The General Data Protection Regulation (GDPR) has some consequences for website editors. This page sums up the most important issues you need to be aware of as a website editor.
This list is not a full lists of GDPR rules, but just a short overview based on questions websites editors at the UT face regularly.
Personal information may not be retained indefinitely on systems such as WebHare and may only be stored if there is a legal basis (good reason) for doing so. Consequences:
- Content of web forms will eventually be deleted. Only data entered during the past 800 days (two years plus a grace period of 2 months) will be kept in the systems.
- Web statistics (Google Analytics) will be removed after 50 months.
- Customer data stored on University of Twente systems (such as information requests of prospective students through the website) will be removed or anonymized if they have not become students one year following the expected start date.
- If there is no reason for storing something (for example, ‘it is convenient’ is not a good reason), no personal information may be stored.
- You may only ask for information that is strictly necessary. If someone subscribes to a digital newsletter, for example, you may not ask for their postal address. Gender is another personal detail that people are regularly asked to specify but which is often not necessary.
- In general, the University of Twente stores personal information on European systems to safeguard this data. This is why it is not allowed to collect personal information through American services such as Google Forms or Dropbox, or to store data with these services. Refer to the University of Twente Privacy Statement for details and exceptions.
Photos are used extensively on websites. These can fall into the ‘special personal information’ category, for which stricter rules apply.
- Only post passport photos of students and staff after they have given explicit consent. This applies to intranets as well.
- Do not post staff photos on the page in WebHare directly but upload them through People Pages whenever possible. You can do so by using the WebHare who-is-who (people folder). Where individuals included in the main body of text are concerned, you can use our inline components 'person info' and 'person info foldable'. On People Pages > My Profile, staff can indicate whether they want access to their photo to be limited to internal access or not. The WebHare website automatically adopts their settings if you use the WebHare elements just mentioned.
- All websites using the default layout of the University of Twente are provided with a cookie message that offers visitors the option of specifying their preference regarding cookies types they do/do not want to enable using sliders.
- Do you ever use HTML files in WebHare to do your own programming? Please avoid this as much as possible and be aware that if you use elements such as videos that place cookies, we will not be in compliance with the legislation. That is why we recommend always using WebHare’s integrated online editor. If you add videos using the filmstrip button, WebHare ensures the content meets all requirements; visitors who block cookies will only be shown the content after having enabled cookies.
Do you manage a website outside of WebHare, for example for an EU project? We offer integration of the University of Twente cookie message though and API for WebHare sites with own domain name (projectabc.eu) or websites outsite WebHare that are hosted on utwente.nl (osiris.utwente.nl). If you are interested, contact firstname.lastname@example.org.
You may not simply send a mass e-mail to invite people to a conference, for example. When collecting the e-mail addresses of potential customers for a mass e-mail/newsletter later on, you must always ensure that:
- They have given permission to store personal information such as their e-mail addresses.
- They have indicated they want to receive this type of e-mail.
- They have deliberately specified they want to receive something (not a default checkmark) and the text next to the checked box is sufficiently specific.
- Be aware that you are required to record the date on which they have subscribed and the text that was included next to the checked box.
No permission is required for sending transactional e-mails (confirmation of event registration, password retrieval, etc.) since website visitors submit the requests themselves.