GDPR and Data Privacy

GDPR stands for General Data Protection Regulation. 

It is a legal framework that protects the data privacy rights of anyone who lives in the European Union, as well as people in Iceland, Lichtenstein, and Norway - countries that are part of the European Economic Area (EEA) single market - and Switzerland. 

Note - the UK’s Data Protection Act (DPA) was amended in 2021 to integrate EU GDPR requirements. So, while the country is not technically covered by the GDPR post-Brexit, its data privacy regulations are very similar.

For a better grasp of all the lingo, you can refer to our Glossary of Terms.

What does GDPR Consider Personal Data?

The EU GDPR only applies to personal data, which it considers to be any information that relates to an identifiable person. Anything that can confirm your physical presence somewhere is also classified as personal data under GDPR - this includes things like CCTV footage and fingerprints.
 

What does GDPR Consider Sensitive Personal Data?

The GDPR places certain types of sensitive personal data into a “special category” that must be treated with extra security. This includes information related to:

• Political opinions
• Race or ethnicity
• Religion or philosophical beliefs
• Sexuality or a person’s sex life
• Trade union membership
• Genetic information
• Biometric data - when processed to identify someone
   

What are the Penalties for Non-Compliance of GDPR?

GDPR requirements are enforced by the national data protection authorities of EU and EEA member states, and by private right of action - as with Max Schrems and his NYOB advocacy group.

It has established a two-tier sanctions system and companies found to have misused data according to GDPR can be fined either:

• Up to €10 million, or 2% of the worldwide annual revenue from the previous year - whichever is higher
• Up to €20 million, or 4% of the worldwide annual revenue - whichever is higher.
   

Who does GDPR Apply To?

According to the European Commission, GDPR applies to:

1. A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or,
    
2. A company established outside the EU and is offering goods/services (paid or for free), or is monitoring the behavior of individuals in the EU

Effectively, GDPR applies to companies that collect data from or market to the European Union, or are prepared to serve citizens and residents there. 

In practice, compliance is mandatory for any company that makes its website or services available to EU citizens. 

It's even mandatory for companies that hold the personal data of just one person living in the EU - even if there is no company office in the Union. 
 

Who does GDPR Not Apply To?

Since GDPR reaches outside the territorial scope of the European Union, the number of formal GDPR exemptions is very small:

1. Companies that actively discourage the processing of EU citizen data
2. Companies that process EU citizen data, without directly targeting subjects or monitoring their behavior 

The European Commission states that some GDPR obligations will not apply to companies where processing personal data isn’t a core business activity - such as the appointment of a Data Protection Officer.
 

Informal Exemptions to GDPR

There are a range of scenarios that free companies from the oversight of GDPR.

If you’re not operating in the EU, you may be exempt from GDPR if you don’t use an EU language, currency or refer to EU consumers - this is tricky given the usage of some of these languages around the world so your intent is important. 

You’d need to also ensure that EU residents can’t register for an account or purchase anything.

If your company does collect data, you may be exempt if you don’t process personal data - i.e. anything that can be used by itself to identify someone. Anonymous data is also not covered by GDPR.

There remain some specific scenarios that fall outside the scope of GDPR - they don’t apply to many private companies and vary from EU country to EU country.

Overall, they relate to very specific parts of the GDPR. Particular companies might not need to provide people with the personal data on file, or they might not need to communicate certain information in their privacy notice. Here are some examples:

• Law enforcement is exempt from GDPR in specific situations
• Journalism is exempt from GDPR, if compliance means suppressing press freedoms
• Universities are exempt from giving students access to exam papers in specific situations.
   

What are GDPRs Key Principles?

Article 5 establishes seven principles that act as an overarching framework to guide the handling of personal data. Data controllers must comply with these principles, and be able to demonstrate adherence at any time.
 

1. Lawfulness, Fairness, and Transparency

Lawfulness means that you should have a good reason for collecting and processing data. 

Fairness means you should never purposely withhold your reason for collecting and processing data, and means you won’t mishandle or misuse it. 

