UN websites and GDPR

[Alex Faundez]

Greetings, GWG members!

Are UN websites (especially those that use Google Analytics) subject to the GDRP?

If you're a UN agency based in Switzerland, do you need to add a GDPR warning to your website?

I did some research but couldn't come up with anything conclusive, so any help would be greatly appreciated.

Thank you!

Alex Faundez

[Genc Kastrati]

Hi Alex,

 

Good question! It is one for the lawyers as every organization needs to assess the risk and compliance and decide. Language added to the directive later states IOs are subject to GDPR, but of course it is a bit more complicated. The relationship between the IO and EC is also important here. Voila an article that might be useful:

https://iapp.org/news/a/eu-gdpr-applicability-to-international-organizations/

 

At the Global Fund we’ve implemented GDPR on our website in the stricter sense because I believe it is the right thing to do, and also because it is important to provide the option of not-tracking to visitors. Visitors should own the data and be aware of how it will be used. It is also important not to force them to accept cookies, or make it complicated. Anyone can browse the website without any hindrance if they don’t accept cookies.

 

GDPR compliance has also been expanded to other platforms and we’ve had numerous deletion requests already. These requests were processed in compliance with GDPR.

 

My own opinion is that IOs already enjoy a lot of privileges and should be an example of protecting personal data, something many companies abuse.

 

Merci!
Genc

 

Genc Kastrati Lead, Web Team Web Team Communications Department External Relations and Communications   M: +41794683971 (no sms or WhatsApp) T: +41587911540 genc.k...@theglobalfund.org theglobalfund.org

 

From: geneva-w...@googlegroups.com <geneva-w...@googlegroups.com> On Behalf Of Alex Faundez
Sent: Wednesday, 3 August 2022 10:33
To: Geneva Web Group <geneva-w...@googlegroups.com>
Subject: {GWG: 3095} UN websites and GDPR

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

--
The Geneva Web Group is a Community of Practice for Internet professionals. Informal meetings are held in Geneva, Switzerland 3-4 times per year.
---
You received this message because you are subscribed to the Google Groups "Geneva Web Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to geneva-web-gro...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/geneva-web-group/633b3634-7bae-4c84-9898-52d351b837a0n%40googlegroups.com.

[Andy Pattison]

Hi Genc:

My understanding is that it is not applicable to the UN.

"The European Data Protection Board recognises that the GDPR is not applicable to UN-System organizations, and that the application of the GDPR to private entities providing services to international organizations may require some adjustments."

more info here:  https://edpb.europa.eu/sites/default/files/files/file1/edpb_letter_out2020-0109_un.pdf

All the best

Andy 

To view this discussion on the web, visit https://groups.google.com/d/msgid/geneva-web-group/PH0PR07MB84783F98DC3732CF13F8F61FE79C9%40PH0PR07MB8478.namprd07.prod.outlook.com.

[Dominique Chantrel]

Alex,

Comme d'habitude, on est United Nations supranational donc pas soumis
à cela (sauf si on le veut).
Mais pour une bonne pratique, je te conseille de l'être.

En tout cas c'est ce qu'on essaye de faire à TRAINFORTRADE
(tft.unctad.org). Mais je ne pense pas que tu trouveras un texte dans
ce sens.

Dom .-)

[Peter Hall-Jones]

Same question!

The law seems really unclear. Does the nation where the website is hosted make a difference? Or is it based on the nation where the organisation is legally based? I note that the WHO website has no homepage message but the ILO one does.

--

The Geneva Web Group is a Community of Practice for Internet professionals. Informal meetings are held in Geneva, Switzerland 3-4 times per year.
---
You received this message because you are subscribed to the Google Groups "Geneva Web Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to geneva-web-gro...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/geneva-web-group/633b3634-7bae-4c84-9898-52d351b837a0n%40googlegroups.com.

--

Peter Hall-Jones

+64 020 4161 3506 

Skype: peter.hall-jones

[Genc Kastrati]

Thank you Andy,

 

That letter was quite a fun read 😊 I admit it was very difficult to understand it. Regarding the quote you included, I did not see it in the document (failed to find it elsewhere), would you have the source please? Am asking because in the EDPB link it states the following:

 

“In its guidance1, the European Data Protection Board has also clarified that the application of the GDPR is without prejudice to the provisions of international law, such as the ones governing the privileges and immunities of international organizations. At the same time, this guidance highlights that entities subject to the GDPR that exchange personal data with international organizations have to comply with the GDPR, including its rules on international transfers (Chapter V of the GDPR).”

 

I believe that the UN system is indeed exempt, also because there are no mechanisms to enforce compliance (EC can’t fine the UN). This might not be the case for all international organizations in Geneva, some of which are Swiss Foundations legally-speaking. In any case, I know this was not the question Alex asked initially, I do believe however that being in clear violation of GDPR and other similar legislation, does carry some reputational risk for orgs/missions/agencies.

 

Thank you!
Genc

 

Genc Kastrati Lead, Web Team Web Team Communications Department External Relations and Communications   M: +41794683971 (no sms or WhatsApp) T: +41587911540 genc.k...@theglobalfund.org theglobalfund.org

 

[Alex Faundez]

Hi All,

Thanks for your input to this tricky discussion. I'm asking specifically about a UN agency (not an international organization as this to me is a broader definition and also includes non-UN entities with different legal status).

Here's an excerpt of a discussion I had with WMO's legal team:

Q: Do you know if GDPR applies to UN websites, and in particular our websites?

Legal: As a general point if the data is collected, stored and processed by us then we are not subject to GDPR. If the data is collected, stored and processed by a third party then these partners may well be subject to the data protection regulations.

Q: Follow-up question: we use Google Analytics, a free Google service to track user behavior on our websites. Our data is “shared” on their platform, but we’re the only ones using it. Does Google qualify as third-party?

Legal: If Google is processing our data then it is subject to GDPR if the processing is based in the EU or the data derives from the EU. The issue here is that the data is not subject to immunity but rather the entity.

I'm not a legal expert, and I was really hoping to find a straightforward answer to be honest :-)

Alex Faundez

Information Architecture, Content Strategy, Content Design
faunde...@gmail.com 

Skype: alex.faundez

To view this discussion on the web, visit https://groups.google.com/d/msgid/geneva-web-group/PH0PR07MB8478D73EE97979ED756DFB8FE79F9%40PH0PR07MB8478.namprd07.prod.outlook.com.

[Anna]

Hi,

It's a bit of a grey area, you're not really obliged to follow GDPR rules (regardless of hosting country), but it doesn't hurt to do it anyway as best practice. For UN secretariat sites, a link to the Privacy Notice - https://www.un.org/en/about-us/privacy-notice - has to be included in the footer anyway, and should cover your bases if all you're using is Google Analytics. Other agencies seem to do something similar with their own privacy statements. If you're using social media cookies or something else tracking identifiable data, then it's nice to give users the option. 

Thanks,

Anna