GDPR Roles

Is Mono a Data Processor?

Mono has no contractual relation with the SMB Customers and is therefore considered a Data Sub-processor. Please see the diagram below for reference.
 

Who is the Data Controller vs. Processor?

The partners of Mono (reselling partners) are Data Processors of their SMB Customers and need to have a Data Processing Agreement (DPA) and a privacy policy in place with their SMB customers who are the Data Controllers. Please see the diagram below for reference.
 

Diagram: GDPR roles in relation to SMB Websites

This diagram outlines Mono's role in GDPR with regard to third-party services (data sub-processors), Mono reselling partners (data processors), the SMB website (data controller) and the website visitors (data subjects).

[Image: GDPR-website-roles-flow-16.png]

Is Mono a Processor of Data in RAI?

With regard to the data of the users in RAI, Mono is the Data Processor of the users in RAI and subject to the DPA and Privacy Policy included in the SaaS agreement. Please get in touch with your Partner Success Manager for more information on the SaaS agreement.

Diagram: GDPR roles in relation to RAI

The diagram below outlines Mono's role with regard to GDPR and the use of the Reseller Admin Interface (RAI):

[Image: GDPR-website-roles-flow-19.png]

 

Privacy Policy & Legal Info

What is the new Privacy Policy Global Data field and how is it applied?

For V5, the Privacy Policy field is a dedicated Global Data field under the legal fields set. Like all Global Data fields, you and/or site owners are able to implement them as you like throughout the website (e.g. on a legal page) and once added they can be updated dynamically from the Global Data area of the editor, via RAI and via the API. For more information, check out the dedicated Global Data Legal text article on Mono Academy.

Can we use the Mono API to do our own mass updates or activate new content en masse?

For those familiar with the Mono API, this can be done. However, we STRONGLY urge our partners to do a detailed analysis of the impact this may have on customer sites beforehand. This action can have severe consequences, and unless the data is very uniform and structured, it can rarely be done to a satisfactory level. We cannot support improper use of the API. Any site restorations required would come at a per-site cost, and we cannot guarantee a timely resolution given the circumstances.

How can Mono help partners update legal pages manually with the tools currently at hand?

In order to ensure that SMB customers are compliant with the upcoming GDPR regulation, we've put together the following information that may help you update your customers' websites, as efficiently as possible with the tools currently available in the Mono Platform:

  1. Ensure that SMB customers have an accurate and updated data privacy policy that outlines what data they collect, how it is stored and what they use it for. 
  2. Ensure that this privacy policy is publicly accessible on the SMB's website, for example via a link in the footer as well as from all form modules on the site. We urge our partners and their SMB customers to add and implement the privacy policy via Global Data legal text fields to ensure consistency and easy management. 
  3. We recommend that you update the cookie consent feature to include a link to the SMB's privacy policy as well. Important Note: For more information, please follow the Mono release notes.

 

How do you recommend going about adding required legal text in a given SMB website?

Typically we see that our partners create legal pages as hidden pages in the page tree structure, that is, they are not visible through the main site navigation. However, most will link to this hidden page via a link in the footer, so that it is available site wide at any point. See for example the bottom right corner of www.monosolutions.com. For more on how to hide pages, read here.

On your legal pages, we recommend you make use of the Global Data Legal Text fields to implement the text on these pages, so future updates can easily be done outside of the editor interface via the API or in RAI. These are also easily linked to in the consent feature of all form modules (to be released soon). We also recommend you update the cookie consent feature to include a link to your legal texts if you have not already done so.

 

Consent

How do I add a consent option to forms on my website?

With the release of GDPR-specific features on Thursday, May 3, it is now possible to add a consent option to the Form module, Mailchimp form module and Email sign up module. For more information on how to implement the consent and where to find documented consent, please check out the dedicated articles on Mono Academy:

Does the Mono Platform support a Double-Opt-In Consent Option?

Yes, the Mono Platform supports a double opt-in (multi opt-in) option on the Email sign up module. The double opt-in must be manually activated by the data controller (SMB) on each individual email sign up form. It can be found under the Settings section of each form.

Can we automatically mass-update the new consent option of our customers' websites?

As the new consent option contains a link to a privacy policy or legal text specific to the SMB website, Mono is unable to offer bulk updates of it, on the advice of our own legal counsel.

 

GDPR APP

What is the GDPR App?

The GDPR App is a tool built into the Mono Platform that will enable the SMB to easily search and extract a log of all data registered on a data subject (website visitor) anywhere on the Mono Platform. Since its release, the GDPR App has been renamed the Personal User Data Report.

Where is the GDPR App made available?

The Personal User Data Report (previously known as the GDPR App) is available for all V5 subscriptions underneath Settings in the editor. For more information on how to use the feature, please see the dedicated article. 

 

Third Party Apps & Code

Who is responsible for the addition of third-party code or applications added to a website built on the Mono platform?

The SMB is always responsible for GDPR compliance as the Data Controller of the website. The Mono Platform has developed functionality to help SMBs gain and document consent when receiving any personal information via native website functionality – e.g. via forms, blog comments, etc. However, Mono cannot control the third-party code or applications that SMBs add to their website. It is up to the SMB to understand the way a third party tracks/collects and treats any personal data. It is also our understanding that the SMB should update their website privacy policy with a list of third parties that they use, what they’re used for and their associated privacy policy links.

Websites built on the Mono platform use a third-party font provider, Google Fonts. Does this affect the privacy of website visitors?

Using Google Fonts does not affect the privacy of website visitors. To the question “What does using the Google Fonts API mean for the privacy of my users?” on https://developers.google.com/fonts/faq Google clearly states:
“No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com, so that your requests for fonts are separate from and do not contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail.”