Transparency means being open, clear and honest with data subjects about who you are and what you’re going to do with personal data.
 

2. Purpose Limitation

GDPR states that personal data is “collected for specified, explicit and legitimate purposes”. 

You must clearly establish your purpose for collecting data, communicate this to users in a privacy notice and ensure that your activities stay within these set limits. If not, you must acquire further consent from users, unless there is a legal precedent for doing so.
 

3. Data Minimization

This means collecting the least amount of data required to deliver your objective
 

4. Accuracy

This means that all the data you collect and store is correct. It requires setting up systems and regular audits to ensure that incorrect data is corrected, updated, or deleted.
 

5. Storage Limitation

GDPR forces you to justify how long you store personal data for. This can be done by establishing a storage limitation policy and anonymizing data once the set time period is over.
 

6. Integrity and Confidentiality (Security) 

This means you are required to keep personal data secure from internal and external risks, and protect it from unauthorized processing as well as accidental loss or damage.
 

7. Accountability

Companies must have appropriate processes, procedures and documentation in place to prove compliance with data processing principles, and supervisory authorities have the power to demand evidence of this at any time.
 

Understanding GDPR compliance

GDPR has established a new standard for the data protection of EU citizens and residents, and presents a challenge to companies that risk huge fines for non-compliance.

GDPR outlines certain obligations organizations must follow, which limits how personal data can be used. 

It also defines eight data subject rights that guarantee specific entitlements for an individual's personal data, ultimately giving individuals more autonomy over their personal information and how it is used.

But following GDPR requirements is not enough and you may wonder, what is GDPR compliance?

It is the first law of its kind in the US, and other states will be paying close attention to the practical implications as they create privacy laws of their own.

It will be replaced by the more expansive California Privacy Rights Act (CPRA) in 2023.

While a federal data privacy law for the US remains out of reach, compliance with the California Consumer Privacy Act (CCPA) is still a challenge. Only 11% of companies fully meet the regulation's standards, according to research from Cytrio. The report is based on a study of 5,175 US companies with revenues between $25 million and surpassing $5 billion over a six-month period.

The law begins by listing the five rights it has been designed to protect, so that’s a good jumping-off point:

1. The right of Californians to know what personal information is being collected about them
2. The right of Californians to know whether their personal information is sold or disclosed and to whom
3. The right of Californians to say no to the sale of personal information
4. The right of Californians to access their personal information
5. The right of Californians to equal service and price, even if they exercise their privacy rights
    

Sanctions for non-CCPA-compliance

This law has introduced potentially crippling fines for the misuse of data. 

It has given the Californian Attorney General the power to fine companies up to $2,500 per violation - increasing to $7,500 if there was clear intent. 

Companies that suffer a data breach also risk a class-action lawsuit and payment of up to $750 to each affected consumer.

However, the law does give companies 30 days to rectify any misuse of data, if applicable.
 

CCPA Vs. GDPR

CCPA has often been referred to as “America’s GDPR”. 

It is considered one of the strictest laws of its kind in the US and mirrors GDPR in terms of the data protection it gives California residents.

Like GDPR, CCPA includes the right to transparency, requiring companies to inform consumers about what data is collected, and how it is shared. It also gives consumers the right to access, delete, and opt-out of any data activity on request.

The CCPA provides some of the eight GDPR rights of data subjects, but is actually more constructed around emphasizing two additional rights - these are implicit in GDPR, but not recognized as rights themselves:

The right of Californians to say no to the sale of personal information (or “opt-out”)
The right of Californians to equal service and price, even if they exercise their privacy rights (or right to no retaliation)

Below is a side by side comparison of the two laws.

GDPR has inspired a wide range of national legislation that offer similar - though not identical - levels of data protection. 

Below is a list of countries that the European Commission believes has laws adequate for data protection under GDPR:

Argentina
Personal Data Protection Act No 25,326, constitutional protections 
2001

Bahrain
Personal Data Protection Law 
2019
Individuals risk a potential one-year prison sentence for unlawfully transferring personal data out of the country.

