Concerns about legal/GRPD stuff (EU)
Hi all,
I'm about to release an app that's basically a marketplace to find skilled people in certain areas. I'm based in Poland (part of EU) and this app will be targeted at the Polish market only, at least initially.
If a person/company decides to advertise their service, I'll have to persist a bunch of data. All their data will be publicly available anyway (apart from the credentials, of course) as this is the main goal of the website, to promote certain services. I'm not asking anything else apart from what's going to be promoted.
I'm using Firebase as backend/database/auth and I'm wondering what kind of legal/GRPD documents I should add.
I don't use any cookie for unauthenticated users who are just scrolling through, trying to find a service. But once the user is logged in, I'm sure Firebase will add some cookies even if just to keep the session of an authenticated user.
Any recommendations of what I should add to my website/app to protect myself?
What @that_guy_iain said is very important as of now, but the EU and the US are very close to an agreement that would end that constraint.
You also need:
Stuff like Iubenda is helpful, but getting a privacy policy and terms and conditions does not mean you are 100% compliant with the GDPR. You also need to ensure that you process data for adequate purposes, that you process only the minimum set necessary for the purposes, that your data is secure, to respond to data subject requests, etc.
GDPR compliance is not only getting T&Cs and a privacy policy. It is much more than that.
I use https://www.iubenda.com/ iubenda. It's not cheap but it's worth it in my opinion. It has a tool that asks you step-by-step what services you use (firebase auth, db, stripe for payments, analytics, etc) and then spits out custom privacy policy, cookie policy and terms&conditions. It also gives you a couple of javascript snippets so they're easy to integrate in your site. The best feature, imho, is that they work with lawyers to make sure all your polices stay up to date.
EDIT: You can see it in action on https://focusdiner.io
Thanks!
Unfortunately, it doesn't seem like they have a Polish version. I can get it translated though.
They're located in Italy and are fairly new, I'm sure they'll support more languages in the future, but I'm pretty sure that in the meantime there's polish alternatives out there
I think you should have an Data processing agreement with the processor (in this case Google). Sort of it can be found here: https://firebase.google.com/terms/data-processing-terms you should save this.
Besides this, I don't expect that anyone will fine you. As that_guy_iain says they don't have to manpower as long as there are no serious big offences to GDPR
Thanks!
You reckon I should have those firebase terms referenced in my website terms of service?
According to Article 28 of the GDPR, you should only use data processing providers (like Firebase in your case) that provides sufficient guarantees to meet the GDPR. This guarantee can be given by the linked Data processing agreement. The one thing you should do in my opinion is just to download the agreement of Firebase, so that you always can refer to it. It is mainly to prove that you have the guarantees that Firebase meets the GDPR requirements
A privacy notice. That states who you share data with and why.
Using Firebase will be a GDPR violation. Since it's owned by a US org and there is no legal way to give them data. But... It's something you can mostly get away with since they're too many doing it's impossible to fine everyone. They don't have the manpower.
Same with Google analytics. But courts are fining people for that...
If you're going to send them emails you need consent for that unless it's required emails like forgot password and what not.
I'll come back with more because I'll remember more.
Fines are based on the extent of the violation so no matter how big or small the size of your company if there is a violation of privacy of a large number of people fines can be big. I wouldn't count on their manpower.
Thanks for the help so far!
So basically, any US owned hosting company will be a GDPR violation, even if I'm hosting on their EU servers?
I mean, I understand they don't have the manpower to go after small fish, but it's still frightening. Based on what @Rolandf mentioned, it gets worse as the fines are based on the extent of the violation and not the size of the company.
It's a dead simple service with no gotchas. Very transparent to everyone. The only data (apart from e-mail and password used as credentials and stored by firebase/google) I'll be storing is the same data that will be public anyway (I plan to add a consent for that case, just to be on the safe side). I mean, I could even give up on Google Analytics and look for something less invasive though it doesn't seem to be enough to fully protect me.
The fact that just hosting my app on a US-owned company is already enough to be in the wrong makes me wonder how serious it can get.
Perhaps I should indeed consult with a lawyer before I go public.
This comment was deleted 3 years ago.
This comment was deleted 3 years ago.
The courts decided that because Google, AWS, etc are US based companies a US court could force them to hand over data even though the data is stored within the EU.
Exactly. I believe Google believe they will find a workaround by 2023.
All the Google Analytics are illegal court decisions. They're all based on the fact they're controlled by a US org. And there is no legal way currently transfer data to the US.
Here is the Danish Data Protection Agency saying so. https://www.datatilsynet.dk/english/google-analytics/use-of-google-analytics-for-web-analytics
This comment was deleted 3 years ago.
It's the same court judgements. The logic applies to all...
What are you talking about? Have a quick word with yourself. You were literally being quoted to point out what I was responding to. Or do you not understand how replies work?
This comment was deleted 3 years ago.
This comment was deleted 3 years ago.
IF YOU DO NOT UNDERSTAND THAT IF THE LAW THAT ALLOWED GOOGLE ANALYTICS TO BE LEGAL WAS STRUCK DOWN AND THAT LAW WAS THE SAME ONE FOR ALL US-BASED ORGANISATIONS. THERE IS NO POINT CARRYING ON. YOUR UNDERSTANDING OF GDPR AND LAW IS NOT GOOD ENOUGH TO CONVERSE ON THE MATTER.
This comment was deleted 3 years ago.
It's funny you call me really dumb. While not understanding how GDPR works or how data transfer agreements work. As I said, you're lacking the understanding that is required to converse on the subject.
Your question hasn't been evaded. You just haven't understood why the answer given is valid and very important. Because you're lacking the understanding required to converse on the subject.
In case you haven't understood what I've said so far. You lack the understanding of GDPR and the EU law required to talk and discuss about the legalities of things.
This comment was deleted 3 years ago.