 

Analytics

Are there any pre-installed website analytics on the Mono platform?

Yes, the Mono Platform has Google Analytics pre-installed in order, for example, to display visitor statistics in the dashboard of the Mono Editor.

What GDPR requirements are there for the pre-installed Google Analytics tags on all sites?

The pre-installed Google Analytics uses session-based cookies to collect information about a user's behavior on the site. As no personally identifiable behavior is recorded, there are no specific GDPR requirements. However, keep in mind there may already be an opt-in or opt-out general cookie policy applicable by law. This answer pertains strictly to GDPR. We wish to reiterate that this pertains to the standard, pre-installed or "out of the box" Google Analytics on Mono sites. If you or your SMB clients add any additional Google Analytics or other cookie-relevant external code to a website, there may be other obligations, on which you need to consult with local counsel.

Are IP addresses in Google Analytics tags implemented on a website built on the Mono Platform anonymized/masked?

The Mono Platform has enabled the anonymization/masking of IP addresses for all Google Analytics Tags implemented on websites built on the Mono Platform.

Does Google store any personally identifiable information from the Google Analytics tags installed on a website?

No, Google does not store any personally identifiable information as outlined in their terms and conditions: https://privacy.google.com/businesses/compliance/

 

Cookies

What Cookies do websites built on the Mono platform use?

Websites built on the Mono Platform use the following types of cookies:

  • CONSENT (gstatic.com) for Google tracking
  • _ga .{domain} for Google tracking
  • _gat .{domain} for Google request rate throttling
  • _gid .{domain} for Google user differentiation
  • site_session {subdomain}.{domain} for PHP Session ID used for session specific interactions (shop, blog, etc)
  • _utmz .{domain} for ga.js cookie usage - See Google Documentation for specifics
  • _utma .{domain} for ga.js cookie usage - See Google Documentation for specifics

None of the above cookies store any personally identifiable information. For more information, please visit: https://developers.google.com/analytics/devguides/...

Can we automatically mass-update and/or mass-activate Cookie Notifications on our customers' websites?

Mono cannot offer to do bulk updates of elements of your websites that contain or link to privacy policies or other legal texts, on the advice of our own legal counsel.

Can I add a Cookie Opt-In/Opt-Out Notification to my website?

The Mono Platform provides the technology to add a cookie opt-in/opt-out option to websites built on the Mono Platform. Please note that it is the responsibility of the SMB (the data controller) to add the cookie consent feature to their website. It will also be possible to add a link to the SMB's data privacy policy. For more information, please see the Mono Academy article.

 

Data

What kind of data does Mono retain on reselling partners' SMB clients?

Mono only acts as a Data Processor for our partners' employee data entered in RAI (email, name and log files). For any purposes for which our partners use RAI for their SMB client information, RAI is simply a part of the Mono Platform. In this scenario Mono is a Data Sub-processor. Partners are responsible for any SMB data they enter into RAI, including deleting it when requested to do so by the SMB.

Where is the data of a website built on the Mono platform stored?

For reselling partners within the European Union (EU), all website data is hosted on servers located within the EU.

Does Mono have access to data collected on SMB websites?

As a data sub-processor, Mono recognizes our ability to access the data being processed by our partners. This is why there are requirements to list sub-processors in Data Processing Agreements (DPA). Mono ensures that SMB customer data is processed only as instructed by the partner, throughout the entire chain of processing activities by Mono and its sub-processors. We recommend you seek local counsel to determine how best to convey this in your DPA with your SMB clients.

How long does Mono store back-up data after a subscription has been terminated? And how do I permanently delete the back-up data upon request from an SMB customer?

After a subscription has been terminated in RAI, a back-up is kept by Mono Solutions for three months before expiring. Should you wish to permanently delete the data before the three months are over, please submit a ticket via the Mono Service Desk and our team will manually delete the data and provide a data deletion receipt. However, please note that the GDPR does not legally require a deletion of back-up data.

Is log data stored from all websites? 

Yes, all log data is stored for 30 days to ensure the security and operation of the Mono Platform. This is a standard practice for all applications on our platform, including websites, and while it does not require the consent of the user, it does require that the user is informed. For more information about the right to retain data for security, please read more: https://gdpr-info.eu/recitals/no-49/.

What log data is stored?

We store date, time, IP address, URL, user agent (browser) and referrer (where the visitor came from). Log data is stored in the following format: [23/Apr/2018:12:43:54 +0000] "GET /robots.txt HTTP/1.1" 200 82 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

Does Mono share user data for re-marketing purposes?

No, Mono does not share user data for marketing or re-marketing purposes.

 

Domains

What changes are happening to domain registration?

Due to GDPR, domain registrars may in some cases now require consent from the site owner to complete a new domain registration. Site owners may therefore receive an email from the domain registrar asking them to give consent before the domain registration is processed. For more detailed information, please see the dedicated Mono Academy article.

What changes are happening to domain transfers? 

Due to GDPR, domain admins will no longer be able to access the AUTH code needed for domain transfers. Domain owners are the only ones who can receive the AUTH code. To send the AUTH code to a domain, please submit a ticket to the Mono Service Desk Team. For more detailed information on this updated domain transfer process, please see these articles on how to transfer-in and how to transfer-away a domain to Mono. 

 

Which Mono webinars cover GDPR? 

We've done several webinars that have given an update on GDPR from a product update viewpoint, as well as more practical tutorials on how to implement GDPR-relevant features on your SMB websites:
January 31 - Product Update (Requires login to Sales Portal) 
March 14 - Product Update (Requires login to Sales Portal)
April 25 - Product Update (Requires login to Sales Portal) 
May 17 - Feature Insights Tutorial 
May 31 - Feature Insights Tutorial
June 14 - Feature Insights Tutorial