Brazil
General Data Protection Law LGPD 
2020

Canada
Personal Information Protection and Electronic Documents Act (PIPEDA) 
2000

Israel
Data Security Regulations 
2017

Japan
Act on the Protection of Personal Information (APPI) 
2020

Kenya
Data Protection Act 
2019

Mauritius
Data Protection Act 
2017

New Zealand
Privacy Act 
2020

Nigeria
Data Protection Regulation 
2019

Paraguay
Law No. 6534/20 on the Protection of Personal Credit Data
2020

Qatar
Law No. 13 
2016

South Africa
Protection of Personal Information (POPI) Act 
2020
Like a number of African data protection regulations, POPI distinguishes itself from GDPR in that it only applies to South African companies processing data within the country, and is less strict on consent for non “special category” data.

South Korea
Personal Information Protection Act (PIPA) 
2011, 2020
Considered one of the strictest data privacy laws in the world.

Thailand
Personal Data Protection Act 
2021 

Turkey
Law on Protection of Personal Data No. 6698 
2016

United Kingdom
Data Protection Act (2018)
The law was amended from 2021 to integrate requirements from the EU GDPR.

Uganda
Data Protection and Privacy Act 
2019

Uruguay
Act on the Protection of Personal Data and Habeas Data Action 
2008

If you want to find a law that hasn’t been mentioned here, find the full list on UNCAD's data privacy information portal.

GDPR is in the news constantly of late.

In this section, you will find the latest GDPR news today. It covers GDPR enforcement, data breaches, and updates on data protection policies - both in Europe and across the world:

• GDPR Top Stories
• GDPR News Archive
• GDPR Enforcement News
• Updates on Other Data Protection Policies

Scroll down the page or click the links above to jump to a section.

GDPR Top Stories

France - the Latest DPA to Declare Google Analytics Illegal

February, 2022 - France’s data privacy authority has ruled that Google Analytics is in breach of GDPR Article 44, which prohibits the transfer of personal data outside of the EU/EEA unless the recipient country can provide adequate data protection.

This decision comes hot on the heels of the Austrian Data Protection Authority’s similar ruling on Google Analytics in the private action brought to court by Max Schrems.

Learn more in the full news story
 

IAP Europe Fined €250,000 by DPA for GDPR violations

February 2022 - Belgium's data protection authority has fined Europe’s digital marketing and advertising association €250,000 for violating its Transparency and Consent Framework (TCF).

The decision to sanction IAB Europe and limit the use of TCF, along with the requirement to delete all current data, will impact publishers, advertisers, tech companies, and big tech companies like Google and Amazon. 

Learn more in the full news story
 

CJEU Strikes Down EU-US Privacy Shield

July 2020 - The Court of Justice of the European Justice (CJEU) has this week ruled that companies cannot store EU citizen website traffic data in the US.

This landmark decision effectively terminated the bilateral agreement between the EU and US on data sharing, and has widespread implications for many companies - including the biggest players in the tech industry.

Learn more in the full news story.

GDPR News Archive 

• Does the Schrems II Decision Mean That Google Analytics Is Not GDPR Compliant?
• An overview of regulations after Schrems II and the Privacy Shield invalidation

GDPR Enforcement News

Biggest Financial Penalties to Date

Updates on Other Data Protection Policies

New Privacy Laws

February 2022 - Californian lawmakers are drafting a new bill to protect the personal online data of children. This follows on from the UK’s recently enacted regulations on children’s code.

December 2021 - Zimbabwe brings into force its first privacy act - the Data Protection Act No. 05/2021.

December 2021 - Jordan’s Council of Ministers approved the 2021 Personal Data Protection Draft Law, submitting it to the kingdom’s House of Representatives.

October 2021 - Rwanda brought into law its first data protection legislation, Law No. 058/2021.

October 2021 - An amendment to Hong Kong’s data protection laws came into force, criminalizing doxxing.

September 2021 - Singapore’s Personal Data Protection Commission publishes its revised privacy guidelines.

