The status of Symphony Online with regard to data collection varies depending on how and where the data is collected. Listed below are examples of this, and an explanation of our understanding of our status in each scenario.
Client created data collection (via our Form Manager)
As a web agency, we provide the tools for our clients to collect data on their own website. This is normally done through a Form Manager, whereby the client creates a form and manages the collection of the data within their own admin system.
Where this arises, we consider the client to be both the Data Controller and the Data Processor. This is because Symphony Online have extremely limited control and oversight of this process which is initiated, managed and controlled entirely by our client.
However, we do recognise our responsibility with regard to the storage of that data on our server, and agree that the data will be securely stored on our server in compliance with GDPR.
Symphony created data collection
This scenario occurs when we collect data into a Channel in our Content Management System. A good example of this is the Exhibitor Zones on our websites, where exhibitors log in and enter their details for display on the website and export for a printed asset.
In this situation, Symphony Online creates the form that will store the data, and as such we consider ourselves to be the Data Processor. We will ensure that we meet our obligations under both GDPR and the new ePrivacy Regulations.
Self managed cookies
As a web agency we provide the tools for our clients to add their own marketing tags that will appear in their website code to facilitate the transfer of data between the website and the user’s device.
Where this arises, we consider the client to be the Data Controller. We will also consider a third party to be the Data Processor. This could be the client themselves, or a third party such as the client’s designated marketing system/company.
Symphony Online will have no responsibility or liability for this type of transaction. This is because Symphony Online have extremely limited control and oversight of this process, which is initiated, managed and controlled entirely by our client and their appointed representatives.
Cookies that Symphony Online have added to your website
In future, Symphony Online will only add third party cookies that do not contain personally sensitive data and are therefore not covered by GDPR.
This will mainly be limited to Google Analytics code that is GDPR compliant and the implementation is covered satisfactorily by the ePrivacy Regulations.
Our clients are always considered to be the Data Controller, as it is they who determine what data is to be collected and how that data is used and stored.
In certain situations (see above), the client will be considered both the Data Controller and the Data Processor.
You must ensure that you are fully compliant with the requirements of GDPR.
We are required by law to obtain the name and contact details for anyone who is a nominated data controller for any of our websites and web services that collect data of a personally sensitive nature.
Please provide the name of your nominated data controller along with the URL of your website to [email protected]
Types of cookies
Cookies that do NOT contain personally sensitive data
Cookies that do not contain personally sensitive data, as defined by the GDPR regulations, will be covered by the new ePrivacy Regulations.
Please note, personally sensitive data now includes any data that can be used in conjunction with other data to create profiles of the natural persons and identify them. Under GDPR, this includes data such as IP addresses.
Cookies that DO contain personally sensitive data
These are covered by GDPR, and as such, you will need to ensure you are compliant with the requirements of GDPR. In practice, this means that you will need to implement a robust approach to ensure that your website users are aware of the cookies, know what the cookies do and what data they collect, and, most importantly, to expressly obtain the user's permission to use those cookies BEFORE they are dropped onto the user's device.
Again, personally sensitive data includes data such as IP addresses that could be used in conjunction with other data to create profiles of the natural persons and identify them.
If you have any external code that drops cookies that contain personally sensitive data, please inform us at your earliest convenience so that we can assist you with your compliance requirements from a technical perspective. We will need to implement an opt-in cookie notice that is capable of being rejected by the user as a minimum.
Google Analytics code
Google has stated their ambition to be GDPR compliant. So, providing your Google Analytics set up is standard, then you should be GDPR compliant. However, this may not be the case if:
Please refer to your marketing provider to see if you are GDPR compliant. Google AdWords, for instance, should be compliant unless you have a custom configuration. Other marketing scripts will NOT be GDPR compliant.
Our Content Management System code
We use ExpressionEngine CMS. This does not drop cookies unless the user has signed in to an Exhibitor area or the admin area. As these types of visitors have a contract with you, consent is not required, providing the use of the data is in line with another legal basis for data collection:
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Please see this page on the ICO website for more details: