Brizy Cloud is not GDPR compliant?

Smo Mo

• October 18, 2022 10:00
• Edited

Hi, I know there are a lot of posts about this issue but I read almost all of them and I still have a question. 

I'm building a website for a client and I relied on your statement: 

"Brizy Cloud is fully GDPR compliant, we don't set or store any data nor set any cookies tracking or otherwise by default."
https://support.brizy.io/hc/en-us/articles/360050041371-Is-Brizy-Cloud-GDPR-compliant-

But it looks to me that this statement is not true. Please correct me if I'm wrong.

You can check it out for yourself. I create a very simple site with just an image an a text. 

https://simple-test.brizy.site/

I tested this website with the service you recommends: https://www.cookiebot.com/
And the scan results show: this website is NOT conform. 

It's the popup problem (6 Popup statistics cookies) we can read about in this Help center. 

I know I could probably use the CookieBot Script in my header to fix this, but my question is this: "are you not wrong by saying that Brizy Cloud is fully GDPR compliant?"

I don't wanna call you liers, I really like your easy peasy way of designing a website. I love it. But my client needs to have a website which is fully GDPR compliance, and I picked you based on your promise. 

 

But it gets worse and more complicated. 

My client needs a multilingual website. And I picked your service because you just launched this feature. BUT it makes the GDPR problem even worse. 

 

I create another website to prove my point: 
https://multilingual-test.brizy.site/

This website also only has a image in a text but it has the translation feature. 

It says: NOT compliant.

- Prior consent on other than strictly necessary cookies (ePR)

AND ALSO:

- Personal data is transmitted to 'adequate countries' only (GDPR)"

 

The problem here is: my client Website has 21 pages and around 5 custom post. But the website is translated in 4 languages. So Cookiebot is saying that I have over 100 pages. 

 

The only solution I see is that I pay €12 / Month to Cookiebot so that I can have a fully GDPR compliant website. Please update your statement or explain to me how to fix this. I didn't calculate this in my budget because I relayed on your promise. 

I found Brizy Cloud just recently and I love your CMS but I might need to move my current and also all future clients away from you because I work in Germany. 

0

• 

  KC George

  • October 18, 2022 10:07
  • Edited

  Hi

  Please have a look at these GDPR compliance reports of your websites

  • https://2gdpr.com/824009566
  • https://2gdpr.com/142959702

  Please also look at this article for what data Brizy stores about users. https://support.brizy.io/hc/en-us/articles/7421688586385-What-cookies-does-Brizy-store- 

  These are the key points about the data that Brizy Cloud collects about its users.

  • Brizy does not use cookies; instead it uses :Local Storages. Some information about user's behavior on the website is stored locally on the user's browser. This user data is not transferred to any server what so ever on the planet. Read more about Local Storages here. https://www.xenonstack.com/insights/local-vs-session-storage-vs-cookie
  • As as per the GDPR definition of personal data, the information about the user that Brizy Cloud collects cannot be categorized as personal. https://gdpr.eu/eu-gdpr-personal-data/  
  • Since Brizy Cloud does not collect personal data and the data collected is not transferred it to any server, it is inherently GDPR compliant

  Unfortunately, Cookiebot misrepresents information about Brizy local storages in their compliance reports. We had worked with Cookiebot to clean up the errors about Brizy local storages in their database. They have cleaned up around 80% of the errors. Remaining errors continue to show up in their compliance reports.

  Please also note that prior consent on other than strictly necessary cookies is not a GDPR requirement. It is an ePR requirement.      

  

  0
• 

  Smo Mo

  • October 18, 2022 11:00

  Thanks George for the very thorough and quick response. 

  So you're saying that Brizy Cloud is indeed GDPR compliant and I can ignore the 2 error messages: 

  • Prior consent on other than strictly necessary cookies (ePR)
  • Personal data is transmitted to 'adequate countries' only (GDPR)

  from Cookiebot can be ignored as long as the report is talking about the 6 Statistic cookies and the 1 unclassified cookie?

  Those are the errors Cookiebot is cleaning up? 

   

  Or are you saying the ePR message:

  • Prior consent on other than strictly necessary cookies (ePR)"

  can NOT be ignored because it's not an error from Cookiebot? 