August 2021 - Japan’s Personal Information Protection Commission issued guidelines for the 2020 amendments to its Act on the Protection of Personal Information (APPI), clarifying previously unclear aspects of the law.

September 2021 - China’s Data Security Law comes into force.

August 2021 - Cape Verde amends its 2001 Data Protection Act, bringing it closer to GDPR in on a number of key privacy issues.

June 2021 - The European Commission launches talks aimed at adopting an “adequacy decision” for the transfer of personal data to South Korea. This means that it is happy that South Korean data privacy laws meet GDPR requirements.

April 2021 - Burkina Faso enacts its Data Protection Act, replacing outdated legislation from 2004.

March 2021 - Zambia enacted the Data Protection act, becoming the 31st African country to pass data protection legislation.
Regulations and Guidance

December 2021 - Senegal’s data protection authority released regulations related to data retention periods for different classifications of data that range from six months to 10 years.

December 2021 - Kenya published its Data Protection Regulations that fleshes out its 2019 Data Protection Act. It tightens up national privacy laws on a range of issues that would be recognizable to anyone that has been following the GDPR.

June 2021 - South Africa issued POPIA guidance notes on the processing of special personal information and the personal information of children. This followed instructions in March and April on applications for prior authorization and exemptions for the unlawful processing of personal information respectively.

March 2021 - Uganda adopted its Data Protection and Privacy Regulations - this complements its Data Protection and Privacy Act and provides further details on issues that include its data protection authority, data management obligations, and data subject rights.

GDPR is a huge obligation for marketers.

Digital marketing is all about using websites, search engines, emails, and social media to drive consumer engagement with your company and boost revenue.
 

How does GDPR Affect Marketing?

GDPR and marketing go hand-in-hand, with the law introducing quite a few essential requirements for marketers.
 

Data Consent

Consent is a big component of GDPR requirements. In practice, this is about having opt-ins across your marketing ecosystem.

You need to actively seek explicit permission from users for the collection and use of their personal data. Pre-ticked opt-ins are yesterday’s news as, to comply with GDPR, consent needs to be a deliberate choice.
 

Data Access

GDPR has given EU residents more control over how their personal data is collected and used - including the ability to access, transfer or remove it. 

It is your responsibility as a marketer to ensure that you respect these wishes and have systems in place to quickly access these requests.
 

Data Focus

GDPR requires that you have a legal justification for any personal data collected. 

All this means is that you only collect the data you need to provide your customer with a quality product or service.
 

Why Comply with GDPR?

Beyond the implications of GDPR fines, GDPR compliance brings with it a range of benefits for marketers:

• Creates a sustainable marketing strategy
• Increases trust with clients and customers
• Optimizes data accuracy, organization, and security
• Upgrades available martech options
• Improves relationships with DPO, C-Suite, and other departments
• Gives peace of mind from conducting business in an ethical fashion

How to Comply with GDPR? 

GDPR & Your Website

The information gleaned from website cookies has long been a useful tool for marketers in the digital age, enabling them to personalize outreach based on behavioral analysis that follows users around the internet.

However, GDPR requires consent for cookie collection - consent that is clear, specific, and unambiguous. 

Users must also be able to withdraw their consent at any time.
 

GDPR & Your CRM

Marketers need to consider how they collect, process, and handle data. With regards to the CRM, you need to look at:

• Kind of data: companies can only collect and store data that they can legally justify to provide consumers with their product or service
• Data storage and transfer: companies should encrypt personal data to secure it from the risk of unauthorized access or a data breach
• Data processing: companies should process personal data in a way that prevents it from being used to identify data subjects
• Data access: companies need to audit their systems and processes to see who has access to different types of data on file.
   

GDPR & Your Email Marketing

GDPR compliance for email marketing means preventing unwelcome or spam communications - consumers need to have opted-in to enter prolonged email campaigns.

Companies need to seek explicit consumer consent for how their personal data will be used before sending out any emails. This includes when companies acquire email lists from third parties.
 

