of marketing data, organizations must delete personal data when it is no longer necessary for marketing purposes, or when the recipient of marketing material withdraws their consent. For example, if an individual subscribes to a newsletter and later unsubscribes, the organization must delete the personal data such as the email address, unless they have another legitimate purpose for retaining the data, such as invoicing. Keeping a minimal suppression record of the opt-out (so that the address is not accidentally re-imported and mailed again) is itself a processing activity and should be documented as such.
Deletion of data in the CRM/sales support system
Sales (CRM): In a CRM system, data about customers and potential customers is stored for sales and customer management purposes. Organizations must delete personal data when they are no longer necessary to maintain the customer relationship, or when the customer requests the deletion of their data. For example, if a potential customer is no longer interested in the organization's products or services and requests to be removed from the CRM system, the organization must delete their personal data.
Deletion of customer data in an online store
Customer data in online stores: Online stores collect and store personal data about customers to process orders and provide customer service. When a customer closes their account, or when the personal data are no longer necessary to fulfill the purpose for which they were collected, the online store must delete the customer data. For example, if a customer closes their account and there are no active orders or legal requirements to retain the data, the online store must delete the personal data.
Deletion of data at a telephone company
Customer data at a telephone company: Telephone companies store personal data about customers, such as name, address, telephone number and billing information. When a customer terminates their contract with the telephone company, the company must delete the personal data in accordance with privacy legislation. However, there may be statutory requirements to retain certain types of data, such as invoicing information, for a specific period of time after termination of the agreement. When this period expires, the telephone company must delete the personal data.
It is important for organizations to have routines and processes in place to identify and delete personal data when they are no longer necessary or when the data subjects request it. This involves regular review of the data and assessment of their relevance and necessity in relation to the purpose for which they were collected.
For example, an organization can implement a schedule for deleting personal data based on its purpose and legal requirements. This may include automatic deletion of inactive accounts after a certain period, or deletion of marketing materials and associated personal data after a certain time horizon.
Organizations should also ensure that they have systems in place to respond to requests from data subjects to exercise their right to be forgotten, i.e. the right to request the erasure of personal data. This may involve giving those registered easy access to delete their accounts, withdraw consent, or request the deletion of data via customer service or an online form.
In addition, organizations should ensure that their data processors and sub-processors also comply with data protection legislation and delete personal data in accordance with the requirements. This can be achieved by including clear provisions on data deletion in data processing agreements and by carrying out regular checks and audits to ensure compliance.
Complying with data protection legislation's requirements for data deletion is essential to protect data subjects' privacy, maintain trust and avoid potential sanctions or fines. Organizations must therefore be proactive and systematic in their approach to the deletion of personal data and ensure that this takes place in line with current regulations.
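The retention schedule described above (inactivity limits per purpose, consent withdrawal, erasure requests, and statutory retention that overrides deletion) can be expressed as a small decision rule that a CRM or marketing system runs on a schedule. The following is an added example written for this text, not code from the page or from any product; the purposes, retention periods and sample records are constructed assumptions, not legal advice. The order of the checks matters: a statutory retention obligation is evaluated first, because it blocks both erasure requests and inactivity-based deletion, while the special-category allergy list is set to zero days so it is removed on the first run after the event.

```python
"""Retention decision engine for a CRM / marketing database (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed retention policy: days of inactivity after which the data for a
# purpose is no longer needed. The numbers are assumptions for this example;
# a real schedule comes from your own purpose assessment and legal review.
RETENTION_DAYS = {
    "newsletter": 2 * 365,   # dormant subscribers are re-confirmed or dropped
    "crm_lead": 365,         # leads with no contact in a year
    "invoice": 5 * 365,      # bookkeeping rules may require a fixed period
    "seminar_allergies": 0,  # health data: delete right after the event
}


@dataclass
class Record:
    record_id: str
    purpose: str
    legal_basis: str            # "consent", "contract", "legal_obligation", ...
    last_activity: date
    consent_withdrawn: bool = False
    erasure_requested: bool = False
    legal_hold_until: Optional[date] = None  # end of a statutory retention period


def decide(record: Record, today: date) -> tuple[str, str]:
    """Return (action, reason); action is "erase", "retain" or "review"."""
    # 1. Statutory retention overrides erasure requests and inactivity (Art. 17(3)(b)).
    if record.legal_hold_until and today <= record.legal_hold_until:
        return "retain", f"legal hold until {record.legal_hold_until.isoformat()}"
    # 2. Consent-based processing ends when consent is withdrawn (Art. 7(3)).
    if record.legal_basis == "consent" and record.consent_withdrawn:
        return "erase", "consent withdrawn"
    # 3. Right to erasure (Art. 17) when no retention obligation applies.
    if record.erasure_requested:
        return "erase", "erasure requested by data subject"
    # 4. Storage limitation (Art. 5(1)(e)): purpose exhausted through inactivity.
    limit = RETENTION_DAYS.get(record.purpose)
    if limit is None:
        return "review", f"no retention rule for purpose '{record.purpose}'"
    inactive = (today - record.last_activity).days
    if inactive > limit:
        return "erase", f"inactive {inactive} days, limit {limit}"
    return "retain", f"within retention ({inactive}/{limit} days)"


def run_schedule(records, today: date) -> dict:
    """Apply decide() to every record and group record ids by action."""
    out = {"erase": [], "retain": [], "review": []}
    for r in records:
        action, _ = decide(r, today)
        out[action].append(r.record_id)
    return out


# Constructed sample records for a scheduled run on a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Record("lead-1", "crm_lead", "legitimate_interest", date(2023, 1, 15)),  # idle > 1 year
    Record("lead-2", "crm_lead", "legitimate_interest", date(2024, 3, 1)),   # recent contact
    Record("sub-1", "newsletter", "consent", date(2024, 5, 1), consent_withdrawn=True),
    Record("inv-1", "invoice", "legal_obligation", date(2021, 1, 1),
           erasure_requested=True, legal_hold_until=date(2026, 1, 1)),      # hold wins
    Record("inv-2", "invoice", "legal_obligation", date(2018, 1, 1),
           legal_hold_until=date(2023, 1, 1)),                                # hold expired
    Record("sem-1", "seminar_allergies", "consent", date(2024, 5, 30)),       # health data
    Record("x-1", "support_ticket", "contract", date(2024, 1, 1)),            # no rule yet
]

if __name__ == "__main__":
    for action, ids in run_schedule(SAMPLE, TODAY).items():
        print(f"{action}: {ids}")
```

Records that land in "review" are the useful output for a privacy officer: they show purposes that exist in the database but have no documented retention period, which is exactly the gap a supervisory authority will ask about.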
What is the difference between GDPR and the Norwegian privacy regulations?
As described above, the GDPR is the EU privacy regulation that has applied since 25 May 2018 and harmonises the privacy rules throughout the EU and the EEA. It applies to all organizations that process personal data about individuals in the EU and the EEA, regardless of where the organization is established.
The Norwegian privacy regulations are based on the GDPR and implement the regulation through the Personal Data Act (personopplysningsloven) of 2018 and associated regulations. Norway, which is a member of the EEA, has through this Act made the GDPR part of national legislation. This means that the privacy rules in Norway are largely the same as in the rest of the EU and the EEA area.
While the GDPR lays the foundation for the privacy regulations, there may be some national adaptations and additions to the Norwegian privacy regulations. These adaptations may include specific rules for certain sectors, for example health and research, or additional requirements in connection with the processing of sensitive personal data. Furthermore, the Norwegian privacy regulations may also include provisions that are not directly linked to the GDPR, but which are still relevant for privacy, for example rules on monitoring and communication control.
The Norwegian Data Protection Authority is the Norwegian supervisory authority that enforces the privacy regulations in Norway and guides businesses on how to comply with the rules. It is important to note that although the Norwegian privacy regulations are largely based on the GDPR, there may be nuances and national adaptations that must be taken into account. For detailed information and guidance on the Norwegian privacy regulations, you should consult The Norwegian Data Protection Authority websites or contact a lawyer with expertise in Norwegian privacy legislation.
How does the GDPR relate to the law on marketing?
GDPR and marketing legislation are two different but related legal frameworks that regulate businesses' interactions with customers and potential customers. Where the GDPR focuses on privacy and the protection of personal data, the Marketing Act is about how companies can communicate with and market themselves to customers.
The Marketing Act regulates how companies can market their products and services, including the use of advertising, e-mail marketing and telemarketing.
Both the GDPR and the Marketing Act affect companies' marketing activities. Under the GDPR, every use of personal data for marketing needs a legal basis (the regulation notes that direct marketing may be carried out on the basis of legitimate interest, and the data subject always has the right to object to it), and the data subject must be informed. The requirement to obtain consent before sending electronic marketing to individuals comes mainly from the Marketing Act. This means that companies must ensure that their marketing methods and strategies comply with the requirements of both.
In the same way, companies must also comply with the requirements of the Marketing Act. For example, there may be restrictions on sending unsolicited emails or requirements to include an "unsubscribe" option in marketing communications.
In practice, this means that companies must work closely with legal experts and data protection officers to ensure that their marketing activities comply with both the GDPR and relevant marketing legislation.
What is the Marketing Act?
The Norwegian Marketing Act, formally known as Act on control of marketing and contractual terms (Marketing Act), is legislation that regulates how companies and organizations market their products and services in Norway. The purpose of the Act is to protect consumers and other traders against unreasonable and misleading marketing practices, as well as to ensure fair competition between the players in the market.
The Marketing Act includes a number of provisions that set a framework for what is and is not allowed in connection with marketing and advertising. Some of the main points of the law include:
- Good marketing practice: The law requires that all marketing must be in accordance with good marketing practice. This means that the marketing must not be unreasonable, aggressive or misleading, and it must take into account the interests and rights of consumers.
- Misleading marketing: The law prohibits misleading marketing, which involves giving false information or presenting information in a way that could induce consumers to make purchases they would not otherwise have made.
- Comparative advertising: Comparative advertising is permitted, as long as it is objective, not misleading and does not damage the reputation or goodwill of competitors.
- Unsolicited marketing: The law also regulates unsolicited marketing, such as e-mail, SMS and telephone sales. As a general rule, consumers must have given their consent before businesses can send them electronic marketing; the Act allows a limited exception for marketing of the business's own products to existing customers, based on the customer relationship. Furthermore, there must always be a simple and free option for the recipient to unsubscribe from such messages.
- Price information: The Marketing Act requires companies to provide clear and complete information about prices, including any additional costs and taxes, so that consumers can compare offers and make informed decisions.
- Marketing to children and young people: The Act contains special provisions for marketing aimed at children and young people, with the aim of protecting them from harmful and inappropriate marketing messages.
The administration and enforcement of the Marketing Act is the responsibility of the Norwegian Consumer Authority (Forbrukertilsynet), which is a government authority that works to protect consumers' interests and promote fair competition in the market. The Norwegian Consumer Authority can impose sanctions, such as fines or bans on illegal marketing practices.
In addition to the Marketing Act, Norwegian companies must also comply with other relevant laws and regulations, such as the GDPR, which regulates the processing of personal data and privacy. It is also important to be aware of sector-specific rules and industry standards that may have an impact on marketing activities.
Norwegian companies must therefore be aware of the various legal frameworks and ensure that their marketing strategies and practices are in line with both national and international laws. This involves, among other things, drawing up clear guidelines for marketing, training employees in relevant legislation, and regular monitoring and evaluation of marketing activities to ensure compliance with current regulations.
In practice, this means that companies should work closely with legal experts, the marketing department and management to develop and maintain a marketing strategy that is both effective and legal. By following the Marketing Act and other relevant laws, companies contribute to a fairer and more competitive market, while at the same time protecting consumers' rights and interests.
In summary, the Norwegian Marketing Act is an important legal framework that ensures fair competition and protects consumers against unreasonable and misleading marketing practices. To comply with the law, companies and organizations must be aware of their marketing strategies and practices, and ensure that they are in line with both national and international regulations.
What is meant by a data controller?
Data controller is a term used in privacy legislation, such as the GDPR, to describe a natural or legal person, public authority, agency or other body that alone or together with others determines the purposes and means of processing personal data. In other words, the data controller is the entity that is responsible for ensuring that the processing of personal data complies with the applicable data protection regulations, including when it outsources the actual processing to a data processor.
The data controller has a number of obligations and areas of responsibility, including:
- To ensure that the processing of personal data is lawful and takes place in accordance with the privacy principles, such as legality, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.
- To inform the data subjects (the persons whose information is processed) about the processing of their personal data, including the purpose of the processing, which data is processed, their rights, and contact information for the data controller and, if applicable, the data protection representative.
- To carry out data protection impact assessments (DPIA) to identify and minimize privacy risks, especially when planning to process personal data in a way that may involve a high risk to the data subjects' rights and freedoms.
- To ensure that personal data is protected against unauthorized access, change or deletion through suitable technical and organizational measures.
- To report breaches of personal data security to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to the data subjects), and to inform the affected data subjects without undue delay if the breach is likely to entail a high risk to their rights and freedoms. All breaches, reported or not, must be documented internally.
- To cooperate with the supervisory authorities and follow their guidance and instructions.
- Appointing a data protection officer (DPO) if required, for example if the business is a public authority, or its core activities involve large-scale processing of sensitive personal data or large-scale, regular and systematic monitoring of data subjects.
It is important to note that data controllers can be held responsible for any breaches of the privacy rules and fines and sanctions can be imposed by the supervisory authorities.
When should deviations be reported to the Norwegian Data Protection Authority?
As a general rule, the data controller has an obligation to report a personal data breach to the Norwegian Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of it.
A personal data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed to or accessed by unauthorized persons, for example when an unauthorized person gains access to a CRM system, an export is e-mailed to the wrong recipient, or a laptop with customer data is lost. When this happens, the controller is responsible for taking measures to limit the damage and prevent it from happening again in the future.
As part of this process, the controller has a duty to report the breach to the Norwegian Data Protection Authority within the deadline above. This is because the Norwegian Data Protection Authority is responsible for monitoring that personal data is processed in accordance with applicable laws and regulations. If the full picture is not available within 72 hours, the notification can be made in stages, with the remaining information supplied later.
It is important to note that there is an exception to this duty: the data controller does not need to report the breach if it is unlikely that the breach will result in any risk to the persons concerned. Every breach must nevertheless be documented internally, with the facts, its effects and the remedial action taken, so that the Norwegian Data Protection Authority can verify the assessment afterwards. When in doubt about the risk, it is generally better to report, since an unreported breach that the authority later discovers is treated far less leniently than one that was notified.
Overall, it is important for the controller to be aware of his duty to report personal data security breaches to the Norwegian Data Protection Authority and to take the necessary measures to limit the damage and prevent future breaches.
What is considered sensitive personal data?
Sensitive personal data, also called special categories of personal data in the GDPR, are types of personal data that are considered to be more sensitive and therefore require a higher level of protection. Processing such information is generally prohibited, unless there is a specific legal basis for the processing.
According to the GDPR, the following types of information are considered sensitive personal data:
- Race or ethnic origin: Information indicating a person's race or ethnic background.
- Political opinion: Information about a person's political beliefs or affiliation with a political party.
- Religious or Philosophical Beliefs: Information about an individual's religious beliefs or philosophical beliefs.
- Trade union membership: Information about membership in a trade union or similar organisation.
- Genetic data: Data obtained from a person's biological samples that provides unique information about their genetics, such as DNA sequences.
- Biometric data: Data derived from a person's physical or behavioral characteristics that can be used to uniquely identify them, such as fingerprints, facial recognition or iris scans.
- Health information: Information about a person's physical or mental health, including medical history, diagnoses, treatment and any health-related needs.
- Sexual life or sexual orientation: Information about a person's sexual preferences, practices or orientation.
Processing of sensitive personal data is subject to stricter requirements and controls because they can lead to discrimination, stigmatization or other harm to the data subjects if they are treated irresponsibly or go astray. Organizations that process such information must therefore ensure that they have a strong and legal basis for the processing and that they implement the necessary technical and organizational measures to protect this information against unauthorized access, alteration or deletion.
What is a data processor agreement?
A data processor agreement, also known as a data processing agreement (DPA), is a legal contract between a data controller and a data processor. This is a requirement according to the GDPR (Article 28) and corresponding privacy laws whenever a data controller engages a third party (data processor), such as a CRM or e-mail marketing provider, to process personal data on their behalf.
The main purpose of a data processing agreement is to ensure that both parties understand their responsibilities and obligations relating to the processing of personal data, and to guarantee that the personal data is processed in accordance with data protection legislation. A data processing agreement must contain provisions covering the following areas:
- The purpose of the processing: The agreement should state the specific purpose of the processing of personal data and the types of personal data to be processed.
- Instructions from the data controller: The data processor must process the personal data exclusively in accordance with the instructions from the data controller, and the agreement should describe how these instructions must be given and followed.
- Security measures: The agreement must contain requirements that the data processor implements the necessary technical and organizational security measures to protect the personal data against unauthorized access, loss, change or deletion.
- Confidentiality: The data processor and its employees who have access to the personal data shall undertake to keep the information confidential and not to disclose it to unauthorized persons.
- Sub-processors: The agreement must regulate the data processor's use of sub-processors and ensure that they are also subject to corresponding privacy obligations.
- Assistance to the data controller: The data processor must assist the data controller in fulfilling their obligations under privacy legislation, including responding to requests from data subjects about their rights, reporting personal data breaches without undue delay, and carrying out data protection impact assessments.
- Deletion or return of data: Upon termination of the agreement, the data processor must delete or return all personal data to the data controller, unless there is a statutory requirement to retain the data.
- Audit right: The data controller shall have the right to carry out audits or inspections to ensure that the data processor complies with the privacy obligations in the agreement.
A well-drafted data processor agreement is important to protect personal data, minimize risk and ensure compliance with data protection legislation.
What is a privacy policy?
A privacy statement is a public document that explains how a company or organization collects, uses, stores, shares and protects personal data from customers, users or other affected parties. The purpose of the privacy policy is to inform and create transparency about the company's processing of personal data, as well as to fulfill legal requirements, such as the provisions of GDPR (General Data Protection Regulation) and other relevant privacy legislation.
A privacy policy should be easily accessible, understandable and written in clear and simple language. It must contain the following information:
- Identity and contact information: The declaration should include the name of the company or organization and its contact details, as well as information about any privacy officer or data protection officer.
- The purposes of the processing: A description of the purposes for the collection and processing of personal data, including the legal bases for the processing (e.g. consent, contractual obligations, legitimate interests).
- Categories of personal data: An overview of which categories of personal data are collected and processed, such as name, e-mail address, telephone number and IP address.
- Recipients of personal data: Information about who may receive the personal data, including any third parties, subcontractors or international transfers of data.
- Storage and security: The declaration should contain information about how long the personal data is stored and what security measures have been implemented to protect it against unauthorized access, loss or damage.
- Data subjects' rights: A description of the rights that affected parties have in accordance with privacy legislation, such as the right to access, the right to rectification, the right to deletion, the right to limit processing, the right to data portability and the right to object to processing.
- The right to withdraw consent: If the processing of the personal data is based on consent, the statement must inform that the consent can be withdrawn at any time, without affecting the legality of the processing before the withdrawal.
- Right to appeal: The declaration should state the right of affected parties to appeal to a supervisory authority if they believe that the processing of their personal data contravenes privacy legislation.
A privacy statement is an important tool to ensure that companies and organizations comply with privacy legislation and create trust with customers and users. By being transparent and communicating clearly about how personal data is handled, companies help to build a relationship of trust and fulfill their legal obligations.
It is important that the privacy policy is updated regularly to reflect any changes in the company's practice or privacy legislation. Companies should also ensure that employees are well informed about the content of the privacy policy and how they should handle personal data in line with the guidelines and current legislation.
In summary, a privacy statement is a critical document that informs customers, users and other affected parties about how a company or organization collects, uses, stores and protects personal data. By including the necessary information as described above, and by keeping the statement up-to-date and available, companies help to fulfill their legal obligations and create trust with customers and users.
Here you will find an example of a privacy policy.
What is privacy?
Privacy is a fundamental principle that ensures the individual's right to privacy and control over personal data, based on the idea of inviolable intrinsic value and the right to a private sphere.
Privacy is anchored in international frameworks such as the European Convention on Human Rights (ECHR) and in Norwegian law. In Norway, privacy was further strengthened on 13 May 2014, when the Storting decided to include a provision on privacy in the Constitution. According to Section 102 of the Constitution, everyone has the right to respect for their privacy and family life, their home and their communications. This involves the protection of the individual's personal integrity against unauthorized access or intervention by public authorities and private actors.
Privacy includes the protection of personal data, and in today's digital world it is particularly important to protect the individual's rights and freedoms. A robust legal framework and effective control mechanisms are necessary to ensure privacy. In the EU and EEA, privacy is regulated by the GDPR, and Norwegian privacy laws such as the Personal Data Act are in line with this.
In summary, privacy is a fundamental right that protects the individual's privacy and personal data, anchored in both international and national laws, and ensures protection against unauthorized access or intervention in individuals' private sphere.
What happens to cookies and tracking?
Cookies and tracking are technologies used on websites to collect information about users' activity and preferences. This can, for example, include information about which pages a user visits, how long they stay on the page and which products they show an interest in. Such information may be used to improve user experience, customize content, deliver targeted advertising and analyze website performance.
The use of cookies and tracking is subject to the privacy regulations, such as GDPR in the EU and the EEA area and the Personal Data Act in Norway. These rules require websites and service providers to meet certain requirements in order to be able to use cookies and tracking legally:
- Information: Websites must inform users that they use cookies and tracking, as well as the purpose of such use. This is often done through a cookie statement or a privacy statement.
- Consent: For most types of cookies, especially those that are not strictly necessary for the website's function, websites must obtain users' consent before placing cookies on their devices. Consent must be voluntary, informed and express, and users must be able to withdraw consent at any time.
- Options: Websites must offer users options regarding the use of cookies and tracking. This may, for example, involve letting users choose between different levels of cookies or tracking.
- Security and confidentiality: Websites must ensure that personal data collected using cookies and tracking is processed securely and is not shared with unauthorized third parties.
- Storage limitation: Websites must not store personal data collected through cookies and tracking for longer than is necessary for the purpose of the processing.
Cookies and tracking may be legal as long as websites and service providers follow the privacy rules and make sure to inform users, obtain consent, offer options and safeguard security and confidentiality. It is important to be aware that different types of cookies and tracking may have different requirements and exceptions, and that there may be national differences in the regulations.
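As an added illustration (not code from the original article) of how the five requirements above translate into site behaviour, the following consent gate only sets non-essential cookies after an express, per-category choice, lets the user withdraw, and enforces a retention cap. The category names, purposes, retention periods and the ConsentManager class are this example's own assumptions; a Map stands in for document.cookie so it runs outside a browser.

```javascript
// Categories with the purpose shown to the user (information duty) and a
// retention cap (storage limitation). Only "necessary" is exempt from consent.
// Purposes and day counts are constructed for this example.
const COOKIE_CATEGORIES = {
  necessary: { purpose: 'Session and login state', requiresConsent: false, maxAgeDays: 1 },
  analytics: { purpose: 'Page visit statistics', requiresConsent: true, maxAgeDays: 90 },
  marketing: { purpose: 'Targeted advertising', requiresConsent: true, maxAgeDays: 30 },
};
const DAY_MS = 24 * 60 * 60 * 1000;

class ConsentManager {
  // store: Map of cookie name -> {value, category, expires}; now: injectable clock.
  constructor(store = new Map(), now = () => Date.now()) {
    this.store = store;
    this.now = now;
    this.consent = null; // null = no decision recorded yet
  }

  // Information duty: the text a banner shows before asking for anything.
  noticeText() {
    return Object.entries(COOKIE_CATEGORIES)
      .map(([name, c]) => `${name}: ${c.purpose} (kept up to ${c.maxAgeDays} days)`)
      .join('\n');
  }

  // Options + express consent: the user picks categories; the decision and
  // its timestamp are recorded so it can be demonstrated later.
  grant(categories) {
    const granted = {};
    for (const [name, c] of Object.entries(COOKIE_CATEGORIES)) {
      granted[name] = !c.requiresConsent || categories.includes(name);
    }
    this.consent = { granted, timestamp: this.now() };
    return this.consent;
  }

  // Withdrawal at any time: cookies that relied on the consent are removed.
  withdraw() {
    this.consent = null;
    for (const [name, c] of this.store) {
      if (COOKIE_CATEGORIES[c.category].requiresConsent) this.store.delete(name);
    }
  }

  isAllowed(category) {
    const c = COOKIE_CATEGORIES[category];
    if (!c) return false;
    if (!c.requiresConsent) return true;
    return Boolean(this.consent && this.consent.granted[category]);
  }

  // Returns true if the cookie was set, false if blocked for lack of consent.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) return false;
    const expires = this.now() + COOKIE_CATEGORIES[category].maxAgeDays * DAY_MS;
    this.store.set(name, { value, category, expires });
    return true;
  }

  // Storage limitation: drop anything past its category's retention cap.
  purgeExpired() {
    let removed = 0;
    for (const [name, c] of this.store) {
      if (c.expires <= this.now()) { this.store.delete(name); removed++; }
    }
    return removed;
  }
}

// Walk-through with a constructed clock; cookie names are illustrative only.
function demo() {
  let clock = 1700000000000;
  const cm = new ConsentManager(new Map(), () => clock);
  const results = [];
  results.push(cm.setCookie('sid', 'abc', 'necessary'));  // true: exempt
  results.push(cm.setCookie('_ga', 'x', 'analytics'));    // false: no consent yet
  cm.grant(['analytics']);                                // opts into analytics only
  results.push(cm.setCookie('_ga', 'x', 'analytics'));    // true
  results.push(cm.setCookie('_fbp', 'y', 'marketing'));   // false: not granted
  cm.withdraw();
  results.push(cm.store.size);                            // 1: only 'sid' remains
  clock += 2 * DAY_MS;
  results.push(cm.purgeExpired());                        // 1: 'sid' past its 1-day cap
  results.push(cm.store.size);                            // 0
  return results;
}
```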
Google Analytics may be illegal!
The Austrian Data Protection Authority (DSB) investigated a website's use of Google Analytics and concluded that the transfer of personal data to the United States was unlawful, citing the Schrems II judgment of the European Court of Justice.
The European Data Protection Supervisor (EDPS), which supervises the EU institutions, supports the decision. Norway's Data Protection Authority is also handling a case regarding Google Analytics and will look to European practice. Several European supervisory authorities will make decisions about Google Analytics, so it is recommended to explore alternatives.
The Austrian Data Protection Authority points out that de-identification of IP addresses in Google Analytics does not solve the problem, as analysis data can be linked to users' Google accounts via cookies. Sending personal data to the US may be legal with the necessary measures, but it is difficult for website owners to ensure that Google implements these measures.
The case also affects other website tools that send personal data to the United States. Website owners should have an overview of the tools they use and which personal data they process. Illegal tools must be removed, and serious cases can lead to sanctions from the Norwegian Data Protection Authority.
After the Schrems II judgment in 2020, the organization noyb lodged complaints against several websites in the EEA for their use of Google Analytics. Data protection authorities across Europe are handling similar complaints, coordinated by the European Data Protection Board (EDPB). More decisions on Google Analytics are expected in 2022.
Italian data supervision prohibits the use of Google Analytics
Italy's data protection authority, Garante Per La Protezione Dei Dati Personali, states that websites that use Google Analytics without the necessary security measures are in breach of privacy regulations. The reason is that user data is transferred to the USA without an adequate level of protection. This was published in a press release on 23 June 2022.
French data supervision prohibits the use of Google Analytics
The French Data Protection Authority (CNIL) decided on 10 February that Google Analytics sends personal data to the USA; this was announced in a press release. CNIL also requires a French website administrator to comply with the privacy regulation and, if necessary, to stop using the service under current conditions.
What alternatives are there to Google Analytics in the EU?
There are several alternatives to Google Analytics that have been developed and/or store data within the EU and EEA area. These tools focus on privacy and are more in line with GDPR. Here are some of the most popular options:
- Matomo (formerly known as Piwik): Matomo is an open source web analytics platform that offers a similar functionality to Google Analytics. Data is stored on your own servers, which gives you full control over your data. Matomo also offers a cloud version where data is stored in the EU.
- Plausible Analytics: Plausible is a lightweight, open source and privacy friendly alternative to Google Analytics. It does not require consent from users, as it does not use cookies and does not collect personally identifiable information.
- Simple Analytics: Simple Analytics is another privacy-friendly option that does not use cookies and focuses on simplicity and clear reporting. They store data on servers in the EU and provide you with GDPR-compliant reports.
- Fathom Analytics: Fathom is a web analytics platform that focuses on privacy and simplicity. They do not collect personal data and do not use cookies. Fathom offers a simple interface for analysis and reporting.
- Countly: Countly is an open source web analytics platform that offers web, mobile and desktop analytics functionality. It has a strong focus on privacy and data security and allows you to store data on your own servers or in their cloud service with servers in the EU.
When considering an alternative to Google Analytics, it is important to investigate where the data is stored, what privacy features are offered, and whether the solution is in line with GDPR and local privacy laws.
What is Schrems II?
The Schrems II judgment, issued by the European Court of Justice in July 2020, has had significant consequences for the transfer of personal data between the EU and the US. The ruling declared the EU-US Privacy Shield, a main mechanism for the safe and free flow of data between EU and US organizations, invalid. This decision has forced many organizations to reconsider how they handle personal data transfers and whether the transfer mechanisms they have in place comply with EU data protection law.
The judgment upheld the use of standard contractual clauses (SCCs), but cast doubt on this method of transferring personal data outside the EU. It required companies and regulators to conduct case-by-case analyses to determine whether foreign protections regarding government access to transferred data meet EU standards.
The Schrems II ruling underscores the importance of data protection in global commerce and the critical role that privacy professionals play in implementing protections consistent with foreign legal requirements.
July 2023: New rules for the transfer of personal data to the USA
In July 2023, the EU adopted new rules that make it easier to transfer personal data to the US. The rules took effect immediately. What does this mean in practice for those of us who work with marketing, sales and delivery of services covered by this?
It has been possible to freely transfer personal data within the EU/EEA, while as a general rule it has been prohibited to transfer personal data outside the EEA. Therefore, large companies such as Microsoft, HubSpot and others have found it important to establish regional data centers in the EU.
Schrems II put a stop to the use of the Privacy Shield Framework for transferring data to, for example, the USA.
The European Commission can still approve individual countries through something called an adequacy decision, and on July 10 the EU approved an adequacy decision which means that if an American business is on the list of approved businesses, you can transfer personal data to it as if it were a European business.
All other rules within the GDPR must still be followed, so you must still have a basis for processing or a data processor agreement to share personal data with others. In practice, this means that American services, such as those many of us use in marketing and sales, can be used provided they are on the list.
Read the full article here: GDPR and privacy: What do the new rules mean for the transfer of personal data to the US?
July 2023: The Norwegian Data Protection Authority has temporarily banned behaviour-based advertising on Facebook and Instagram
In July 2023, the Norwegian Data Protection Authority banned Meta from behaviour-based advertising based on the monitoring and profiling of users in Norway on the platforms Facebook and Instagram.
In December, the Irish Data Protection Authority decided that Meta has carried out illegal behaviour-based advertising. Since then, Meta has made changes, but after a new decision from the European Court of Justice, the Norwegian Data Protection Authority has chosen to introduce a temporary ban.
In a comment to NRK, Meta has said that they believe they are acting in line with European privacy legislation.
- We will assess the Norwegian Data Protection Authority's requirements. But this will not have an immediate impact on our business, writes Matthew Pollard, spokesman for Meta, in an e-mail to NRK.
- The Danish Data Protection Authority's decision does not ban Facebook or Instagram in Norway, but ensures that users can use these services in a safe way, says Tobias Judin in the Norwegian Data Protection Authority.
Read the entire article here: What does the Norwegian Data Protection Authority's temporary ban on behavior-based advertising on Facebook and Instagram mean?
Attachment: Example of privacy statement
In this privacy policy, we provide a thorough explanation of the types of personal data we collect and store, how we process them, and how long we keep them. Our aim is to be transparent and clear, so that you as a user understand how we look after your personal data.
Types of personal data we collect and process:
We collect and process the following categories of personal data:
- Contact information: This includes name and email address.
- Customer activity: Here we collect reading and action history from apps, websites or electronic communications we send out, as well as technical information about the devices you use.
- Cookies: For more information about how we use cookies, please see our information page about cookies.
This personal data is collected directly from you, for example when you purchase or register for our services, subscribe to our newsletters and blogs, fill in a form or contact us.
How we use the personal data:
- Delivery of services: We use your personal data to deliver services for which you have registered, for example our newsletter. The legal basis for processing personal data for this purpose is your consent. You can withdraw your consent at any time by unsubscribing from the newsletter.
- Analysis, business development and improvement of services: We work continuously to develop and improve our services, as well as the information we provide you. This involves analyzing contact information and customer activity. The legal basis for processing personal data for this purpose is our legitimate interest.
- Sales and marketing: We use personal data in connection with the sale and marketing of our products and services, by you receiving e-mails from us. The legal basis for processing personal data for this purpose is consent. You can withdraw your consent at any time by unsubscribing from the newsletter.
Your rights as a registered user:
- Right to access your own information: You can request a copy of all information we process about you by contacting us at the e-mail address mentioned earlier.
- Right to correction of personal data: You have the right to ask us to correct or supplement information that is incorrect or misleading.
- The right to deletion of personal data: You have the right to have your personal data deleted without undue delay. You can therefore ask us to delete information about yourself at any time.
- Limitation of processing of personal data: In certain situations, you can ask us to limit the processing of data about you. You can do this by managing consents or reservations in our solutions.
- Object to the processing of personal data: If we process data about you based on our tasks or a balancing of interests, you have the right to object to our processing of data about you.
- Data portability: You have the right to have your personal data provided in a structured, commonly used and machine-readable format. Contact us at the e-mail address mentioned earlier to obtain your personal data.
- Complaint about our processing of personal data: We want you to speak up if you think we are not complying with the rules in the Personal Data Act. Please let us know through the contact or channel you have already established with us. You can also complain about our processing of personal data to the Norwegian Data Protection Authority.
By providing a more detailed privacy policy, we want to ensure that you as a user have a clear and complete understanding of how we collect, process and store your personal data. We are concerned with safeguarding your privacy and complying with applicable legislation, and we will continuously work to maintain and improve our guidelines and practices.
Attachment: Example of a data processing agreement
The Danish Data Protection Authority has drawn up a standard data processing agreement that can also be used by Norwegian businesses. The Norwegian Data Protection Authority has translated it into Norwegian, and an English version is available from the Danish Data Protection Authority.
Data processor agreement in English
Here is a less comprehensive data processor agreement:
Data processor agreement between [Customer] and [Supplier]
Purpose and background
1.1 This data processing agreement (the "Agreement") regulates [Supplier]'s processing of personal data on behalf of [Customer] in connection with [Customer]'s use of the services provided by [Supplier].
1.2 The agreement must ensure that the processing of personal data takes place in accordance with current privacy legislation, including the EU's privacy regulation (GDPR).
Definitions
2.1 "Data processor" means [Supplier], which processes personal data on behalf of [Customer].
2.2 "Personal data" means any information about an identified or identifiable natural person.
2.3 "Processing" means any operation or series of operations carried out on personal data, either manually or by automated processes.
Scope and responsibilities
3.1 [Supplier] shall process personal data exclusively in accordance with [Customer]'s instructions and to the extent necessary to deliver the services.
3.2 [Supplier] shall ensure that the personal data is confidential and protected against unauthorized access, loss, destruction or damage, and that the processing takes place in accordance with applicable legislation.
3.3 [Supplier] shall not use the personal data for purposes other than those agreed with [Customer].
Security measures
4.1 [Supplier] shall implement and maintain technical and organizational security measures necessary to protect the personal data against unauthorized access, loss, destruction or damage.
4.2 [Supplier] must regularly assess and update the security measures to ensure continued protection of the personal data.
Sub-processors
5.1 [Supplier] may use sub-processors to deliver the services. [Customer] agrees that [Supplier] may use sub-processors, provided that [Supplier] enters into written agreements with the sub-processors requiring them to comply with the obligations in this Agreement.
5.2 [Supplier] shall ensure that the sub-processors comply with the security requirements and privacy legislation, and [Supplier] is responsible for the actions and omissions of the sub-processors.
Access, correction and deletion
6.1 [Supplier] shall assist [Customer] in fulfilling its obligations towards data subjects in accordance with applicable privacy legislation, including the right to access, correction, deletion and restriction of processing.
Information and cooperation
7.1 [Supplier] shall assist [Customer] with any requests from supervisory authorities or data subjects, and shall cooperate with [Customer] to ensure compliance with applicable privacy legislation.
7.2 [Supplier] shall inform [Customer] immediately if it receives a request from a data subject or a supervisory authority concerning the processing of personal data under this Agreement.
Data breach
8.1 [Supplier] shall notify [Customer] without undue delay after becoming aware of a data breach involving personal data processed under this Agreement.
8.2 [Supplier] shall cooperate with [Customer] to handle the data breach, including assisting in identifying the cause, limiting the extent of damage and taking the necessary measures to prevent future data breaches.
Audit and inspection
9.1 [Supplier] shall, after reasonable notice and within normal working hours, give [Customer] the opportunity to carry out audits and inspections to verify that [Supplier] complies with its obligations in accordance with this Agreement and applicable privacy legislation.
9.2 [Supplier] shall cooperate with [Customer] and provide all necessary information and assistance in connection with such audits and inspections.
Conclusion
10.1 This Agreement applies as long as [Supplier] processes personal data on behalf of [Customer].
10.2 Upon termination of this Agreement, [Supplier] shall either delete or return all personal data to [Customer], and delete any copies, unless storage of the personal data is required in accordance with applicable legislation.
Choice of law and dispute resolution
11.1 This Agreement shall be governed by the laws of [jurisdiction], and any disputes shall be resolved by [dispute resolution mechanism, e.g. arbitration or court].
Appendix: Personal data and the purpose of the processing
Types of personal data processed
- Name
- E-mail address
- Telephone number
- IP address
- Device information
- Browser information
- Usage data
The purpose of the processing:
- Customer administration
- Sales and marketing
- Analysis and improvement of services
- Customer support
Date: [Date]
[Customer]
[Customer Name]
[Customer's address]
[Supplier]
[Supplier Name]
[Supplier's address]
Signature for [Customer]:
[Name]
[Title]
Signature of [Supplier]:
[Name]
[Title]
This data processor agreement contains the necessary provisions to ensure compliance with privacy legislation, including the EU's General Data Protection Regulation (GDPR), when [Supplier] processes personal data on behalf of [Customer] in connection with their use of the services.
The agreement regulates responsibility, security measures, use of sub-processors, rights and obligations relating to access, correction and deletion of personal data, as well as audit and inspection. The agreement must ensure that both parties comply with applicable privacy legislation and protect the personal data that is processed.
By signing this agreement, [Customer] and [Supplier] undertake to comply with the terms and ensure that the personal data is processed in accordance with applicable data protection legislation.