GDPR Export Description General Information The GDPR export contains all collected information/results of the performed GDPR scan(same information as in the Nimbusec compliance monitor). Information is split in 4 main categories Inputs Cookies Tracker [Content] (optional) All collected information/results were generated before any kind of user interaction with the website was performed  No cookies etc. were accepted when visited the website[except the cookie banner feature was enabled (optional)]. The Excel Document itself contains 5 different data sheets Input Cookies Tracker Content (Optional) Assets The "Assets" sheet contains all websites that were scanned for compliance. Inputs This section focuses on input forms that handle sensitive data. Our scanner collects all form fields that are present on your web-applications. Simply put: A complete inventory of all input forms on all domains in scope. Table fields explained Date Shows the date when this information was discovered Asset Indicates the start point that was scanned Schema Which HTTP schema was used for the scan (HTTP/HTTPS) URL Shows the exact URL of the detected input form Art 9/10 Category True shows a violation against this specific case Input Name Name of the detected input field (parsed from source code) Input Category Based on the detected input name and input type, an input category is defined Contact data, job, gender, user data, … Input ID Represents the unique ID of the input field (parsed from source code) Input Type Shows the type of the detected input field  e.g. text, radio button, select, … Placeholder Shows, if present, the prepared default text Form Target Schema Shows the used schema that was used to transmit the provided data https -> data encrypted potentially http -> transmission schema unsure, please check manually (with e.g. Wireshark http -> data unencrypted Form Action Provides the defined action for the specific form (from source code) Next steps based on best practices (work package) Remove / Update unencrypted forms  https Individual website review Check if forms are still necessary Check if placed input data is needed in the placed context Check if provided data is processed / sent outside your organization (third party) Check if all provided form data is documented in the privacy policy including the reason why this data is needed Further Reading Unencrypted data forms https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e3385-1-1 https://www.mein-datenschutzbeauftragter.de/blog/datenschutz-auf-websites-warum-die-verschluesselung-von-kontaktformularen-etc-wichtig-ist/ https://gdpr-info.eu/issues/encryption/ https://www.ra-plutte.de/gastbeitrag-warum-sie-ihre-website-auf-https-umstellen-sollten/ Personal Identifiable Information (PII) https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e2066-1-1 Third Parties https://www.usp.gv.at/it-geistiges-eigentum/datenschutz/einwilligung.html https://dsgvo-gesetz.de/themen/auftragsverarbeitung/ https://www.lda.bayern.de/media/veroeffentlichungen/FAQ_Abgrenzung_Auftragsverarbeitung.pdf Cookies This section focus on detected cookies of the scanned websites. Since our scanner does not interact with the website, all detected cookies were set before user consent. -> A full documentation of all set cookies (before user consent) of all scanned web-applications. Table fields explained Date Shows the date when this information was discovered Asset Indicates the start point that was scanned Schema Which HTTP schema was used for the scan (HTTP/HTTPS) URL Shows the exact URL of the detected cookieIn case of a manual review, please check this URL Name Includes the name of the detected cookie Value Shows the set value of the detected cookie Domain Shows the domain that sets the detected cookie ThirdParty Has a direct relation to the Domain column, if the Asset and the Domain is not equal (based on domain level) a third party sets this cookie Next steps based on best practices (work package) Check all detected cookies and classify them as “technically necessary” or not (depends on the application) Implement/Update a cookie banner to ensure that all ”non technically necessary” cookies were set after user consent Create/Update privacy policy / cookie policy and list all used cookies Further Reading https://curia.europa.eu/juris/document/document.jsf;jsessionid=F2A804042CAC4FE3D70A00596C6A76D0?text=&docid=218462&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=1686588 https://www.wbs-law.de/it-und-internet-recht/datenschutzrecht/eugh-cookies-aktive-einwilligung-c-673-17-45473/ https://www.wko.at/branchen/information-consulting/werbung-marktkommunikation/eugh-entscheidung-zu-cookies-und-einwilligung.html https://www.datenschutz.org/cookies/#die-regelungen-fuer-cookies-innerhalb-der-eu https://www.lda.bayern.de/media/pm/pm2021_06.pdf Tracker This section focuses on internal/external used tracking software. Our scanner analyses the whole network traffic that was triggered by initially visiting the web-application. As a result, all detected requests were triggered before user consent. -> A complete list of all used tracking technologies of each domain in scope Table fields explained Date Shows the date when this information was discovered Asset Indicates the start point that was scanned Schema Which HTTP schema was used for the scan (HTTP/HTTPS) Category All detected tracker will be assigned to a specific category e.g. FingerPrinting, Social Media, … Date Shows the date when this information was discovered Asset Indicates the start point that was scanned Schema Which HTTP schema was used for the scan (HTTP/HTTPS) Category All detected tracker will be assigned to a specific category e.g. FingerPrinting, Social Media, … Next steps based on best practices (work package) Disable/Remove all events (that process personal user data) that were triggered by initially visiting the website (before user consent) Implement (if not present) a user consent banner (e.g. cookie banner) Create/Update privacy policy (https://gdpr.eu/privacy-notice/) Further Reading https://dsgvo-gesetz.de/themen/auftragsverarbeitung/ https://gdpr.eu/privacy-notice/ Content This section focus on company specific compliance parts that were individually defined with the project team. ->A full documentation of which domain violates the defined rules Table fields explained Date Shows the date when this information was discovered Asset Indicates the start point that was scanned Schema Which HTTP schema was used for the scan (HTTP/HTTPS) URL Shows the exact URL of the checked ressource OK This flag shows if the rule (in the Rule column) is was violated or not true = no violation detected false = violation detected Rule Shows the rule that was checked for the given asset Next steps based on best practices (work package) Analyze individual rule violations of each website(Why was this part not detected?) Apply changes to the web-application to meet the company rules