GDPR & Your Software

Companies developing software need to ensure that the GDPR requirements of “privacy by default and design” are built in from the beginning.

What this means is that data privacy measures are included into the software from the earliest stages of development.

Why is Martech Important?

It’s common for various departments within a company to operate in silos, with sub-optimal collaboration processes. 

When used properly, Martech can remove these silos and bring departments closer together - enabling them to work more effectively towards shared goals, while delivering a better customer experience.

Some other benefits of Martech include:

• Better content creation: improve a marketer’s understanding of how effective their content delivery is, enabling them to understand performance, optimize experience, and deliver tailored content
• Improved efficiency: automate repetitive and time-intensive tasks, enabling employees to focus on other things
• Improved consumer targeting: create strategies that are individually tailored to each individual customer, resulting in stronger customer relationships, greater trust, and repeat business.
   

Issues with Adoption

While technology is constantly changing, organizations can remain somewhat inflexible. Martech can empower companies to keep up with increasing customer expectations, but they must utilize their solutions effectively.
 

What Categories of MarTech are there?

The range of martech options is wider than ever before.

While there is obviously some overlap, martech options largely fall into the following six categories:
 

1. Advertising

Integrate different advertising and promotion platforms used for paid ads and streamline the following areas:

• Automated advertising
• Social media advertising
• Search engine optimization
   

2. Content Performance

Improve your content creation, automation, and other processes. Examples include:

• Search engine optimization (SEO)
• Content management systems (CMS)
• Digital asset management (DAM)
   

3. Data and Analytics

Streamline data collection and analysis; optimize your website, improve product UX etc. Examples include:

• Customer data platforms (CDP)
• Data management platforms (DMPs)
• Website analytics
• Predictive analytics
   

4. Management

Used for improving managerial collaboration, communication, and project delivery. Examples include:

• Budgeting and finance
• Communication
• Project management
• Recruitment
• Time tracking
   

5. Sales

Enable your marketing and sales teams to better collaborate, automate processes, and execute sales and customer management at scale. 

Such tools can in fact connect multiple departments - beyond marketing and sales, to customer support, success, and finance too. Examples include:

• Customer relationship management (CRM)
   

6. Social Media

This category of marketing technology includes:

• Social media management
• Monitoring
• Email marketing
• Influencer marketing
• Community management
• Chatbots
• Survey platforms
   

What is a Marketing Stack?

Simply put, your marketing stack is the collection of various technologies that your department is using. 

As individual tools, they will typically only provide limited benefit work - but, if you are able to successfully marry the data (between tools and departments) and automate processes, they can be the foundations of a successful strategy. 

By developing a marketing tech stack, marketing departments can visualize how their different platforms and systems are working together, with the goal of integrating everything for an enhanced internal and external user experience.

GDPR fines have also been the spark for positive changes. 

After being hit by a €35.3m fine in October 2020, H&M responded by introducing a swathe of new measures to protect consumer personal data. 

This included appointing a new Data Protection Coordinator, as well as creating a long-term data protection strategy. 

H&M is also working on paying back compensation to the employees that were affected.
 

The difficulties so far

Despite these successes, challenges still remain.
 

Lack of Intercountry Harmonization

While GDPR is almost fully rolled out across the EU, the depth of integration varies from country to country. 

Supervisory authorities also vary in how they interpret GDPR, and enforcement can conflict with different local laws in each state.

There is also a slow turnaround in cross-border investigations at the moment.

This resultant lack of data privacy harmony among EU member states is a real frustration of privacy professionals. It also makes the development of standardized guidance difficult.
 

Confusing Nature of Compliance

That uncertainty still hangs over the business community about compliance does not paint GDPR in a good light. 

The wording of the law is highly ambiguous and many companies are loath to spend huge amounts of money redesigning their data systems from the ground up, if they can’t be certain that they will escape fines for the misuse of data.

Companies have also been sent into a spin by the GDPR’s overly broad definition of what a personal data breach is. 

