Transparency relative to personal data processing is a fundamental notion of the GDPR.
In online platform publishing (websites, mobile applications, etc.), where personal data is gathered, data controllers are required to provide their users with a certain amount of information specifying how data is collected and used.
According to the GDPR
Article 5 specifies that:
‘Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.’
Articles 13 and 14 specify the information to be provided, including, in particular, explanations of the purpose of processing and the length of data storage.
This information must be easily accessible and expressed in explicit terms.
Regarding Piano Analytics
Our Data Processing Agreement (DPA) specifies the obligations relative to information, in accordance with the provisions of Articles 13 and 14 of the GDPR.
The information you may provide to your web users via an information page (e.g. ‘Privacy policy’) concerning your use of Piano Analytics as an audience measurement solution notably includes the following.
The legal ground for processing: consent
With the exclusion of exceptions authorised by law, the legal ground for processing is based on the consent of your platform users. The purposes of trackers must be presented to the user prior to the user’s consent. No trackers shall be placed on the user’s terminal without the latter’s prior and explicit consent.
Note
Tacit consent is excluded under French law. As specified in the deliberation of September 17, 2020: ‘The fact of continuing to browse a website, to use a mobile application or to scroll through a page on a website or mobile application does not constitute clear positive actions assimilable to valid consent.’
The terms of collection and consent in the framework of our Digital Analytics solution are specified in the Consent Management section.
Furthermore, the web user must also be free to withdraw their consent at any time.
Regarding Analytics, the main options for the withdrawal of consent are:
- Opt-out (ensures the user is no longer tracked): see the Piano Analytics opt-out procedures.
- Location sharing (enables the disabling of GPS data collection on a mobile application)
If your application enables GPS data collection, you must inform your users and provide the means to disable this service.
For more information on this subject:
- Our compliance guide specifies the practical terms for consent management in the framework of our solution (inclusion of opt-out)
- Your users' Preferences section provides an overview of the various options available to users to specify their preferences (including opt-out and share location)
Action
Update your information page (Personal Data) on your websites, in addition to the settings and data of your mobile applications. These sections must form a ‘privacy centre’ listing all essential information relative to your users’ personal data.
This privacy centre must be easily and rapidly accessible, to enable in particular the updating of the user’s consent preferences.
Processing purpose
As a Data Controller, you must be able to explain to your users the end purpose of the use of your audience measurement solution.
The aim of our audience measurement solution is to produce statistical audience data and analysis, digital intelligence and data recovery via a secure web interface or via the export of this data.
In addition to this main purpose, you may wish to use the digital analytics solution for accessory purposes, related notably to your business sector and/or strategic digital aims.
Type of personal data
The types of personal data are presented in the following article.
Data transfer
If the processing procedure you use includes data transfer outside of the European Union, you must inform your web users thereof and ensure an adequate level of security (see Articles 13, 14 and Chapter 5 of the GDPR).
See ‘data protection around the world’ on the CNIL website.
Regarding Piano Analytics, and as is specified in our DPA, we undertake to ensure all your analytic data is processed and stored within the European Union.
Duration of storage
Article 5 of the GDPR requires the Data Controller to define a personal data storage duration, thus ensuring such data is stored only for the time necessary to achieve the stated purposes.
For more details on the storage duration of your analytic data, please see our ‘Data Retention’ article.
The right of data subjects
With regard to all the personal data you collect, you must be able to provide a response to web users relative to the exercising of their rights.
The terms of application of these rights relative to data collected via our solution are set out in the article ‘Your Users’ Rights’.
The information you provide on these rights must specify that they exist, recall the legal context, and give your contact points for exercising such rights.
Data ownership
All data collected via our services is under the full ownership of our customers, the data controllers.
Piano Analytics, the data processor, does not use its customers’ data under any circumstances.