
News

Posted over 2024 years ago
For startup founders from a startup founder ;-)

As a startup founder, you need to think about conversion rates. Better conversion rates mean better business. If you want to target European customers and you are using a CRM service from Silicon Valley, you cannot simply do it without notifying your potential customers. Some privacy experts will tell you it is enough to write about it in your privacy policy. Others will tell you to change your landing page and add a checkbox for your customers to consent to their personal data being processed by the US CRM service.

We have another solution for you: stick with cloud services provided by European companies. You can simplify your privacy policy and your legal obligations by avoiding personal data transfers out of the European Union, for example from Europe to the US. To make it really simple, go with European SaaS vendors when choosing your service providers.

We decided to build a curated list of European SaaS vendors for you. Many of these services provide a limited free plan, which is great for early-stage companies. You still need to list the services you use in your privacy policy.

Vendor information

- Mailjet is a French company. The company was sold to Mailgun (USA). It is a powerful email service provider: it offers an API and an SMTP service to send emails, as well as regular email marketing/newsletter services. An additional bonus: up to 6000 emails per month are free. https://www.mailjet.com/
- Mailerlite is from Vilnius, Lithuania. It is a great email marketing and survey company. An additional bonus: up to 12000 emails per month are free. https://www.mailerlite.com/
- An Ireland-based, business-oriented email marketing and survey company. They provide an API for your service. The company recently launched a major privacy initiative called Do Not Track: https://sensorpro.net/dnt . An additional bonus: the freemium plan is free for up to 2,500 subscribers. https://sensorpro.net/
- SMS.TO is an easy-to-use SMS gateway. The service can send messages to WhatsApp and Viber. The company is from Cyprus. It is easy for developers to start working with this service. The company offers a small signup bonus (less than 1 euro) to send out test SMS messages. https://sms.to/
- BulkGate is an SMS gateway supporting Viber. The company is registered in the Czech Republic. https://www.bulkgate.com/
- Retarus is an international business communication platform offering email, fax, SMS, and EDI services. The company has a number of European offices and offices in the USA. https://www.retarus.com/
- Crisp is an online chat service based in France. The basic version is free. https://crisp.chat/
- Pipedrive CRM, from Estonia. https://www.pipedrive.com/
- Capsule CRM, from the UK. This service has plugins for Gmail and a free plan for small teams. https://capsulecrm.com/
- Really Simple Systems CRM is from the UK. https://www.reallysimplesystems.com/
- SuiteCRM is an open-source project. You can deploy it on your cloud servers in the EU. https://suitecrm.com/
- Vtiger CRM is an open-source project. You can deploy it on your cloud servers in the EU. https://www.vtiger.com/open-source-crm/
- Healthchecks is a cron job monitoring service. A small script on your server sends vital signals to the Healthchecks main server. This startup is from Latvia. https://healthchecks.io/
- STACK is a cloud hosting service provided by TransIP. This company also offers VPS hosting and domain registration. The company is from the Netherlands. No free plans, but cheap, with plenty of connectivity and configuration options. https://www.transip.nl/
- A secure email hosting service from Norway. https://runbox.com/
- A secure email hosting service from Germany. https://tutanota.com/
- A well-known secure email service from Switzerland. It provides a professional plan to host encrypted emails for your organization. https://protonmail.com/
- Vikunja is an open-source, self-hosted to-do list application. https://vikunja.io/
- An open-source enterprise wiki service. https://www.xwiki.org/
- A self-hosted content collaboration platform from Germany. https://nextcloud.com/
- Open-source ERP and CRM. https://www.odoo.com/

What do we do at Privacybunker?

We build a suite of GDPR/CCPA privacy tools:
- Cookie consent banner
- One-click personal data reports
- Instant GDPR compliance reports
- User forget-me request automation
More info: https://privacybunker.io/

We provide a free service: we check websites for GDPR violations. https://privacybunker.io/free-cookie-popup-banner-check/

We released Databunker. Databunker is an open-source, self-hosted, GDPR-compliant, secure storage for personal data: https://databunker.org/

Do you know any European vendor missing from the list? Contact us at [email protected] and we will update our list with that vendor.
Posted over 2024 years ago
Summary

This detailed guide provides step-by-step instructions on how to build GDPR-compliant solutions, so that your European customers can use your business safely. Startup founders will certainly find this guide useful, especially those in an early-stage round. You do not need any technical experience to follow these simple step-by-step instructions. If you run an established business, you will find this guide useful as well.

In this article, I will reference two solutions that I am working on now. One is an open-source secure vault and SDK to store personal records called Databunker (https://databunker.org/). The second one is a privacy automation service called Privacybunker.IO (https://privacybunker.io/).

Why should I care about GDPR?

If your target market is Europe, you are obliged to work by GDPR standards. Following GDPR rules lets you satisfy more customers, which brings you more business opportunities. If you work directly with end users, GDPR compliance will increase your sales. According to the Cisco report, people are asking more questions about how their personal data is being used, and they now view privacy as an important component of a company's brand.

Why is GDPR relevant for small companies?

Non-compliance can result in meaningful fines. Not only Facebook and Google get hefty fines; small companies often turn out to be a target of privacy authorities too. For example, take a look at the following decision against PACKLINK SHIPPING. They had to pay €1,200 for cookie violations: the Spanish Data Privacy Authority (DPA) fined the website for placing Google Analytics cookies without user consent. More information about this case can be found in the following article.

Step 1: Identify personal data

As a first step, you need to identify which personal data you collect. Personal data is every single piece of information that can help to identify a person. You need to check that the personal data you collect is absolutely necessary for your business. Here is a partial list of records that are considered personal:
- Name
- Address
- RFID
- Contacts
- Passport details
- IP address
- Banking info
- Driving license
- Genetic info
- Financial info
- Cookie info
- Mobile device ID
- Personal ID
- Ethnic info
- Health / medical data
- SSN
- Political views
- and more

Step 2: Update your Privacy Policy and Terms-of-Service pages

According to GDPR Article 5, personal data shall be "(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')". To comply with the transparency requirement, you need to make sure your service's privacy policy and terms of service are correct and up to date.

In addition, in order to make use of personal data (called "processing" in GDPR terms) you need to have a legal basis for it. Any operation made with data is GDPR processing: for example, generating a list of customers, storing data in a database, fraud analysis, sending out emails, shredding documents, image processing, saving to an audit log, etc. GDPR identifies a number of legal bases, for example consent and contract. Privacy policy and terms of service fall under the contract legal basis.

Generating privacy documents

As a preparation step, make a list of all services you use, for example MySQL, HubSpot, MailChimp, etc. If you are low on budget, you can use one of the online policy generation services:
- Iubenda (https://www.iubenda.com/)
- Termsfeed (https://www.termsfeed.com/)
- Termify (https://termify.io/)
You can also find privacy policy experts on Fiverr (https://www.fiverr.com/). Personally, I prefer Iubenda, as it allows me to list all third-party services that I work with. Here is a partial list I use:

Storing and updating privacy policy and terms-of-service documents costs me 9 USD per month at Iubenda. If you have a budget, it is better to prepare privacy policy and terms-of-service documents with a professional privacy lawyer. If you need a privacy compliance specialist, I can recommend working with Vitomir Lučić at [email protected] from Croatia (https://boost.hr/en/).

Key topics for privacy documents:
- Make sure to list all third-party services that you use in your privacy policy, for example cloud CRM, email marketing services, advertising tracking tools, etc.
- Create a dedicated email address for the person who will handle user requests, like [email protected], and list this email address in your privacy policy and terms-of-service documents.
- Make sure to list which personal information you store in your internal systems.

Step 3: Personal data protection

The leading GDPR principles here are confidentiality and integrity, meaning that security measures have to be applied to protect personal data. Although there are no explicit GDPR encryption requirements, you have to enforce security measures. The GDPR repeatedly highlights encryption and pseudonymization as "appropriate technical and organizational measures" for personal data security. So it is always recommended to encrypt the personal data you store. Encryption also satisfies the "privacy by design" GDPR requirement.

Technical solutions

You can pick a very easy solution for database or disk encryption provided by your cloud provider. Most architects, CTOs and even ISO auditors consider those options an acceptable solution. In my opinion, database and disk encryption can be considered fake security solutions: any SQL injection or any security problem found in GraphQL will dump your customers' personal data in clear text.

You can use the open-source Databunker project to store your customer data. Instead of talking to Databunker using SQL, your backend has to call an API function to retrieve specific user details. It is similar to the API of most NoSQL databases.
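What that application-level approach involves, as an added example written for this edit rather than code from Databunker or from the post: each record is sealed with AES-256-GCM under one key, a separate keyed hash (HMAC-SHA256) of the normalised email is the only index, and the store exposes a lookup by email and an erase, but no list-all. Disk and database encryption defend against a stolen disk or backup; the injection case the post describes needs the encryption to sit above the query layer, which is what this does. The type and function names, the sample record and the in-memory map standing in for a database table are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type Record struct { // one customer's personal data (example shape, not Databunker's)
	Email string `json:"email"`
	Name  string `json:"name"`
}

// Vault files each record as AES-256-GCM ciphertext under an HMAC of the email,
// so neither the rows nor the index hold plaintext. There is deliberately no
// method that returns every record at once.
type Vault struct {
	gcm      cipher.AEAD
	indexKey []byte
	rows     map[string][]byte // token -> nonce||ciphertext
}

func NewVault(encKey, indexKey []byte) (*Vault, error) {
	if len(encKey) != 32 || len(indexKey) < 32 {
		return nil, errors.New("vault: need a 32-byte AES key and a >=32-byte index key")
	}
	block, _ := aes.NewCipher(encKey) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block
	return &Vault{gcm: gcm, indexKey: indexKey, rows: map[string][]byte{}}, nil
}

// token is the lookup key. Normalising first means "Alice@Example.com " and
// "alice@example.com" do not become two index entries for one person.
func (v *Vault) token(email string) string {
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return string(mac.Sum(nil))
}

// Put encrypts the record and files it under its email token.
func (v *Vault) Put(r Record) error {
	plain, _ := json.Marshal(r) // a struct of strings always marshals
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	t := v.token(r.Email)
	// The token is bound in as additional data, so a ciphertext cannot be re-filed under another user.
	v.rows[t] = v.gcm.Seal(nonce, nonce, plain, []byte(t))
	return nil
}

// GetByEmail is the only read path: one record per lookup, never a table scan.
func (v *Vault) GetByEmail(email string) (Record, error) {
	t := v.token(email)
	blob, ok := v.rows[t]
	if !ok {
		return Record{}, errors.New("vault: no such user")
	}
	ns := v.gcm.NonceSize()
	plain, err := v.gcm.Open(nil, blob[:ns], blob[ns:], []byte(t))
	if err != nil {
		return Record{}, err
	}
	var r Record
	return r, json.Unmarshal(plain, &r)
}

// Forget deletes the ciphertext: for a forget-me request that is the whole erasure.
func (v *Vault) Forget(email string) bool {
	t := v.token(email)
	_, ok := v.rows[t]
	delete(v.rows, t)
	return ok
}

// HoldsPlaintext reports whether s appears verbatim in any stored row (what a dump would reveal).
func (v *Vault) HoldsPlaintext(s string) bool {
	for _, b := range v.rows {
		if strings.Contains(string(b), s) {
			return true
		}
	}
	return false
}

func main() {
	keys := make([]byte, 64) // two fresh keys; in production they come from a KMS, never the database
	rand.Read(keys)
	v, _ := NewVault(keys[:32], keys[32:])
	v.Put(Record{Email: "alice@example.com", Name: "Alice"}) // constructed sample
	r, err := v.GetByEmail("Alice@Example.com ")
	fmt.Println(r, err, "plaintext in store:", v.HoldsPlaintext("alice"))
}
```

A compromised application tier can still look up individual users through the same API; what the design removes is the bulk dump that a SQL injection or a broken GraphQL resolver yields against an unencrypted table. Keep the two keys outside the database (a KMS or secrets manager); if they sit next to the data, application-level and disk-level encryption collapse into the same thing.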
Databunker does not have an API to fetch all users at once like SELECT *. Databunker encrypts customer records and builds a secure search index for quick user lookup (by email, token, etc.). Databunker also supports encrypted session storage. You can also build your own solution to encrypt sensitive customer records at the application level.

Step 4: Personal data minimization

According to GDPR Article 5, personal data shall be "(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)" and "(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". What does this actually mean? You need to remove customer data that is no longer needed. You must remove or anonymize users' data for expired trial accounts and for customers who left your service. In the SaaS business, converting 60% of trial accounts to customers is a big success. That means you still need to remove the remaining 40% of personal data or convert it to an anonymous form.

Example of a data minimization email

You can see an email received by a job candidate from GitHub. GitHub tells the candidate that his personal data will be removed in 30 days, or the candidate can keep his details on file by pressing "Keep my Data".

So, how to comply? For free trial accounts, when creating a user record in the database, make sure to add the last login date or last access date. If the user does not convert to a paying customer, you can try for a few months to convert him with emails. If that does not work, you need to remove his records from internal databases and from external systems (Mailchimp, HubSpot, etc.). You do not need to wait for a user forget-me request to remove his records: you have a data minimization requirement under GDPR, and you need to remove user details proactively.
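The proactive removal just described, as an added example (not code from the post, Databunker or Privacybunker): a scheduled sweep over accounts that carry the last-access date, which deletes unconverted trials after a grace period and anonymizes departed customers, and which also names every external system that holds a copy, since removing only the internal row leaves the Mailchimp or HubSpot copies behind. The account statuses, grace periods, field names and sample accounts are assumptions of the example.

```go
package main

import (
	"fmt"
	"time"
)

// Account is the minimal bookkeeping a retention sweep needs. LastAccess is
// the field the post tells you to add when the record is created; Status is
// "trial", "active" (paying) or "closed" (left the service).
type Account struct {
	Email, Name string
	Status      string
	LastAccess  time.Time
	CopiesIn    []string // external systems that also hold this person's data
}

// Policy is how long each kind of idle account may be kept before it must go.
type Policy struct {
	TrialGrace  time.Duration // re-engagement window for unconverted trials
	ClosedGrace time.Duration // how long a departed customer's data is kept
}

// Decision is the sweep's verdict for one account. PurgeFrom lists every
// external system that must be cleaned as well.
type Decision struct {
	Email     string
	Action    string // "keep", "delete" or "anonymize"
	PurgeFrom []string
}

// Sweep is meant to run on a schedule: it removes idle trials outright and
// anonymizes departed customers, without waiting for a forget-me request.
func Sweep(accounts []Account, p Policy, now time.Time) []Decision {
	out := make([]Decision, 0, len(accounts))
	for _, a := range accounts {
		idle := now.Sub(a.LastAccess)
		d := Decision{Email: a.Email, Action: "keep"}
		switch {
		case a.Status == "trial" && idle > p.TrialGrace:
			d.Action, d.PurgeFrom = "delete", a.CopiesIn
		case a.Status == "closed" && idle > p.ClosedGrace:
			d.Action, d.PurgeFrom = "anonymize", a.CopiesIn
		}
		out = append(out, d)
	}
	return out
}

// Anonymize keeps the row for aggregate statistics but strips everything that
// identifies the person. No hash of the email is kept either: a hash of a
// known address is trivially re-linked.
func Anonymize(a Account) Account {
	return Account{Status: a.Status, LastAccess: a.LastAccess}
}

func main() {
	now := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	// Constructed sample accounts, not real people.
	accounts := []Account{
		{Email: "idle-trial@example.com", Name: "Idle", Status: "trial", LastAccess: now.Add(-120 * day), CopiesIn: []string{"mailchimp"}},
		{Email: "fresh-trial@example.com", Name: "Fresh", Status: "trial", LastAccess: now.Add(-10 * day)},
		{Email: "customer@example.com", Name: "Cust", Status: "active", LastAccess: now.Add(-400 * day)},
		{Email: "gone@example.com", Name: "Gone", Status: "closed", LastAccess: now.Add(-45 * day), CopiesIn: []string{"hubspot", "mailchimp"}},
	}
	for _, d := range Sweep(accounts, Policy{TrialGrace: 90 * day, ClosedGrace: 30 * day}, now) {
		fmt.Printf("%-25s %-9s purge from: %v\n", d.Email, d.Action, d.PurgeFrom)
	}
}
```

The sweep only decides; the caller applies the decisions, and the PurgeFrom list is what turns into API calls against each external service. Log the decisions (without the personal data) so you can show an authority when and why each record was removed.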
Technical solutions

You can use the Privacybunker service to automatically remove user records from different services (Mailchimp, HubSpot, MySQL, PostgreSQL, etc.). You can use the open-source Databunker project (https://databunker.org/) for secure storage of customer records; it has an internal API to remove expired records. Or you can build your own solution.

Step 5: Cookie banner

You see cookie banners on almost any website these days, and you can find hundreds of examples of them. In reality, most of the cookie banners you see are not GDPR compliant. Here is a list of the most common errors when integrating cookie banners:

1. Placing non-essential cookies before getting user consent. We see a lot of websites including Google Analytics, Facebook Pixel tracking or similar JavaScript URLs that are called before the cookie banner is displayed. Under GDPR, users must first give their consent to advertising or analytics tracking before external services, e.g. from Google or Facebook, are called.
2. Cookie banner with forced acceptance. Displaying a cookie banner with only one button like "Accept" or "Got it" is not legal. It does not give your users a free choice to reject unnecessary cookies.
3. Non-essential cookie groups pre-checked by default. Make sure that non-essential cookie groups are displayed unchecked by default in the advanced cookie settings window. Explicit consent requires a very clear and specific statement of consent.

Going without a cookie banner

You can go the other route and leave your website without a cookie banner. For that, you will need to completely remove all third-party services and scripts from your website. More information about this method can be found in the following article: https://github.blog/2020-12-17-no-cookie-for-you/

Technical solutions

The Privacybunker service comes with a fully GDPR-compliant cookie banner in every plan and has a daily scan service that checks websites for common GDPR pitfalls, including broken cookie banners.
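As an added example written for this edit, not the project's banner code, here is the server side of errors 1 to 3 above together with the kind of check a daily scan performs: the page emits a third-party tag only once its category appears in the first-party consent cookie, the banner renders with a reject button and unchecked boxes, and ThirdPartyScripts lists the external script hosts found in a page fetched without consent, which should be none. The cookie name and categories, the placeholder hosts analytics.example and pixel.example, and the regular expression are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Consent is what the visitor has granted; essential cookies need no consent.
type Consent struct {
	Analytics bool
	Marketing bool
}

// ParseConsent reads the first-party "consent" cookie. No cookie, or one we
// cannot parse, means nothing was granted: the default is opt-out.
func ParseConsent(r *http.Request) Consent {
	c, err := r.Cookie("consent")
	if err != nil {
		return Consent{}
	}
	var out Consent
	for _, cat := range strings.Split(c.Value, ",") {
		switch strings.TrimSpace(cat) {
		case "analytics":
			out.Analytics = true
		case "marketing":
			out.Marketing = true
		}
	}
	return out
}

// Third-party tags, keyed by the category that unlocks them. The hosts are
// placeholders standing in for real analytics / pixel snippets.
const (
	analyticsTag = `<script src="https://analytics.example/collect.js"></script>`
	marketingTag = `<script src="https://pixel.example/track.js"></script>`
)

// RenderPage builds the HTML for one request. A tracking tag is emitted only
// once its category has been granted, so nothing third-party loads before
// consent (error 1). The banner has a real reject button (error 2) and its
// non-essential checkboxes start unchecked (error 3).
func RenderPage(c Consent) string {
	var b strings.Builder
	b.WriteString(`<html><head><title>Landing</title>`)
	if c.Analytics {
		b.WriteString(analyticsTag)
	}
	if c.Marketing {
		b.WriteString(marketingTag)
	}
	b.WriteString(`</head><body><h1>Hello</h1>`)
	if !c.Analytics && !c.Marketing {
		b.WriteString(`<form id="cookie-banner" method="post" action="/consent">` +
			`<label><input type="checkbox" name="analytics"> Analytics</label>` +
			`<label><input type="checkbox" name="marketing"> Marketing</label>` +
			`<button name="choice" value="accept">Accept selected</button>` +
			`<button name="choice" value="reject">Reject all</button></form>`)
	}
	b.WriteString(`</body></html>`)
	return b.String()
}

var scriptSrc = regexp.MustCompile(`<script[^>]*\ssrc="https?://([^/"]+)`)

// ThirdPartyScripts is the check a daily scan would run: take the page as
// served to a visitor with no consent cookie and list every external script
// host that is not the site itself. The expected result is an empty list.
func ThirdPartyScripts(html, firstPartyHost string) []string {
	var hosts []string
	for _, m := range scriptSrc.FindAllStringSubmatch(html, -1) {
		if m[1] != firstPartyHost {
			hosts = append(hosts, m[1])
		}
	}
	return hosts
}

// Handler wires the consent cookie and the renderer together for net/http.
func Handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, RenderPage(ParseConsent(r)))
}

func main() {
	page := RenderPage(Consent{}) // what a visitor with no consent cookie receives
	fmt.Println("third-party scripts before consent:", ThirdPartyScripts(page, "www.example"))
	http.HandleFunc("/", Handler)
	fmt.Println("listening on :8080")
	http.ListenAndServe(":8080", nil)
}
```

The /consent endpoint that sets the cookie from the form is left out; the point is that the decision to include a third-party tag is made on the server from a cookie the visitor set, not by a script that runs before the banner is answered. Run ThirdPartyScripts in CI against the rendered page so a developer who adds a tag outside the gate fails the build rather than the audit.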
A good cookie banner script is provided by the https://seersco.com/ service. You can also build your own cookie banner based on open-source code examples.

Step 6: Cross-border personal data transfer

On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission (DPC) v. Facebook Ireland, Schrems. That decision invalidates the European Commission's adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013, alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government).

Why is the Schrems II case so important? Data exporters are liable for personal data when performing a cross-border transfer, and the data exporter can be your startup company. Data exporters need to implement supplemental technical measures to prevent governmental authorities in the target countries from identifying the individuals the data pertains to. One of the methods is to get explicit consent from your customers for their personal data to be processed in the US. It is called Standard Contractual Clauses (SCCs). You will need to update your privacy policy with this clause. You can also change your lead generation forms and get explicit user consent for personal data to be processed by, for example, US CRM companies (Salesforce, HubSpot, etc.).

Technical solution

If you change your landing pages, you need to collect consent records. You can use Databunker to store your users' consent, or you can build your own solution to store consent.

Step 7: GDPR-compliant logging

The well-known method of saving application logs turned out to be tricky under the GDPR regulations. In fact, the new regulations define an IP address as a personal identifier. Like other user identifiers, it should be treated with caution. According to GDPR, you have one month to respond to a user forget-me request. This means that you have one month to filter all user-related records out of your log files, for example the log lines carrying the user's IP address.

The simplest solution

You can limit the log retention period to just one month. Customers' older log entries will be removed. This way you do not need to do anything besides a one-time configuration of the log retention period.

Additional methods

Take a look at the following article of mine for more technical solutions: https://www.freecodecamp.org/news/how-to-stay-gdpr-compliant-with-access-logs/ As of today, this article is ranked in the top 4 in Google for the "gdpr logging" search ;-)

Step 8: Prepare to execute user privacy requests

GDPR introduced a number of user rights. Most users will contact you using the privacy email displayed on your privacy policy page. You can also build a form on your website to request personal data, or you can use other commercial tools available, for example Privacybunker solutions.

Brief overview of user privacy requests:
- Right to be informed: users have the right to be informed about how their personal data is used. You have to update your Privacy Policy and Terms of Service pages accordingly.
- Right of access: gives your users the right to obtain a copy of their personal data, as well as other supplementary information.
- Right to rectification: allows your customers to fix any incorrect or incomplete personal data.
- Right to erasure, also called the forget-me right.
- Right to restrict processing: your customers have the right to restrict processing of their personal data.
- Right to data portability: gives your customers the possibility to obtain and reuse their data with another service provider. Basically, you need to return a JSON file with their data to the user.
- Right to object: allows users to file an objection.
- Rights related to automated decision making, including profiling. For example, your users can request human intervention when processing is done automatically (for example by AI).

Technical solutions

Option 1. Choose open-source Databunker. In compliance with the right of access, Databunker can provide your customers with passwordless access to an internal user privacy portal. Inside the portal, your customer can change personal information, ask for account removal, manage and view consents, view history, etc.

Option 2. Privacybunker employs an even simpler method to execute most user requests. Inside the cookie banner, your customers can click on the "Privacy portal" link, and a screen with the options appears. When the user clicks on "Get personal data", the service asks the user to fill in his email address. The user enters his email address and in a second gets a comprehensive personal information report with all the details collected from all services, like MailChimp and HubSpot, and from internal databases: Databunker, MySQL, PostgreSQL, etc.

Option 3. You can build your own solution. It is possible to do it by combining Zapier or similar tools.
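For the logging problem in Step 7, an added example (not the post's code, nor the freeCodeCamp article's) of what treating the IP address as an identifier looks like in practice: a retention window applied when the log is rewritten, removal of lines for an address named in a forget-me request, and masking of the host part of every remaining address so the kept lines no longer single out one subscriber. The log lines are constructed, and the 30-day window, the /24 and /48 masks and the line format are assumptions of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// Constructed sample in the common "combined" access-log shape; not real traffic.
const sampleLog = `203.0.113.42 - - [10/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8:85a3:1234:5678:8a2e:370:7334 - - [15/Feb/2021:11:30:00 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [20/Feb/2021:12:00:00 +0000] "GET /pricing HTTP/1.1" 200 2048
`

const clfTime = "02/Jan/2006:15:04:05 -0700"

// MaskIP truncates an address so it no longer singles out one subscriber:
// IPv4 keeps the first three octets, IPv6 the first 48 bits. Anything that
// is not an address is returned untouched.
func MaskIP(s string) string {
	ip := net.ParseIP(s)
	if ip == nil {
		return s
	}
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String()
	}
	return ip.Mask(net.CIDRMask(48, 128)).String()
}

// Entry is the part of one access-log line that drives the decisions below.
type Entry struct {
	IP   string
	When time.Time
	Rest string // everything after the timestamp, kept verbatim
}

// parseLine splits `IP - - [timestamp] rest`.
func parseLine(line string) (Entry, bool) {
	start, end := strings.Index(line, "["), strings.Index(line, "]")
	if start < 0 || end < start {
		return Entry{}, false
	}
	when, err := time.Parse(clfTime, line[start+1:end])
	if err != nil {
		return Entry{}, false
	}
	fields := strings.Fields(line[:start])
	if len(fields) == 0 {
		return Entry{}, false
	}
	return Entry{IP: fields[0], When: when, Rest: line[end+1:]}, true
}

// Sanitize rewrites a log for GDPR: lines older than the retention window are
// dropped (the post's "simplest solution"), lines from an address named in a
// forget-me request are dropped, and every remaining address is masked.
func Sanitize(log string, now time.Time, retention time.Duration, forget map[string]bool) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		e, ok := parseLine(sc.Text())
		if !ok {
			continue // an unparseable line may hold anything; do not carry it forward
		}
		if now.Sub(e.When) > retention || forget[e.IP] {
			continue
		}
		out = append(out, fmt.Sprintf("%s - - [%s]%s", MaskIP(e.IP), e.When.Format(clfTime), e.Rest))
	}
	return out
}

func main() {
	now := time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC)
	for _, l := range Sanitize(sampleLog, now, 30*24*time.Hour, map[string]bool{"198.51.100.7": true}) {
		fmt.Println(l)
	}
}
```

Masking at write time is the better place for this: a log that never held the full address needs no forget-me filtering at all, and the rewrite shown here is what you run once over logs that already exist. Note that the request line and user agent can identify a person too, so the same retention window has to cover them, which the line-level drop does.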
One of the examples here is that your users can request you to apply human intervention when processing is done in an automatic manner (for example by AI). Technical solutions: Option 1. Choose open-source Databunker. In compliance with right of access, Databunker can provide your customers with passwordless access to the internal user privacy portal. Inside the portal, your customer can perform the following: change personal information, ask for account removal, manage and view consents, view history, etc… Option 2. Privacybunker employs an even simpler method to execute most of the user requests. Inside the cookie banner, your customers can click on the “Privacy portal” link. The following screen with the options appears: When user clicks on “Get personal data” the service asks the user to fill in his email address: The user enters his email address and in a second he gets a comprehensive personal information report that has all details collected from all services like MailChimp, Hubspot, and from internal databases Databunker, MySQL, PostgreSQL, etc…. Option 3. You can build your own solution. It is possible you can do it by combining with Zapier or similar tools. [Less]
Posted over 2024 years ago
Summary

This detailed guide provides step-by-step instructions on how to build GDPR-compliant solutions, so that your European customers can use your business safely. Startup founders will certainly find this guide useful, especially those at the early-stage round. You do not need any technical experience to follow these simple step-by-step instructions. If you run an established business, you will find this guide useful as well.

In this article, I will reference two solutions that I am working on now. One is an open-source secure vault and SDK to store personal records called Databunker (https://databunker.org/). The second one is a privacy automation service called Privacybunker.IO (https://privacybunker.io/).

Why should I care about GDPR?

If your target market is Europe, you are obliged to work by GDPR standards. Following GDPR rules lets you satisfy more customers, which brings you more business opportunities. If you work directly with end users, GDPR compliance will increase your sales. According to the Cisco report, people are asking more questions about how their personal data is being used, and they now view privacy as an important component of a company's brand.

Why is GDPR relevant for small companies?

Non-compliance can result in meaningful fines. Not only Facebook and Google get hefty fines; small companies often turn out to be a target of privacy authorities too. For example, take a look at the decision against PACKLINK SHIPPING: they had to pay €1,200 for cookie violations. The Spanish Data Protection Authority (DPA) fined the website for placing Google Analytics cookies without user consent. More information about this case can be found in the following article.

Step 1: Identify Personal Data

As a first step, you need to identify which personal data you collect, and check that every item you collect is absolutely necessary for your business.
Here is a partial list of records that are considered personal: name, address, RFID, contacts, passport details, IP address, banking info, driving license, genetic info, financial info, cookie info, mobile device ID, personal ID, ethnic info, health / medical data, SSN, political views, and more.

Step 2: Update your Privacy Policy and Terms-of-Service pages

According to GDPR Article 5, personal data shall be "(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')". To comply with the transparency requirement, you need to make sure your service's privacy policy and terms of service are correct and up to date. In addition, in order to make use of personal data (called "processing" in GDPR terms) you need a legal basis for it. Any operation performed on data counts as GDPR processing: for example, generating a list of customers, storing data in a database, fraud analysis, sending out emails, shredding documents, image processing, writing to the audit log, etc. GDPR identifies a number of legal bases, for example consent and contract. Privacy policy and terms of service fall under the contract legal basis.

Generating privacy documents

As a preparation step, make a list of all services you use, for example MySQL, HubSpot, MailChimp, etc. If you are low on budget, you can use one of the online policy generation services: Iubenda (https://www.iubenda.com/), Termsfeed (https://www.termsfeed.com/), Termify (https://termify.io/). You can also find privacy policy experts on Fiverr (https://www.fiverr.com/). Personally I prefer Iubenda, as it allows me to list all 3rd party services that I work with. Here is a partial list I use (screenshot omitted). Storing and updating privacy policy and terms-of-service documents costs me 9 USD per month at Iubenda. If you have a budget, it is better to prepare privacy policy and terms-of-service documents with a professional privacy lawyer.
If you need a privacy compliance specialist, I can recommend working with Vitomir Lučić at [email protected] from Croatia.

Key topics for privacy documents:
Make sure to list all 3rd party services that you use in your privacy policy, for example cloud CRM, email marketing service, advertising tracking tools, etc.
Create a dedicated email address for the person who will handle user requests, like [email protected], and list this address in your privacy policy and terms-of-service documents.
Make sure to list which personal information you store in your internal systems.

Step 3: Personal data protection

Leading GDPR principles are confidentiality and integrity, meaning that security measures have to be applied to protect personal data. Although there are no explicit GDPR encryption requirements, you have to enforce security measures. The GDPR repeatedly highlights encryption and pseudonymization as "appropriate technical and organizational measures" for personal data security, so it is always recommended to encrypt the personal data you store. Encryption also satisfies the "privacy by design" GDPR requirement.

Technical solutions

You can pick a very easy solution: database or disk encryption provided by your cloud provider. Most architects, CTOs and even ISO auditors consider those options an acceptable solution. In my opinion, database and disk encryption can be considered fake security solutions: the data is transparently decrypted for the application, so any SQL injection or any security problem found in your GraphQL layer will dump your customers' personal data in clear text.

You can use the open-source Databunker project to store your customer data. Instead of talking to Databunker with SQL, your backend has to call an API function to retrieve a specific user's details, similar to the API of most NoSQL databases. Databunker does not have an API to fetch all users at once like SELECT *. Databunker encrypts customer records and builds a secure search index for quick user lookup (e.g. by email, token, etc.).
Databunker also supports encrypted session storage. Alternatively, you can build your own solution to encrypt sensitive customer records at the application level.

Step 4: Personal Data Minimization

According to GDPR Article 5, personal data shall be "(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (data minimization) and "(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". What does this actually mean? You need to remove customer data that is no longer needed. You must remove or anonymize users' data for expired trial accounts and for customers who left your service. In the SaaS business, converting 60% of trial accounts to customers is a big success. That means that you still need to remove 40% of the personal data or convert it to an anonymous form.

Example of a data minimization email

The post shows an email received by a job candidate from GitHub. GitHub tells the candidate that his personal data will be removed in 30 days, or the candidate can keep his details on file by pressing "Keep my Data".

So, how to comply? For free trial accounts, when creating a user record in a database, make sure to add the last login date or last access date. If the user does not convert to a paying customer, you can try for a few months to convert him with emails. If that does not work, you need to remove his records from internal databases and from external systems (Mailchimp, Hubspot, etc.). You do not need to wait for a user's forget-me request to remove his records: you have a data minimization GDPR requirement, and you need to remove user details proactively.

Technical solutions

You can use the Privacybunker service to automatically remove user records from different services (Mailchimp, Hubspot, MySQL, PostgreSQL, etc.). You can use the open-source Databunker (https://databunker.org/) project for secure storage of customer records.
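One way to implement the "build your own solution" option for Step 4, as an added example that is not Databunker or Privacybunker code: a scheduled job that finds trial accounts whose last access is older than an assumed 90-day grace period (plus closed accounts), anonymizes them in place, and returns the e-mail addresses that still have to be deleted from external systems. The table layout, sample rows, the fixed "today" and the 90-day policy are constructed assumptions.

```python
"""Proactive data-minimization job for expired trial accounts (GDPR Art. 5(1)(c), (e)).

Added example, not Databunker/Privacybunker code. Assumptions (constructed):
- a `users` table whose last_access column holds an ISO-8601 date,
- a trial counts as expired TRIAL_GRACE_DAYS after its last access,
- anonymized rows are kept only for aggregate statistics; the e-mail list
  returned is what the caller must also delete from Mailchimp, HubSpot, etc.
"""
import sqlite3
from datetime import date, timedelta

TRIAL_GRACE_DAYS = 90  # assumed policy: "a few months" of win-back e-mails, then purge

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT,
    full_name TEXT,
    ip_address TEXT,
    plan TEXT NOT NULL,          -- 'trial' or 'paid'
    status TEXT NOT NULL,        -- 'active' or 'closed'
    last_access TEXT NOT NULL,   -- ISO date, updated on every login / API call
    anonymized INTEGER NOT NULL DEFAULT 0
)
"""

# Constructed sample data; "today" is fixed so the run is deterministic.
TODAY = date(2021, 3, 1)
SAMPLE_USERS = [
    (1, "alice@example.com", "Alice A.", "203.0.113.7", "trial", "active", "2020-10-01", 0),  # stale trial
    (2, "bob@example.com", "Bob B.", "203.0.113.8", "trial", "active", "2021-02-20", 0),      # fresh trial
    (3, "carol@example.com", "Carol C.", "203.0.113.9", "paid", "active", "2020-06-01", 0),   # paying: keep
    (4, "dave@example.com", "Dave D.", "203.0.113.10", "paid", "closed", "2020-01-15", 0),    # left the service
]


def open_sample_db():
    """In-memory SQLite database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)", SAMPLE_USERS)
    conn.commit()
    return conn


def select_expired(conn, today=TODAY, grace_days=TRIAL_GRACE_DAYS):
    """Return (id, email) for records whose personal data is no longer needed:
    trials not accessed within the grace period, and accounts that were closed."""
    cutoff = (today - timedelta(days=grace_days)).isoformat()
    return conn.execute(
        """SELECT id, email FROM users
           WHERE anonymized = 0
             AND ((plan = 'trial' AND status = 'active' AND last_access < ?)
                  OR status = 'closed')""",
        (cutoff,),
    ).fetchall()


def anonymize(conn, user_ids):
    """Irreversibly strip the identifying columns; the row survives only as a counter."""
    conn.executemany(
        """UPDATE users
           SET email = NULL, full_name = NULL, ip_address = NULL, anonymized = 1
           WHERE id = ?""",
        [(uid,) for uid in user_ids],
    )
    conn.commit()


def run_minimization(conn, today=TODAY):
    """One scheduled run: anonymize internally and return the e-mails that still
    have to be removed from external systems (the caller makes those API calls)."""
    expired = select_expired(conn, today)
    anonymize(conn, [uid for uid, _ in expired])
    return sorted(email for _, email in expired)


if __name__ == "__main__":
    db = open_sample_db()
    print(run_minimization(db))  # ['alice@example.com', 'dave@example.com']
```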
Databunker has an internal API to remove expired records. Or you can build your own solution.

Step 5: Cookie banner

You see cookie banners on almost any website these days, and you can find hundreds of examples of them. In reality, most of the cookie banners you see are not GDPR compliant. Here is a list of the most common errors when integrating cookie banners:

1. Placing non-essential cookies before getting user consent. We see a lot of websites including Google Analytics, Facebook Pixel tracking or similar JavaScript URLs that are called before the cookie banner is displayed. Under GDPR, users must first give their consent to advertising or analytics tracking before external services (e.g. from Google or Facebook) are called.

2. Cookie banner with forced acceptance. Displaying a cookie banner with only one button like "Accept" or "Got it" is not legal. It does not give your users a free choice to reject unnecessary cookies.

3. Non-essential cookie groups pre-checked by default. Make sure that non-essential cookie groups are displayed unchecked by default in the advanced cookie settings window. Explicit consent requires a very clear and specific statement of consent.

Going without a cookie banner

You can go the other route and leave your website without a cookie banner. For that, you will need to completely remove all 3rd party services and scripts from your website. More information about this method can be found in the following article: https://github.blog/2020-12-17-no-cookie-for-you/.

Technical solutions

The Privacybunker service comes with a fully GDPR-compliant cookie banner in every plan and has a daily scan service that checks websites for common GDPR pitfalls, including broken cookie banners. A good cookie banner script is provided by the https://seersco.com/ service. You can also build your own cookie banner based on open-source code examples.
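Errors 1 and 3 above on the server side, as an added example rather than Privacybunker's banner or the seersco script: a helper that emits third-party script tags only for the groups the visitor explicitly opted in to, starts every non-essential group unchecked, treats consent given under an older policy version as no consent, and builds the record to store when "Save settings" is pressed. The cookie name, its JSON layout and the script URLs are assumptions.

```python
"""Consent-gated loading of third-party tags (server side).

Added example, not code from the article or its products. Assumptions (constructed):
consent lives in a cookie named "cookie_consent" holding JSON
{"v": <policy version>, "groups": {"analytics": bool, "marketing": bool}};
the script URLs below are placeholders, not real vendor snippets.
"""
import json
from datetime import datetime, timezone

POLICY_VERSION = 3  # bump when the cookie policy text changes: older consent is void

# Non-essential groups and the external scripts they unlock. Nothing here may be
# emitted before the visitor has opted in (error 1 in the list above).
THIRD_PARTY_SCRIPTS = {
    "analytics": ["https://analytics.example/collect.js"],
    "marketing": ["https://ads.example/pixel.js"],
}


def default_choices():
    """Initial state of the settings window: every non-essential group is OFF
    (error 3: pre-checked boxes are not valid consent)."""
    return {group: False for group in THIRD_PARTY_SCRIPTS}


def parse_consent_cookie(raw):
    """Return the consented groups, or the all-off default when the cookie is
    missing, malformed, or was given under an older policy version."""
    choices = default_choices()
    if not raw:
        return choices
    try:
        data = json.loads(raw)
    except (ValueError, TypeError):
        return choices
    if not isinstance(data, dict) or data.get("v") != POLICY_VERSION:
        return choices
    groups = data.get("groups")
    if not isinstance(groups, dict):
        return choices
    for group in choices:
        choices[group] = groups.get(group) is True  # only an explicit JSON true counts
    return choices


def scripts_to_load(raw_cookie):
    """Third-party script URLs allowed for this request; empty on a first visit."""
    urls = []
    for group, enabled in parse_consent_cookie(raw_cookie).items():
        if enabled:
            urls.extend(THIRD_PARTY_SCRIPTS[group])
    return urls


def render_head(raw_cookie):
    """HTML <head> fragment: essential markup always, external tags only with consent."""
    tags = ['<meta charset="utf-8">']
    tags += [f'<script src="{u}"></script>' for u in scripts_to_load(raw_cookie)]
    return "\n".join(tags)


def record_choice(form):
    """Consent record to store (e.g. in Databunker) when "Save settings" is pressed.
    `form` holds the submitted checkbox values; an absent key means unchecked."""
    groups = {g: form.get(g) == "on" for g in THIRD_PARTY_SCRIPTS}
    return {
        "v": POLICY_VERSION,
        "groups": groups,
        "ts": datetime.now(timezone.utc).isoformat(),
    }


def consent_cookie_value(record):
    """Cookie payload derived from a stored consent record."""
    return json.dumps({"v": record["v"], "groups": record["groups"]}, sort_keys=True)
```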
Step 6: Cross-border personal data transfer

On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission (DPC) v. Facebook Ireland, Schrems. That decision invalidates the European Commission's adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies relied to conduct trans-Atlantic trade in compliance with EU data protection rules. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013, alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government).

Why is the Schrems-II case so important? Data exporters are liable for personal data when performing a cross-border transfer, and the data exporter can be your startup company. Data exporters need to implement supplemental technical measures to prevent governmental authorities in the target countries from identifying the individuals the data pertains to. One of the methods is to get explicit consent from your customers for their personal data to be processed in the US. It is called Standard Contractual Clauses (SCCs). You will need to update your privacy policy with this clause. You can also change your lead generation forms and get explicit user consent for their personal data to be processed by, for example, US CRM companies (Salesforce, HubSpot, etc.).

Technical solution

If you change your landing pages, you need to collect consent records. You can use Databunker to store your users' consent, or you can build your own solution to store consent.

Step 7: GDPR compliant logging

The well-known method of saving application logs turned out to be tricky under GDPR. The regulation defines an IP address as a personal identifier, and like other user identifiers it should be treated with caution.
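Treating the client IP address in access logs as a personal identifier, as an added example that is not from the article or its linked post: a filter that masks the host part of each IP, drops entries older than a retention window, and removes the entries of one address to answer a forget-me request. The combined-format log lines and the fixed "now" are constructed; the 30-day window and the /24 (IPv4) and /48 (IPv6) truncation are assumed choices.

```python
"""Access-log hygiene under GDPR: retention window, IP masking, forget-me filtering.

Added example, not from the article or its products. Assumptions (constructed):
nginx/Apache combined log format, IPv4 masked to /24 and IPv6 to /48, and a
30-day retention window as the simplest way to bound how long IPs are kept.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30

# "<ip> <ident> <user> [<time>] <rest of the combined-format line>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<rest1>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest2>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def mask_ip(ip_text):
    """Zero the host part so the address no longer singles out one subscriber."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "0.0.0.0"  # unparsable value: replace it rather than keep unknown data
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def parse_line(line):
    """Return (ip, timestamp, match) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m


def apply_retention(lines, now, retention_days=RETENTION_DAYS):
    """Keep only entries inside the retention window, with their IPs masked."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable line: do not retain data we cannot classify
        ip, ts, m = parsed
        if ts < cutoff:
            continue
        kept.append(f"{mask_ip(ip)} {m.group('rest1')} [{m.group('ts')}] {m.group('rest2')}")
    return kept


def forget_me(lines, subject_ip):
    """Answer an erasure request for one IP: drop every entry recorded for it."""
    target = ipaddress.ip_address(subject_ip)
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            try:
                if ipaddress.ip_address(parsed[0]) == target:
                    continue
            except ValueError:
                pass
        out.append(line)
    return out


# Constructed sample log lines; "now" is fixed so the run is deterministic.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Jan/2021:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Feb/2021:13:55:36 +0000] "GET /pricing HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '2001:db8:1234:5678::1 - - [25/Feb/2021:08:00:00 +0000] "POST /signup HTTP/1.1" 302 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for entry in apply_retention(SAMPLE_LOG, NOW):
        print(entry)
```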
According to GDPR, you have one month to respond to a user's forget-me request. This actually means that you have one month to filter all user-related records out of your log files, for example entries carrying the user's IP address.

The simplest solution

You can limit the log retention period to just one month. Older log entries then get removed automatically. This way you do not need to do anything besides a one-time configuration of the log retention period.

Additional methods

Take a look at the following article of mine for more technical solutions: https://www.freecodecamp.org/news/how-to-stay-gdpr-compliant-with-access-logs/ As of today, this article is in the top 4 of Google's "gdpr logging" search results ;-)

Step 8: Prepare to execute user privacy requests

GDPR introduced a number of user rights. Most users will contact you using the privacy email displayed on your privacy policy page. You can also build a form on your website for requesting personal data, or you can use commercial tools such as Privacybunker.

A brief overview of user privacy requests:
Right to be informed: users have the right to be informed about how their personal data is used. You have to update your Privacy Policy and Terms of Service pages accordingly.
Right of access: gives your users the right to obtain a copy of their personal data, as well as other supplementary information.
Right of rectification: allows your customers to fix any incorrect or incomplete personal data.
Right to erasure, also known as the forget-me right.
Right to restrict processing: your customers have the right to restrict processing of their personal data.
Right to data portability: gives your customers the possibility to obtain and reuse their data with another service provider. Basically, you need to return a JSON file with their data to the user.
Right to object: allows users to file an objection.
The last user right is the right related to automated decision making, including profiling.
One example is that your users can request human intervention when processing is done automatically (for example by AI).

Technical solutions:

Choose open-source Databunker. In compliance with the right of access, Databunker can provide your customers with passwordless access to the internal user privacy portal. Inside the portal, your customer can change personal information, ask for account removal, manage and view consents, view history, etc.

Privacybunker employs an even simpler method to execute most of the user requests. Inside the cookie banner, your customers can click on the "Privacy portal" link. The user enters his email address and in a second he gets a comprehensive personal information report with all details collected from services like MailChimp and Hubspot, and from internal databases such as Databunker, MySQL, PostgreSQL, etc.

You can also build your own solution, possibly by combining it with Zapier or similar tools.
Posted over 2024 years ago
Let's start with the bad news for many European companies. If you use Hubspot CRM, you might break the law. If you use another US CRM, you might break the law. If you use an Indian CRM, you might break the law.

On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission's adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies relied to conduct trans-Atlantic trade in compliance with EU data protection rules.

Why is Schrems-II compliance so important? Data exporters are liable for personal data when performing a cross-border transfer. The data exporter is your company, a CRM service customer. Data exporters need to implement supplemental technical measures to prevent governmental authorities in the target countries from identifying the individuals the data pertains to. In the case of a CRM, this is not possible: you need to save customer details in cleartext. Alternatively, you might get explicit consent from your customers for their personal data to be processed in the US. It is called Standard Contractual Clauses (SCCs).

Suppose you hire someone to collect marketing leads for you, and you now have the list. You now need to contact each person asking for his consent for his details to be saved in the USA (e.g. in Hubspot). I am sure no one is going to do it. No one will bother his potential customers asking for their consent for their personal data to be stored outside the European Union.

For companies using landing pages to collect leads

If landing pages are your only method to collect prospects, you win. You can add a checkbox on your landing pages asking for your customer's consent for his details to be processed by US companies. It must not be pre-checked; otherwise, you break another GDPR rule ;-).

List of European SaaS providers
On the Privacybunker website we maintain a list of European SaaS companies you can work with: https://privacybunker.io/blog/european-cloud-saas-vendors/.
Posted over 2024 years ago
For startup founders from a startup founder ;-)

As a startup founder, you need to think about conversion rates. Better conversion rates mean better business. If you want to target European customers and you are using a CRM service from Silicon Valley, you cannot simply do it without notifying your potential customers. Some privacy experts will tell you it is enough to write about it in your privacy policy. Others will tell you to change your landing page and add a checkbox for your customers to consent to their personal data being processed by the US CRM service. We have another suggestion for you: stick with cloud services provided by European companies. You can simplify your privacy policy and your legal obligations by avoiding personal data transfers out of the European Union, for example from Europe to the USA. To make it really simple, you can do the same as we do: go with European SaaS vendors when choosing your service provider. We decided to build a curated list of European SaaS vendors for you. Many services provide a limited free plan, so it is great for early-stage companies.

Vendor information

Mailjet is a French company. The company was sold to Mailgun (USA). It is a powerful email service provider. It provides an API and SMTP service to send emails as well as regular email marketing/newsletter services. An additional bonus: up to 6000 emails per month are free: https://www.mailjet.com/

Mailerlite is from Vilnius, Lithuania. It is a great email marketing and survey company. An additional bonus: up to 12000 emails per month are free: https://www.mailerlite.com/

An Ireland-based, business-oriented email marketing and survey company. They provide an API for your service. The company recently launched a major privacy initiative called Do Not Track: https://sensorpro.net/dnt . An additional bonus: the freemium plan is free for up to 2,500 subscribers: https://sensorpro.net/

SMS.TO is an easy-to-use SMS gateway.
The service can send messages to WhatsApp and Viber. The company is from Cyprus. It is easy for developers to start working with this service. The company offers a small signup bonus (less than 1 euro) to send out test SMS messages: https://sms.to/

BulkGate is an SMS gateway supporting Viber. The company is registered in the Czech Republic: https://www.bulkgate.com/

Retarus is an international business communication platform offering email, fax, SMS and EDI services. The company has a number of European offices as well as offices in the USA: https://www.retarus.com/

Crisp is an online chat service based in France: https://crisp.chat/. The basic version is free.

Pipedrive CRM, from Estonia: https://www.pipedrive.com/

Capsule CRM, from the UK. This service has plugins for Gmail and has a free plan for small teams: https://capsulecrm.com/

Really Simple Systems CRM is from the UK: https://www.reallysimplesystems.com/

SuiteCRM is an open-source project. You can deploy it on your own servers in the EU: https://suitecrm.com/

Vtiger CRM is an open-source project. You can deploy it on your own servers in the EU: https://www.vtiger.com/open-source-crm/

Do you know a European vendor missing from the list? Contact us at [email protected] and we will add it to the list.
Posted over 2024 years ago
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.

GDPR includes 3 sides in gathering and processing personal data:
A controller is a "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data".
A processor is a "person, public authority, agency or other body which processes personal data on behalf of the controller".
A physical person called the Data Subject, who owns his/her personal data and, under certain rules, gives it to the Controller.

The Controller has to know and control all data given to the Processor at all times. In order for any company and web site to comply with GDPR, web site owners need to define a Cookie Policy and a Privacy Policy and make them visible to any site visitor. That means one should inform all data subjects about what personal info they gather and process, for what purpose, for how long, which third parties will have access to the data, etc. This information is expected to be explained in detail in the Privacy Policy. In that way, the data subject (private person) will have an opportunity to decide whether he/she wants to give consent and exercise a certain relationship with the Controller (company) in case some personal data will be exchanged or given to the Controller to process. In order to check how your personal data is used on a certain site that uses the Privacy Bunker system, one has the following options and functionalities at one's disposal.
The first thing a user sees on the landing page (example: the https://boost.hr/ site) is the Privacy and Cookie notification in the form of a pop-up window. At the bottom of the pop-up window is the option "Customize settings". After clicking it, any user can see which cookies are in use and decide for himself or herself which cookies to allow while visiting this web page. It is important to click "Save settings" once you have decided which types of cookies you will allow to be placed on your device. Below the "Customize settings" option there is another option, "Privacy portal" (in the lower right part of the pop-up window). To check whether this site holds your email address (a drop-down menu offers checks of other personal data as well), you have to tick the check-box confirming that you allow an access code to be sent via a third-party service. In the "Enter email" field you type the email address you want to look up in this site's personal data registry. It is also mandatory to enter the captcha code before clicking LOGIN. Below is an example of the filled-in form just before clicking LOGIN and submitting the request to receive a login code. Note that the links to the Terms and Conditions (Uvjeti korištenja) and Privacy Policy (Politika privatnosti) are visible at all times, as they should be under the GDPR. A new message with the Access Code will arrive at the submitted email address. The following screen shows the correct code entered; the user then needs to click ENTER to access his or her personal profile related to this website. In that way the user enters the Privacy Bunker homepage. The blue ribbon offers a number of options. Below it, Privacy Bunker lists the tools that might contain your data, in this example MailerLite and WordPress, as Boost uses only those tools for newsletter distribution. Other companies might use more tools that handle personal data. If the user chooses the "Profile" option (on the blue ribbon), the option to be forgotten becomes visible.
The screen also shows exactly which data this website uses. If the website uses additional tools, the additional data is listed under the "App Data" option (blue ribbon). Another blue-ribbon option is "Privacy control", where the user can review all consents given and also has an option to "Withdraw consent". If the user chooses "User Requests", all records of requests are shown. If there are none, the system notifies the user that "No matching records found". The profile activity "History" on the blue ribbon shows all of the user's activity records related to this website. Returning to the Privacy Bunker homepage shows several options related to each of the external systems used (in this example MailerLite and WordPress). Another option (blue button) fetches the selected data. If the user chooses "Fetch data" for the MailerLite tool, the following screen shows the report details presented to the user. This testimonial was written by a non-technical person, which shows that even an average internet user can control his or her personal data using the Privacy Bunker tool. Therefore, as General Manager of Boost LLC Croatia, I can fully recommend the Privacy Bunker solution to any company owner or website owner who feels that GDPR compliance on a website is too complicated or too costly. It is not; one just has to let the experts from Privacy Bunker solve your compliance problem. Vitomir Lučić, GM at Boost LLC Croatia