The 72-hour breach notification has also created problems for companies, resulting in DPAs being swamped in unnecessary notifications as companies jumped the gun before fully understanding what was going on.

Ireland and the one-stop-shop rule

The Irish DPC office has been underfunded for over two decades now and the workload is high. It currently has investigations open on at least 17 huge multinational firms.

This is because GDPR has a “one-stop-shop” rule, which says that companies should be prosecuted in whichever member state they choose to situate their headquarters.

Ireland is the number 1 destination for US tech companies - meaning that the Irish DPC is leading investigations into some of the richest and most powerful Silicon Valley firms, on behalf of the whole of Europe. 

Restricting business growth and innovation

Innovation conflicts with the protection of individual rights and GDPR appear to be seriously hampering the EU’s capacity to develop new technology. 

Knowledge of many important technologies for the future was already widespread when GDPR was being drafted, but the regulations make it all but impossible to develop or even use them.

This comes at a time when the continent desperately needs digital solutions, and there is no practical guidance about how GDPR can accommodate new technologies moving forwards.
 

Artificial intelligence (AI)

This is straightjacketed by strict GDPR requirements to obtain consent when processing data, putting EU firms at a competitive disadvantage next to North American and Asian competitors.
 

Blockchain

Blockchain is a digital database of information (like financial transaction records) that can be used and shared across a decentralized, publicly accessible network. 

This technology is seen as a powerful tool for increasing data security and can be applied to everything from the secure sharing of medical data and voting mechanisms to NFT marketplaces and cross-border payments.

A key feature of blockchain technology is that the intrinsic personal data cannot be modified without the consent of everyone involved. 

So, despite blockchain having the potential to meet GDPR objectives - like the secure flow of data and information - the law requires that consumers can request the deletion of personal information, making the two incompatible at present.
 

Health

GDPR requirements for data minimisation, purpose limitation and transfer of pseudonymised data outside of the EU makes it difficult to share health data.

It has also acted as a powerful check on health management during the COVID pandemic, since it restricted use of tracking data and data exchange between local health authorities.
 

eGovernance

In the last decade, Electronic Government measures have had a profound impact on the quality of the delivery of public services to citizens, though issues of privacy and security - central to GDPR - are causing momentum to be lost.
 

How will GDPR change in the future?

Ease of compliance

The European Commission wants to make it easier for smaller companies to comply with GDPR regulations. 

This would mean providing them with extra guidance, support and tools - like Standard Contractual Clauses, which companies can simply paste into their own customer contracts.
 

Ease of exercising GDPR rights

This includes seeing data portability beyond just banking and telecoms.
 

Private lawsuits

Private right of action and class action lawsuits are clear avenues for advancing how EU citizens can exercise their rights under GDPR. 

Such private lawsuits are anticipated to become more common, and these rulings will have a powerful impact on how GDPR will be interpreted in the coming years.
 

Proactive rather than reactive

Overall, the GDPR enforcement during the law’s first three years has been reactive - a result of either data breach notifications or data subject complaints. 

However, data protection authorities are now becoming much more proactive in targeting companies before any non-compliance issues have been filed. 

This sophistication in GDPR enforcement is only anticipated to grow in the years to come.
 

Data Protection Authority effectiveness

There is a push to improve how DPAs operate, particularly given how the case against Whatsapp illustrated the convoluted nature of GDPR’s enforcement mechanisms.

Improved effectiveness includes better collaboration between member state data protection authorities, with discussions continuing on how they can better work together to enforce GDPR. There is also support for a more centralized approach to enforcement.

This harmonization includes regional consistency and matching resources to the growing number of requests.
 

What does the future hold for companies?

Future legislation to look out for
 

EU ePrivacy Regulation

This will replace the ePrivacy Directive, introducing new rules on electronic communications. A draft proposal seen in April 2021 included regulations for artificial intelligence that were in line with GDPR.
 

Privacy shield replacement

Privacy Shield allowed US companies to process EU citizen data, as long as they adopted the GDPR’s higher privacy standards. However, US law meant that the US government could still monitor that data. 

