GDPR Export Description

General Information

The GDPR export contains all collected information/results of the performed GDPR scan(same information as in the Nimbusec compliance monitor).
Information is split in 4 main categories

• Inputs
• Cookies
• Tracker
• [Content] (optional)

All collected information/results were generated before any kind of user interaction with the website was performed  No cookies etc. were accepted when visited the website[except the cookie banner feature was enabled (optional)].

The Excel Document itself contains 5 different data sheets

• Input
• Cookies
• Tracker
• Content (Optional)
• Assets

The "Assets" sheet contains all websites that were scanned for compliance.

Inputs

This section focuses on input forms that handle sensitive data. Our scanner collects all form fields that are present on your web-applications.
Simply put: A complete inventory of all input forms on all domains in scope.

Table fields explained

• Date
  Shows the date when this information was discovered
• Asset
  Indicates the start point that was scanned
• Schema
  Which HTTP schema was used for the scan (HTTP/HTTPS)
• URL
  Shows the exact URL of the detected input form
• Art 9/10 Category
  True shows a violation against this specific case
• Input Name
  Name of the detected input field (parsed from source code)
• Input Category
  Based on the detected input name and input type, an input category is defined Contact data, job, gender, user data, …
• Input ID
  Represents the unique ID of the input field (parsed from source code)
• Input Type
  Shows the type of the detected input field  e.g. text, radio button, select, …
• Placeholder
  Shows, if present, the prepared default text
• Form Target Schema
  Shows the used schema that was used to transmit the provided data
  https -> data encrypted
  potentially http -> transmission schema unsure, please check manually (with e.g. Wireshark
  http -> data unencrypted
• Form Action
  Provides the defined action for the specific form (from source code)

Next steps based on best practices (work package)

• Remove / Update unencrypted forms  https
• Individual website review
• Check if forms are still necessary
• Check if placed input data is needed in the placed context
• Check if provided data is processed / sent outside your organization (third party)
• Check if all provided form data is documented in the privacy policy including the reason why this data is needed

Further Reading

Unencrypted data forms
https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e3385-1-1
https://www.mein-datenschutzbeauftragter.de/blog/datenschutz-auf-websites-warum-die-verschluesselung-von-kontaktformularen-etc-wichtig-ist/
https://gdpr-info.eu/issues/encryption/
https://www.ra-plutte.de/gastbeitrag-warum-sie-ihre-website-auf-https-umstellen-sollten/

Personal Identifiable Information (PII)
https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e2066-1-1

Third Parties
https://www.usp.gv.at/it-geistiges-eigentum/datenschutz/einwilligung.html
https://dsgvo-gesetz.de/themen/auftragsverarbeitung/
https://www.lda.bayern.de/media/veroeffentlichungen/FAQ_Abgrenzung_Auftragsverarbeitung.pdf

Cookies

This section focus on detected cookies of the scanned websites. Since our scanner does not interact with the website, all detected cookies were set before user consent.
-> A full documentation of all set cookies (before user consent) of all scanned web-applications.

Table fields explained

• Date
  Shows the date when this information was discovered
• Asset
  Indicates the start point that was scanned
• Schema
  Which HTTP schema was used for the scan (HTTP/HTTPS)
• URL
  Shows the exact URL of the detected cookieIn case of a manual review, please check this URL
• Name
  Includes the name of the detected cookie
• Value
  Shows the set value of the detected cookie
• Domain
  Shows the domain that sets the detected cookie
• ThirdParty
  Has a direct relation to the Domain column, if the Asset and the Domain is not equal (based on domain level) a third party sets this cookie

Next steps based on best practices (work package)

• Check all detected cookies and classify them as “technically necessary” or not (depends on the application)
• Implement/Update a cookie banner to ensure that all ”non technically necessary” cookies were set after user consent
• Create/Update privacy policy / cookie policy and list all used cookies

Further Reading

https://curia.europa.eu/juris/document/document.jsf;jsessionid=F2A804042CAC4FE3D70A00596C6A76D0?text=&docid=218462&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=1686588
https://www.wbs-law.de/it-und-internet-recht/datenschutzrecht/eugh-cookies-aktive-einwilligung-c-673-17-45473/
https://www.wko.at/branchen/information-consulting/werbung-marktkommunikation/eugh-entscheidung-zu-cookies-und-einwilligung.html
https://www.datenschutz.org/cookies/#die-regelungen-fuer-cookies-innerhalb-der-eu
https://www.lda.bayern.de/media/pm/pm2021_06.pdf

Tracker

This section focuses on internal/external used tracking software. Our scanner analyses the whole network traffic that was triggered by initially visiting the web-application. As a result, all detected requests were triggered before user consent.
-> A complete list of all used tracking technologies of each domain in scope

Table fields explained

• Date
  Shows the date when this information was discovered
• Asset
  Indicates the start point that was scanned
• Schema
  Which HTTP schema was used for the scan (HTTP/HTTPS)
• Category
  All detected tracker will be assigned to a specific category e.g. FingerPrinting, Social Media, …
• Date
  Shows the date when this information was discovered
• Asset
  Indicates the start point that was scanned
• Schema
  Which HTTP schema was used for the scan (HTTP/HTTPS)
• Category
  All detected tracker will be assigned to a specific category e.g. FingerPrinting, Social Media, …

Next steps based on best practices (work package)

• Disable/Remove all events (that process personal user data) that were triggered by initially visiting the website (before user consent)
• Implement (if not present) a user consent banner (e.g. cookie banner)
• Create/Update privacy policy (https://gdpr.eu/privacy-notice/)

Further Reading

https://dsgvo-gesetz.de/themen/auftragsverarbeitung/
https://gdpr.eu/privacy-notice/

Content

This section focus on company specific compliance parts that were individually defined with the project team.
->A full documentation of which domain violates the defined rules

Table fields explained

• Date
  Shows the date when this information was discovered
• Asset
  Indicates the start point that was scanned
• Schema
  Which HTTP schema was used for the scan (HTTP/HTTPS)
• URL
  Shows the exact URL of the checked ressource
• OK
  This flag shows if the rule (in the Rule column) is was violated or not
  true = no violation detected
  false = violation detected
• Rule
  Shows the rule that was checked for the given asset

Next steps based on best practices (work package)

• Analyze individual rule violations of each website(Why was this part not detected?)
• Apply changes to the web-application to meet the company rules