Specifying Legal Basis for processing data
This is a requirement under GDPR, but it does not seem to be covered in the Iubenda privacy notices - will this be added?
Just found this statement on the length of data being stored.
Retention policy - This field refers to how long data is being stored.
The default option is “keeping the data for the time necessary to fulfill the purpose” and should apply to most cases. Otherwise, you can choose from a period of 1 up to 5 years.
If they do not have the specific piece to accommodate the DPA then you will not be GDPR compliant come Friday... oh what to do...
So glad I found this thread as I've spent the past hour trying to find that language. That is a HUGE piece of being GDPR compliant. Really the main focus is the data processing agreement (DPA) - I'm 50% sure the time frame is no more than 1 year as a standard.
I also believe there needs to be a way to specify in detail how long data will be stored... is there any way to add that "manually"?
I agree with this. We must state which lawful basis we are using, yet the GDPR element is so generic that it almost touches on all in my policy....
How is everyone getting around this for now?
I agree with this but would like to go further. For example, we have various contact forms on our site (including a "demo request") - since we are a B2B business, we would like to rely on legitimate interest / opt-out for further contacting those people for marketing reasons, beyond the initial demo, but short of writing our own text, there is no option for this.
Looking forward to an update from Iubenda.
Thank you for the GDPR update! You could still further enhance the service by allowing the website owner to choose the legal basis of processing.
Currently, the policy does not seem to fulfill the requirements of GDPR since it does not actually specify which legal basis is relied on. WP29 has stated: In addition to setting out the purposes of the processing for which the personal data is intended, the relevant legal basis relied upon under Article 6 or Article 9 must be specified.
Listing all the possible legal bases under GDPR does not fulfill this requirement.
This is still not included in the Iubenda privacy policies. You have stated in your email to users: "We can confirm that all of iubenda's current solutions will be fully GDPR ready by the end of April. The GDPR comes into effect on the 25th of May 2018." Currently it does not seem to be the case - can you confirm that you are working on this?