Scribd
Upload
43 views1 page

VISCHER Tracking Checklist

1. The document provides a legal checklist for assessing website and app tracking practices. 2. It contains questions about obtaining consent, informing users, limiting data retention, international data transfers, compliance with local laws, and the use of third-party tracking tools. 3. The checklist helps determine if tracking activities are necessary, properly consented to and compliant with privacy laws like the GDPR and ePrivacy Directive.

Uploaded by

Nathan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
43 views1 page

VISCHER Tracking Checklist

1. The document provides a legal checklist for assessing website and app tracking practices. 2. It contains questions about obtaining consent, informing users, limiting data retention, international data transfers, compliance with local laws, and the use of third-party tracking tools. 3. The checklist helps determine if tracking activities are necessary, properly consented to and compliant with privacy laws like the GDPR and ePrivacy Directive.

Uploaded by

Nathan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

Website and App Tracking Project:

.
Start:
You operate a  Responsible:

Legal Checklist
website or app
vacy  Assessor:
for ePri PR
e & GD
Directiv Date:

Applicability: Necessity:
Consent (1):
The website or app (i) is operated in the  Is the activity necessary for the proper 
No Do you obtain consent before No
EU or UK, (ii) targets, or (iii) creates  operation of the website or app (e.g., no 
starting the activity?
profiles of visitors/users in the EU or UK analytics, no marketing, no profiling)?

No
Yes Yes Yes

Method (1): Information: Consent (2):


Do you use any kind of "cookies" when  Do you properly inform users about the  Is the consent statement pre-​selected or 
Yes No Yes
operating your website or app (cookie  tracking and transfer, if any (and if third  pre-​ticked (i.e. the user does not have to 
checker tools can help you find out*)? parties are involved also about them)? actively declare or select it)?

* See, for example, 


https://bit.ly/3UNTr2M and  No Yes No
https://bit.ly/3iU29zg

Method (2): Retention: Consent (3):


Do you collect information that is Do you limit the retention of Is the user clearly and properly informed 
No No
Yes
already stored on the user's device tracking and other information about what the consent is about 
(e.g., data of a local app, a device ID)? gathered to what is necessary? (including any follow-​up data processing)?

No Yes Yes

International transfer (1): Consent (4):


Method (3):
Will personal data be transferred Is the consent obtained separately from 
Do you store any information Yes No No
to a third country without an other consent and any terms & conditions 
on the device of the user?
adequate level of data protection? the user may have to accept?

No Yes Yes

International transfer (2): Consent (5):


Method (4):
Do you have sufficient safeguards for  Is it equally easy to deny consent
Do you otherwise track individual users  No No
Yes
such transfer (EU SCC, TIA) or obtain as to give it and is it presented in
that use your website or app (e.g., using 
valid explicit consent for the transfer? the same manner (i.e. no nudging)?
"fingerprinting" or device IDs)?

No Yes Yes

Method (5): Local Law (1): Consent (6):


Do you let any third party doing anything  Have you checked whether the Can the website or app (or services 
No No No
of the above (e.g., by integrating third  applicable local law has stricter therein) be used without consenting (i.e. 
party tools or code)? or additional requirements***? no "cookie-​wall")?

Yes
Yes / don't know *** See, for instance,  Yes
the "Global Cookie  Switzerland: Use of 
Review" by Bird & Bird:  cookies only requires 
https://bit.ly/3hdYFY2 information, including 
Adequate Controller Agreement: about opt-​out possibility. Consent (7):
Do you have an adequate agreement Is it easily possible to withdraw
Yes No
with the third party that allocates and  Local Law (2): the consent given and is the user 
governs controller responsibilities**? Have you ensured to follow these  informed about it and how?
No
stricter/additional requirements
No / don't know for such activities (if any)? Yes
** For example, Facebook  
and LinkedIn offer a joint  Yes
controller agreement, 
others such as Google rely 
on controller-​controller 
agreements.

Red: Amber: Green:


Not compliant, do not do this until  The local law aspects need If your data processing is otherwise 

adjusted appropriately or a  to be checked. Ask a compliant, your planned activity
specialist has approved this. specialist to do that. is probably, too.

Questions?
[email protected]

Instructions:
Fill out this flowchart for each of your website or app activity separately (e.g., main website,  All rights reserved. May be freely distributed/used unmodified (except for the insertion of contacts in  Version 17.01.2023
product websites, customer apps, other tracking of users). Start at the top left, answer the  the fields). This is information, not legal advice. Authors: David Rosenthal, [email protected]
question, check the answer (for documentation purposes) and follow the arrow to the next  Anna Salm, [email protected]; David Koelliker, [email protected]. Updates: www.rosenthal.ch
question.

You might also like