  If not: do those 6 or 7 cookies (which are by default on each Brizy Cloud website) force me to create a Cookie Banner. But I did embed the CookieYes script on this page (just a test): 
  https://dsgvo-test.brizy.site/

  and CookieBot still gives me still the error message: 

  - "Prior consent on other than strictly necessary cookies (ePR)" So what am I doing wrong?

  

   

  Or is this not your problem because you don't claim to be ePR compliant (and ePR doesn't fall under the GDPR compliance)?

   Sorry, I'm a bit confused. I'm trying my best to understand the situation. Thanks for your help!

  0
• 

  KC George

  • October 18, 2022 15:57

  Hi 

  Let me elaborate what I mean here

  Please also note that prior consent on other than strictly necessary cookies is not a GDPR requirement. It is an ePR requirement.      

  Let's say that a Brizy Cloud website does not take prior consent on other than strictly necessary cookies. This would make the website ePR non compliant, but it can still be GDPR compliant. If you are primarily concerned about GDPR compliance, ePR non compliance should not be a concern for you? 

  0
• 

  Smo Mo

  • October 19, 2022 10:03

  Ok thanks for your help. I still have a couple more questions:

  So it is a fact that Brizy Cloud is fully GDPR compliant "out of the box"? And as long as I don't embed my own 3rd party scripts (like YouTube) I don't have to worry about GDPR compliance?

   

  And on the ePR compliance topic: 

  Let's say that a Brizy Cloud website does not take prior consent on other than strictly necessary cookies.

  So Brizy Cloud is not "out of the box" ePR compliant - correct?  
  Shouldn't CookieYes or CookieBot fix this problem? 
  As I said: I embedded the CookieYes script - why isn't it working?
  https://dsgvo-test.brizy.site/

  0
• 

  KC George

  • October 20, 2022 04:40

  Hi 

  There could be other aspects of GDPR compliance that you may need to take care. For example, having a well drafted privacy policy, a cookie policy document etc. There is a popular perception in Germany that a website that sends requests to any third party server before prior consent violates GDPR. This perception became prevalent after the Munich judgement on Google Fonts. If your client has this perception, you may want to ensure that no request goes to external servers. (This would violate GDPR only if the third party server captures and stores the user's IP address or any other personal data. Prior consent is not a requirement when the third party server does not capture/store user's personal data)

  In Brizy Cloud, the local storages get stored in user's browser irrespective of the consent. If you categorize the Brizy Local storages as other than strictly necessary, you need consent before storing those in user's browser. Hence even if you use a consent script, Brizy Cloud could be ePR non compliant if Brizy Local storages are categorized as other than strictly necessary. 

  0
• 

  Smo Mo

  • October 21, 2022 13:28

  I'm sorry, I feel like you are doing a great job but I can't completely follow you. 

  You said earlier: 

  Since Brizy Cloud does not collect personal data and the data collected is not transferred it to any server, it is inherently GDPR compliant. 
  Unfortunately, Cookiebot misrepresents information about Brizy local storages in their compliance reports. 

  Let me only ask two questions, because I really want to understand it so that I can use Brizy Cloud with confidence.  

  When I understand you correctly, you're saying that "Brizy Cloud is fully GDPR compliant" but there is still something I need to do to make sure I'm on the safe side. Like a well-drafted privacy policy etc. 

  My scenario is: I wanna use the multi-language feature from Brizy Cloud, embed YouTube videos, no Google Maps or any other embedded script. I do use the CookieYes script in the header to have a Cookie Popup and I will have a well-drafted privacy policy statement.

  1. What do I need to do to have a DSGVO conform Brizy Cloud website? Could you give me a list?  
  2. What do I need to do to have an ePR conform Brizy Cloud website?

  Check out my test site: https://dsgvo-test.brizy.site/de/

  It still says: "Personal data is transmitted to 'adequate countries' only (GDPR)". Can I ignore this statement because CookieBot is wrong? 

  0
• 

  KC George

  • October 21, 2022 13:58

  Hi 

  Please refer to these articles on GDPR and ePrivacy checklist for websites

  1. https://www.cookieyes.com/blog/gdpr-checklist-for-websites/
  2. https://termly.io/resources/articles/legal-requirements-for-websites/

  Like I have mentioned earlier, Brizy Cloud does not use cookies. Instead it uses local storages. Hence no data is transmitted to 'adequate counties'  or 'inadequate countries'. The data collected stays in the user's browser.

  1

Please sign in to leave a comment.