Public pages on your web site
• Privacy Policy is the main document required for GDPR compliance
• It must clearly state what personal and non-personal information the system collects
• For what purposes the information is collected
• What rights the user has (Art. 15–18 GDPR)
• Data Retention Policy
• The data must not be stored longer than is necessary for the purposes for which the personal data were collected (Art. 5 GDPR)
• Transfer of data to other countries (international transfers of your personal data), Art. 45 GDPR
• How the data will be protected
• Contact information, including the legal address, and the contacts of the Data Protection Officer, if there is one
• Terms of Use – you need to add the bold text “The Website is available only to individuals who are at least 16 years old.” if the system does not specifically work with children or children’s content; otherwise, you need to add an age-check function to the system, in the form of a checkbox on the registration page, and obtain parental consent if the user is under 16 (Art. 8 GDPR)
• Compliance & Security is optional, but users are already asking how you comply with the GDPR, so it is better to have a resource that describes in detail how you organize data protection
• Payment Policy, Cookie Policy – describe how payments are processed and what cookies the system uses
Registration page
• The number of fields must be minimal and reasonable – ‘data minimisation’ (Art. 5 GDPR)
• Granular consent (Art. 7 GDPR)
• A mandatory checkbox to agree to the Terms of Use and Privacy Policy
• A separate checkbox if you want to subscribe the user to the mailing list
User Profile Page
• Users should be able to change any field about themselves (Art. 16 GDPR)
• Delete Account button (Art. 17 GDPR). The user should be able to remove themselves and all their information from the system.
• Restrict Processing Mode button (Art. 18 GDPR). If the user has enabled this mode, their personal information should no longer be available publicly, to other users, or even to system administrators. As the GDPR positions it, this is an alternative for the user to complete removal from the system
• Export Personal Data button (Art. 20 GDPR). Option to download in any format
• Granular consent again (Art. 7 GDPR)
• The ability to give or withdraw consent to system actions that involve personal data (for example, subscription to news or marketing material)
Additional functionality
• Automatic deletion or anonymization of personal data that is no longer needed, per Art. 5 GDPR. For example, information in orders that have been processed (completed)
• Automatic deletion of personal data in other services integrated with the system (Art. 19 GDPR)
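As an added illustration that is not part of the original checklist, the Python sketch below shows how the Restrict Processing Mode, the retention job for completed orders, and Delete Account with erasure propagated to integrated services could look in code. The 90-day retention period, the `downstream` service callbacks and all data values are assumptions, not taken from the checklist.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)  # assumed retention period for completed orders

@dataclass
class User:
    user_id: str
    email: str
    name: str
    consents: dict = field(default_factory=dict)  # granular consent flags (Art. 7)
    processing_restricted: bool = False           # "Restrict Processing Mode" (Art. 18)

@dataclass
class Order:
    order_id: str
    user_id: str
    shipping_address: str
    status: str                              # "open" or "completed"
    completed_at: "datetime | None" = None

def visible_profile(user: User) -> dict:
    """Profile as returned to anyone, administrators included (Art. 18):
    once processing is restricted, no personal field leaves this function."""
    if user.processing_restricted:
        return {"user_id": user.user_id, "status": "processing restricted"}
    return {"user_id": user.user_id, "email": user.email, "name": user.name}

def anonymize_stale_orders(orders: list, now: datetime, retention: timedelta = RETENTION) -> list:
    """Retention job (Art. 5): scrub personal fields of completed orders older
    than the retention period, keeping the order record itself for accounting."""
    scrubbed = []
    for o in orders:
        if o.status == "completed" and o.completed_at and now - o.completed_at > retention:
            o.shipping_address = "[anonymized]"
            scrubbed.append(o.order_id)
    return scrubbed

def delete_account(user: User, users: dict, orders: list, downstream: dict) -> list:
    """Delete Account (Art. 17) with erasure propagated to integrated services
    (Art. 19). `downstream` maps service name -> callable(user_id) returning
    True on success; the names that failed are returned so they can be retried."""
    users.pop(user.user_id, None)
    for o in orders:
        if o.user_id == user.user_id:       # orders stay, but no longer identify the person
            o.shipping_address = "[anonymized]"
            o.user_id = "[deleted]"
    return [name for name, erase in downstream.items() if not erase(user.user_id)]
```

In a real system the retention job would run on a schedule and the failed downstream erasures would be queued for retry and logged, so that the Art. 19 obligation is demonstrably met.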