After Max Schrems challenged this legal conflict, the Privacy Shield was struck down. It would be in everyone's interest to agree a replacement,
 

An Evolving Law

Given its seismic impact on global privacy laws, it is no wonder that GDPR is taking time to bed in. 

However, since its introduction in 2018, it has undoubtedly strengthened both security measures and consumer protection.

Much has also been learnt about where GDPR has succeeded and where improvements can be made in the future.

No doubt improvements made by other countries to data privacy legislation will also influence data privacy regulation and enforcement in Europe.

What Makes TWIPLA Privacy-first?

For us, data privacy is an undebatable principle. 

We do not sell data or pass it on to any third parties. 

Data is aggregated and anonymized, and only used to provide the website owner with the stats and insights needed for improving site performance. These details cannot be traced back to any individual. 
 

What Data Protection and Privacy Laws are we Compliant With?

From the very first version of our app, our priority has always been the protection and privacy of the data that our customers trust us with. 

That is why we are focused on staying up to date with every data privacy law, and making sure that we are compliant with each one: BDSG, CCPA, CPA, DPA, ePrivacy, GDPR, LGPD, PECR, PIPEDA, PIPL, PDP, POPI, VCDPA, & TTDSG.

What Web Data do we Process?

The types and amounts of personal data we process are limited to those stated in the contract with the customer. We do not share it with third parties. We only process personal data as described in our Privacy Policy. 
 

Why and How do we Process Web Data?

At TWIPLA, we are aware of the trust that our customers place in our product and team, and our responsibility to keep your data and privacy secure. 

Therefore, we are transparent regarding the information we collect when you use our products and services, why we collect it, and how we use it to improve the service for you!

Our Terms of Use & Data Processing Agreement describe how we treat personal data in connection with the use of our App and how we take care of it.
 

Who has Access to Web Data?

All the data we gather for our customers is confidential information. 

TWIPLA’ employee access controls protect customer data from unauthorized access, and we use a special script to access a website owner’s data (both account data and their visitors’ data) and conduct audits to ensure the controls are enforced.
 

What is ISO 27001?

We are proud to be ISO 27001 certified. 

ISO 27001 is an internationally recognized standard that ensures that our app meets best practices for an information security management system.

These help our organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to us by third parties — such as websites and other customers or partners.

Using this mode, IP addresses are anonymized, page history is not displayed, returning visitors are only guessed, and screen resolutions are approximate.  You will still be able to access approximate Visitor Location. This is our most secure mode as no cookies, fingerprinting, or other data is stored. This means a cookie banner is not required.

Using Complete Protection, no tracking data or cookies are generated or stored and the details of a user’s device are never accessed. 

There is no digital fingerprint at all. No personal data is stored. No cookies are used. Only a unique ID. 

So, there is no need for consent - one less thing to worry about when managing a website. 

This also means that 100% of ethical statistical and analytical data is available for users to rely on when making website improvement decisions.
 

FAQs
 

Is session recording and heatmap data considered personal data?

This data is not considered personal information as long as it is not linked to a specific IP address. By using Cookieless Tracking Mode and Complete Protection Mode, IPs are anonymized.
 

How does digital fingerprinting work?

Unlike cookies (which are set by services in the user’s browser storage), the fingerprint is already set for each browser, as a kind of user agent identifier (browser name, version, screen resolution, etc.)
 

What is the difference between digital fingerprinting and unique ID?

The fingerprint does not change often, while the unique ID is a different ID generated by us, as a hash on the server for each session.
 

Where is the digital fingerprinting data stored? How long is it stored? What happens with that data?

The fingerprint is NOT stored anywhere on the browser. It usually does not change, unless there is a browser version update, or an uninstallation and reinstallation. It is always calculated on-the-fly.
 

How is collecting data without using cookies or consent banners legal?

GDPR and other privacy laws are very specific when it comes to data that can create an approximate individual profile. By not storing any data and by not using IP addresses, activity patterns like page history, or exact locations or device settings, there is no way an individual profile can be identified.