# GDPR Export Description

#### General Information

The GDPR export contains all information and results collected by the GDPR scan (the same information shown in the Nimbusec compliance monitor).  
The information is split into 4 main categories

- Inputs
- Cookies
- Tracker
- Content (optional)

All collected information and results were generated before any user interaction with the website took place. No cookies or similar were accepted when the website was visited, except when the optional cookie banner feature was enabled.

The Excel document itself contains 5 data sheets

- Input
- Cookies
- Tracker
- Content (Optional)
- Assets

The "Assets" sheet contains all websites that were scanned for compliance.

#### Inputs

This section focuses on input forms that handle sensitive data. Our scanner collects all form fields present on your web applications.  
Simply put: **A complete inventory of all input forms on all domains in scope.**

[![image-1650604732806.png](https://docs.nimbusec.com/uploads/images/gallery/2022-04/scaled-1680-/1K7jpIcX7YmeFflQ-image-1650604732806.png)](https://docs.nimbusec.com/uploads/images/gallery/2022-04/1K7jpIcX7YmeFflQ-image-1650604732806.png)

##### Table fields explained

- Date  
    Shows the date when this information was discovered
- Asset  
    Indicates the start point that was scanned
- Schema  
    Which scheme (HTTP or HTTPS) was used for the scan
- URL  
    Shows the exact URL of the detected input form
- Art 9/10 Category  
    True indicates that the field appears to collect data falling under GDPR Art. 9 (special categories of personal data) or Art. 10 (data relating to criminal convictions and offences), i.e. a potential violation for this specific case
- Input Name  
    Name of the detected input field (parsed from source code)
- Input Category  
    Based on the detected input name and input type, an input category is assigned: contact data, job, gender, user data, …
- Input ID  
    Represents the unique ID of the input field (parsed from source code)
- Input Type  
    Shows the type of the detected input field, e.g. text, radio button, select, …
- Placeholder  
    Shows, if present, the prepared default text
- Form Target Schema  
    Shows the scheme used to transmit the submitted form data  
    https -> data encrypted in transit  
    potentially http -> transmission scheme could not be determined from the source, please check manually (e.g. with Wireshark)  
    http -> data transmitted unencrypted
- Form Action  
    Provides the defined action for the specific form (from source code)

##### Next steps based on best practices (work package)

- Remove or update unencrypted forms so that they submit over HTTPS
- Individual website review
- Check if forms are still necessary
- Check if the requested input data is needed in the given context
- Check if provided data is processed / sent outside your organization (third party)
- Check if all provided form data is documented in the privacy policy including the reason why this data is needed

##### Further Reading

**Unencrypted data forms** [https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e3385-1-1](https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e3385-1-1)  
[https://www.mein-datenschutzbeauftragter.de/blog/datenschutz-auf-websites-warum-die-verschluesselung-von-kontaktformularen-etc-wichtig-ist/](https://www.mein-datenschutzbeauftragter.de/blog/datenschutz-auf-websites-warum-die-verschluesselung-von-kontaktformularen-etc-wichtig-ist/)  
[https://gdpr-info.eu/issues/encryption/](https://gdpr-info.eu/issues/encryption/)  
[https://www.ra-plutte.de/gastbeitrag-warum-sie-ihre-website-auf-https-umstellen-sollten/](https://www.ra-plutte.de/gastbeitrag-warum-sie-ihre-website-auf-https-umstellen-sollten/)

**Personal Identifiable Information (PII)**  
[https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e2066-1-1](https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e2066-1-1)

**Third Parties**  
[https://www.usp.gv.at/it-geistiges-eigentum/datenschutz/einwilligung.html](https://www.usp.gv.at/it-geistiges-eigentum/datenschutz/einwilligung.html)  
[https://dsgvo-gesetz.de/themen/auftragsverarbeitung/](https://dsgvo-gesetz.de/themen/auftragsverarbeitung/)  
[https://www.lda.bayern.de/media/veroeffentlichungen/FAQ_Abgrenzung_Auftragsverarbeitung.pdf](https://www.lda.bayern.de/media/veroeffentlichungen/FAQ_Abgrenzung_Auftragsverarbeitung.pdf)

#### Cookies

This section focuses on the cookies detected on the scanned websites. Since our scanner does not interact with the website, all detected cookies were set before user consent.  
**-> A full documentation of all cookies set (before user consent) on all scanned web applications.**

[![image-1650605347170.png](https://docs.nimbusec.com/uploads/images/gallery/2022-04/scaled-1680-/X4HKb55a0PrWEFkA-image-1650605347170.png)](https://docs.nimbusec.com/uploads/images/gallery/2022-04/X4HKb55a0PrWEFkA-image-1650605347170.png)

##### Table fields explained

- Date  
    Shows the date when this information was discovered
- Asset  
    Indicates the start point that was scanned
- Schema  
    Which scheme (HTTP or HTTPS) was used for the scan
- URL  
    Shows the exact URL on which the cookie was detected. In case of a manual review, please check this URL
- Name  
    Includes the name of the detected cookie
- Value  
    Shows the set value of the detected cookie
- Domain  
    Shows the domain that sets the detected cookie
- ThirdParty  
    Derived from the Domain column: if the Asset and the Domain differ (compared at domain level), the cookie is set by a third party

##### Next steps based on best practices (work package)

- Check all detected cookies and classify them as “technically necessary” or not (depends on the application)
- Implement or update a cookie banner to ensure that all “non technically necessary” cookies are set only after user consent
- Create or update the privacy policy / cookie policy and list all used cookies
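The two derived columns described above, Form Target Schema in the Inputs sheet and ThirdParty in the Cookies sheet, can be reproduced when triaging an export into the work packages listed for both sections. The following Python script is an added example and not Nimbusec code; it works on rows as dicts keyed by the documented column names (the rows are constructed sample data, not real scan output) and makes two assumptions the page does not state: a scheme-relative form action (`//host/path`) or a non-http(s) action is what yields "potentially http", and the "domain level" comparison uses the last two host labels without a public suffix list.

```python
"""Triage helpers for the Nimbusec GDPR export (added example, not Nimbusec code).

Rows are dicts keyed by the column names documented on this page. The rows
below are constructed sample data, not real scan output. Loading the Excel
sheets with openpyxl into such dicts is left out so the script runs offline.
"""
from urllib.parse import urljoin, urlsplit


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels for the 'domain level' comparison.

    Assumption: no public-suffix handling (co.uk, com.au, ...); a production
    version should consult the Public Suffix List instead.
    """
    host = host.strip().lower().lstrip(".")  # cookie Domain attributes may start with '.'
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def is_third_party(asset: str, cookie_domain: str) -> bool:
    """ThirdParty column: True when the cookie's Domain and the scanned Asset differ."""
    # The Asset column may hold a bare host or a URL; normalise to a host name.
    asset_host = urlsplit(asset if "//" in asset else "//" + asset).hostname or asset
    return registrable_domain(asset_host) != registrable_domain(cookie_domain)


def form_target_schema(page_url: str, action: str) -> str:
    """Form Target Schema column: 'https', 'http' or 'potentially http'.

    Assumed rule (not documented by the scanner): an absolute action decides by
    its own scheme, an empty or relative action inherits the page scheme, and a
    scheme-relative action ('//host/path') or a non-http(s) action (javascript:,
    mailto:) cannot be judged from the source alone and is reported as
    'potentially http' for manual review.
    """
    action = (action or "").strip()
    if action.startswith("//"):
        return "potentially http"
    scheme = urlsplit(urljoin(page_url, action)).scheme.lower()
    if scheme == "https":
        return "https"
    if scheme == "http":
        return "http"
    return "potentially http"


def triage(input_rows, cookie_rows):
    """Turn Inputs and Cookies rows into the two work-package lists."""
    unencrypted_forms = []
    for row in input_rows:
        target = form_target_schema(row["URL"], row.get("Form Action", ""))
        if target != "https":
            unencrypted_forms.append((row["URL"], row["Input Name"], target))
    third_party_cookies = [
        (row["Name"], row["Domain"])
        for row in cookie_rows
        if is_third_party(row["Asset"], row["Domain"])
    ]
    return {"unencrypted_forms": unencrypted_forms,
            "third_party_cookies": third_party_cookies}


# Constructed sample rows mirroring the Inputs and Cookies sheets.
INPUT_ROWS = [
    {"Asset": "www.example.com", "URL": "https://www.example.com/contact",
     "Input Name": "email", "Form Action": "/contact/submit"},
    {"Asset": "www.example.com", "URL": "http://legacy.example.com/newsletter",
     "Input Name": "email", "Form Action": ""},
    {"Asset": "www.example.com", "URL": "https://www.example.com/jobs",
     "Input Name": "cv", "Form Action": "//forms.example-hr.net/upload"},
]
COOKIE_ROWS = [
    {"Asset": "www.example.com", "Name": "session", "Domain": "www.example.com"},
    {"Asset": "www.example.com", "Name": "prefs", "Domain": ".example.com"},
    {"Asset": "www.example.com", "Name": "uid", "Domain": ".tracker.example-ads.net"},
]

if __name__ == "__main__":
    result = triage(INPUT_ROWS, COOKIE_ROWS)
    for url, name, target in result["unencrypted_forms"]:
        print(f"form field {name!r} on {url} submits via {target}")
    for name, domain in result["third_party_cookies"]:
        print(f"third-party cookie {name!r} set by {domain} before consent")
```

With the sample rows, the newsletter form on the http page and the job form with the scheme-relative action end up in the unencrypted list, while only the `uid` cookie is flagged as third party; the `.example.com` cookie shares the asset's registrable domain and is treated as first party.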

##### Further Reading

[https://curia.europa.eu/juris/document/document.jsf;jsessionid=F2A804042CAC4FE3D70A00596C6A76D0?text=&docid=218462&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=1686588](https://curia.europa.eu/juris/document/document.jsf;jsessionid=F2A804042CAC4FE3D70A00596C6A76D0?text=&docid=218462&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=1686588)  
[https://www.wbs-law.de/it-und-internet-recht/datenschutzrecht/eugh-cookies-aktive-einwilligung-c-673-17-45473/](https://www.wbs-law.de/it-und-internet-recht/datenschutzrecht/eugh-cookies-aktive-einwilligung-c-673-17-45473/)  
[https://www.wko.at/branchen/information-consulting/werbung-marktkommunikation/eugh-entscheidung-zu-cookies-und-einwilligung.html](https://www.wko.at/branchen/information-consulting/werbung-marktkommunikation/eugh-entscheidung-zu-cookies-und-einwilligung.html)  
[https://www.datenschutz.org/cookies/#die-regelungen-fuer-cookies-innerhalb-der-eu](https://www.datenschutz.org/cookies/#die-regelungen-fuer-cookies-innerhalb-der-eu)  
[https://www.lda.bayern.de/media/pm/pm2021_06.pdf](https://www.lda.bayern.de/media/pm/pm2021_06.pdf)

#### Tracker

This section focuses on internally and externally hosted tracking software. Our scanner analyses the complete network traffic triggered by the initial visit to the web application. As a result, all detected requests were triggered **before user consent.**  
**-> A complete list of all tracking technologies used by each domain in scope**

[![image-1650606295391.png](https://docs.nimbusec.com/uploads/images/gallery/2022-04/scaled-1680-/ujPWTTP37T4k92p1-image-1650606295391.png)](https://docs.nimbusec.com/uploads/images/gallery/2022-04/ujPWTTP37T4k92p1-image-1650606295391.png)

##### Table fields explained

- Date  
    Shows the date when this information was discovered
- Asset  
    Indicates the start point that was scanned
- Schema  
    Which scheme (HTTP or HTTPS) was used for the scan
- Category  
    All detected trackers are assigned to a specific category, e.g. fingerprinting, social media, …

##### Next steps based on best practices (work package)

- Disable or remove all events that process personal user data and are triggered by the initial visit to the website (before user consent)
- Implement (if not present) a user consent banner (e.g. cookie banner)
- Create/Update privacy policy (https://gdpr.eu/privacy-notice/)

##### Further Reading

[https://dsgvo-gesetz.de/themen/auftragsverarbeitung/](https://dsgvo-gesetz.de/themen/auftragsverarbeitung/)  
[https://gdpr.eu/privacy-notice/](https://gdpr.eu/privacy-notice/)

#### Content

This section focuses on company-specific compliance checks that were individually defined with the project team.  
**-> A full documentation of which domains violate the defined rules**

##### Table fields explained

- Date  
    Shows the date when this information was discovered
- Asset  
    Indicates the start point that was scanned
- Schema  
    Which scheme (HTTP or HTTPS) was used for the scan
- URL  
    Shows the exact URL of the checked resource
- OK  
    This flag shows whether the rule (in the Rule column) was violated or not  
    true = no violation detected  
    false = violation detected
- Rule  
    Shows the rule that was checked for the given asset

##### Next steps based on best practices (work package)

- Analyze the individual rule violations of each website (why was this part not detected?)
- Apply changes to the web-application to meet the company rules