Data Protection FAQs
Consent & Record-Keeping
Q: What consent records do I legally need to maintain?
A: Under both GDPR and Swiss nFADP, you must maintain comprehensive consent logs that can withstand regulatory scrutiny.
Required Consent Data Points:
Essential Records (Legal Minimum):
✅ User identifier (pseudonymized acceptable)
✅ Timestamp with timezone
✅ Specific services/purposes consented to
✅ Method of consent (banner, form, API call)
✅ Evidence of consent mechanism (banner version/text)
✅ Consent withdrawal history
✅ IP address (for fraud detection - can be partially anonymized)
biskoui Consent Log Example:
```jsonc
{
  "consentEvent": {
    "id": "consent_1a2b3c4d5e6f",
    "userId": "usr_pseudonymized_abc123",
    "timestamp": "2023-09-15T14:30:00.000Z",
    "timezone": "Europe/Zurich",
    "method": "consent_banner",
    "bannerVersion": "v2.1.3",
    "ipAddressHash": "sha256:1a2b3c...", // Privacy-preserving
    "userAgent": "Mozilla/5.0 (truncated for privacy)",
    "granularChoices": {
      "analytics": {
        "consented": true,
        "services": ["google-analytics-4", "hotjar"],
        "legalBasis": "consent_art6_1a_gdpr"
      },
      "marketing": {
        "consented": false,
        "services": [],
        "legalBasis": null
      },
      "functional": {
        "consented": true,
        "services": ["language-preference", "shopping-cart"],
        "legalBasis": "legitimate_interest_art6_1f_gdpr"
      }
    },
    "evidencePreservation": {
      "bannerText": "We use cookies and similar technologies...",
      "privacyPolicyVersion": "v3.2",
      "language": "en-CH",
      "choices": ["Accept All", "Reject All", "Customize"]
    }
  }
}
```
Q: How long must I retain consent records?
A: Retention periods vary by jurisdiction and purpose:
| Jurisdiction | Minimum Retention | Recommended | Legal Basis |
|---|---|---|---|
| Switzerland (nFADP) | No specific requirement | 3 years | Statute of limitations |
| EU (GDPR) | As long as processing continues | 3-7 years | Regulatory enforcement periods |
| Germany | 3 years | 6 years | HGB commercial code |
| France | 3 years | 3 years | CNIL guidance |
biskoui Retention Policy:
Consent Log Retention:
✅ Active consents: Retained while processing continues
✅ Withdrawn consents: 3 years minimum (audit defense)
✅ Expired consents: 1 year after expiration
✅ Disputed consents: 7 years (litigation protection)
Q: What happens if users don't interact with my consent banner?
A: No interaction = No consent. This is fundamental under both GDPR and Swiss law.
Legal Compliance Actions:
❌ Don't Do:
• Assume consent after timeout
• Use "continued browsing" as consent
• Set analytics/marketing cookies automatically
• Process personal data without legal basis
✅ Must Do:
• Only load strictly necessary cookies
• Block non-essential third-party scripts
• Show banner on every visit until interaction
• Respect "Do Not Track" browser signals
• Document the no-consent scenario
Implementation Example:
```javascript
// ✅ Compliant: No tracking without explicit consent
if (!biskoui.consent.hasConsent('analytics')) {
  // Block Google Analytics, Hotjar, etc.
  console.log('Analytics blocked - no user consent');
} else {
  // Load analytics only after consent
  gtag('config', 'GA_MEASUREMENT_ID');
}

// ✅ Always allowed: Strictly necessary functionality
sessionStorage.setItem('cart', JSON.stringify(cartItems));
```
Q: Can I use legitimate interest instead of consent?
A: GDPR: Yes, but with strict conditions. Swiss nFADP: Not explicitly recognized - consent is safer.
Legitimate Interest Assessment (GDPR Art. 6(1)(f)):
Three-Part Test:
- Purpose Test: Is the processing necessary for a legitimate interest?
- Necessity Test: Is the processing necessary to achieve that interest?
- Balancing Test: Do user rights outweigh your legitimate interests?
✅ Commonly Accepted Legitimate Interests:
• Fraud prevention and security
• Network and information security
• Basic website analytics (anonymized)
• Employee monitoring (with transparency)
• Direct marketing to existing customers
❌ Rejected Legitimate Interests:
• Behavioral advertising to new users
• Cross-site tracking for marketing
• Data sales to third parties
• Profiling for credit decisions
Documentation Requirements:
Legitimate Interest Assessment - Example
Purpose: Basic website analytics to improve user experience
Necessity: Required to identify broken pages and optimize performance
Processing: Google Analytics with IP anonymization enabled
User Impact: Minimal - no profiling or cross-site tracking
Safeguards: Data retention limited to 14 months, anonymization active
Balancing: User rights do not override operational necessity
Conclusion: Legitimate interest established under GDPR Art. 6(1)(f)
Q: What audit trails do regulators expect?
A: Regulators expect complete, tamper-proof audit trails that demonstrate compliance over time.
Audit Trail Components:
- Consent Lifecycle Documentation
Required Audit Elements:
✅ Consent collection evidence
✅ Consent withdrawal handling
✅ Data subject rights responses
✅ Privacy policy evolution
✅ System configuration changes
✅ Data breach incident reports
✅ Staff training records
✅ Vendor due diligence documents
- Technical Implementation Evidence
System Audit Logs:
✅ Cookie/script loading decisions
✅ Data processing triggers
✅ Cross-border transfer logs
✅ Data retention/deletion events
✅ Security incident responses
✅ Access control changes
- biskoui Compliance Dashboard
Real-Time Compliance Monitoring:
✅ Consent rate trends by category
✅ Geographic compliance status
✅ Data subject rights request handling
✅ Third-party service audit status
✅ Privacy policy synchronization
✅ Regulatory change impact assessment
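One way to make a consent log tamper-evident is to chain each entry to the hash of the one before it, so that an edited, reordered or removed entry fails verification. This is an added example, not biskoui's implementation; the function names and the `type` and `category` fields are assumptions, and the sample events are constructed.

```javascript
const crypto = require('node:crypto');

// Deterministic JSON: keys are sorted so the same event always hashes the same.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

const GENESIS = '0'.repeat(64); // fixed predecessor of the first entry

function entryHash(prevHash, event) {
  return crypto.createHash('sha256')
    .update(prevHash + '\n' + canonical(event)).digest('hex');
}

function appendEvent(log, event) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { event, prevHash, hash: entryHash(prevHash, event) };
  log.push(entry);
  return entry;
}

// Returns -1 when the chain is intact, otherwise the index of the first
// entry whose link or content no longer matches its recorded hash.
function verifyLog(log) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.prevHash !== prev || e.hash !== entryHash(prev, e.event)) return i;
    prev = e.hash;
  }
  return -1;
}

// Constructed sample: three events for one pseudonymized user.
function demo() {
  const log = [];
  const base = { userId: 'usr_pseudonymized_abc123', category: 'analytics' };
  appendEvent(log, { ...base, id: 'consent_0001', type: 'granted', timestamp: '2023-09-15T14:30:00.000Z' });
  appendEvent(log, { ...base, id: 'consent_0002', type: 'withdrawn', timestamp: '2023-10-01T09:00:00.000Z' });
  appendEvent(log, { ...base, id: 'consent_0003', type: 'granted', timestamp: '2023-11-20T16:45:00.000Z' });
  const before = verifyLog(log);
  log[1].event.type = 'granted'; // simulate a later edit to the withdrawal record
  return { before, after: verifyLog(log) };
}
```

A chain like this shows that tampering happened but does not prevent it: anyone able to rewrite the whole log can recompute every hash, and a truncated tail still verifies. Store the latest hash somewhere the log writer cannot modify so that both cases become detectable.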
Privacy Policy & Disclosure Requirements
Q: What must I include in my privacy policy?
A: Privacy policies must provide clear, comprehensive disclosure of all data processing activities.
Mandatory Disclosure Elements:
| Requirement | GDPR Article | Swiss nFADP | Example |
|---|---|---|---|
| Controller Identity | Art. 13(1)(a) | Art. 19(1) | "Acme Corp, Bahnhofstrasse 1, 8001 Zurich" |
| Processing Purposes | Art. 13(1)(c) | Art. 19(2) | "Website analytics to improve user experience" |
| Legal Basis | Art. 13(1)(c) | Art. 19(2) | "Consent (GDPR Art. 6(1)(a))" |
| Data Categories | Art. 13(1)(c) | Art. 19(2) | "IP addresses, browser information, page views" |
| Recipients | Art. 13(1)(e) | Art. 19(3) | "Google (Analytics), Hotjar (Heatmaps)" |
| Retention Periods | Art. 13(2)(a) | Art. 19(4) | "Analytics data: 26 months, Marketing: 2 years" |
| Data Subject Rights | Art. 13(2)(b) | Art. 19(5) | "Access, rectification, erasure, withdrawal" |
| Transfer Countries | Art. 13(1)(f) | Art. 19(3) | "USA (Google), EU (Hotjar)" |
Q: How should I reference biskoui in my privacy policy?
A: Reference biskoui as your consent management platform with clear technical details.
Privacy Policy Section - Consent Management:
```markdown
## Cookie and Consent Management

We use biskoui, a Swiss-based consent management platform, to:
- Obtain and record your cookie preferences
- Manage your data processing consents
- Ensure compliance with Swiss and EU data protection laws

**biskoui Data Processing:**
- **Data Controller:** [Your Company Name]
- **Data Processor:** biskoui AG, Switzerland
- **Data Processed:** Consent choices, timestamps, anonymized interaction data
- **Storage Location:** Swiss data centers only
- **Retention Period:** 3 years for audit compliance
- **Legal Basis:** Consent (GDPR Art. 6(1)(a)) or Legitimate Interest (compliance)

**Your Consent Rights:**
- View your current consent choices: [Link to consent center]
- Withdraw consent anytime: [Link to consent withdrawal]
- Download your consent history: [Link to data export]

For technical questions about consent processing, contact: privacy@[yourdomain].com
For biskoui-specific questions, visit: https://biskoui.com/privacy
```
Q: What about cookie policy vs privacy policy?
A: You can have separate documents or a combined policy - both approaches are legally valid.
Option 1: Combined Privacy & Cookie Policy
```markdown
# Privacy and Cookie Policy

## 1. Overview
[General privacy information]

## 2. Information We Collect
[Personal data categories including cookies]

## 3. Cookies and Tracking Technologies
[Detailed cookie information with biskoui integration]

## 4. Your Rights and Choices
[Including cookie preferences via biskoui]
```
Option 2: Separate Cookie Policy
```markdown
# Cookie Policy

This Cookie Policy explains how [Company] uses cookies and similar
technologies on our website, and how you can manage your preferences
through our consent management platform, biskoui.

**Cookie Categories:**
- Strictly Necessary: [List with purposes]
- Analytics: [List with third parties and retention]
- Marketing: [List with cross-border transfers]
- Functional: [List with legitimate interests]

**Managing Your Preferences:**
You can review and modify your cookie preferences anytime through
our consent center powered by biskoui: [Link]
```
Common Edge Cases & Legal Topics
Q: Are IP addresses personal data?
A: Yes, IP addresses are personal data under both GDPR and Swiss nFADP.
Legal Reasoning:
- GDPR: Court of Justice ruling (Breyer case, C-582/14)
- Swiss nFADP: Federal Data Protection Commissioner guidance
- Rationale: Can identify individuals when combined with other data
IP Address Processing Scenarios:
✅ Requires Consent/Legal Basis:
• Analytics with IP tracking (Google Analytics)
• Geolocation beyond country-level
• Cross-site tracking correlation
• Marketing attribution
⚠️ Legitimate Interest Possible:
• Basic server logs (security)
• Fraud prevention (transaction-specific)
• Load balancing (immediate technical necessity)
• DDoS protection (network security)
✅ Technical Safeguards:
• IP anonymization (last octet removal)
• Hashing with short-lived salts
• Geolocation to country/region only
• Automatic deletion within 24-48 hours
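The first two safeguards above, sketched for Node.js as an added example (not biskoui code; the function names and the /48 cut-off for IPv6 are assumptions). The hash is keyed with a random salt because the IPv4 space is small enough that a plain unsalted SHA-256 of an address can be reversed by enumerating every address.

```javascript
// Added example; function names are illustrative, not part of biskoui's API.
const crypto = require('node:crypto');

// Parse to canonical groups so equivalent spellings of one address match.
// IPv4-mapped IPv6 forms (::ffff:1.2.3.4) are rejected, not guessed at.
function parseIp(ip) {
  if (ip.includes(':')) {
    const halves = ip.split('::');
    const head = halves[0] ? halves[0].split(':') : [];
    const tail = halves[1] ? halves[1].split(':') : [];
    const zeros = halves.length === 2 ? 8 - head.length - tail.length : 0;
    const ok = halves.length === 1 || (halves.length === 2 && zeros >= 1);
    const groups = ok ? [...head, ...Array(zeros).fill('0'), ...tail] : [];
    if (groups.length !== 8 || groups.some(g => !/^[0-9a-f]{1,4}$/i.test(g))) {
      throw new Error('invalid IPv6 address: ' + ip);
    }
    return { sep: ':', groups: groups.map(g => parseInt(g, 16).toString(16)) };
  }
  const groups = ip.split('.');
  if (groups.length !== 4 || groups.some(g => !/^\d{1,3}$/.test(g) || Number(g) > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  return { sep: '.', groups: groups.map(g => String(Number(g))) };
}

// Truncation: IPv4 loses its last octet; IPv6 keeps only the first 48 bits
// (the /48 cut-off is an assumption of this example).
function anonymizeIp(ip) {
  const { sep, groups } = parseIp(ip);
  return groups.slice(0, 3).join(sep) + (sep === '.' ? '.0' : '::');
}

// Keyed hash with a random salt that is replaced every ttlMs. The old salt
// is discarded, so hashes from different windows cannot be linked.
function createIpHasher({ ttlMs = 24 * 60 * 60 * 1000, now = Date.now } = {}) {
  let salt = null;
  let expiresAt = 0;
  return function hashIp(ip) {
    const { sep, groups } = parseIp(ip);
    if (salt === null || now() >= expiresAt) {
      salt = crypto.randomBytes(32);
      expiresAt = now() + ttlMs;
    }
    const mac = crypto.createHmac('sha256', salt).update(groups.join(sep));
    return 'hmac-sha256:' + mac.digest('hex');
  };
}
```

The salt here lives in one process's memory; several server instances that must produce matching hashes within a window need to share it through a secret store and rotate it together.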
Q: What about Google Fonts and external resources?
A: Google Fonts from Google's CDN require consent - they enable cross-site tracking.
Google Fonts Analysis:
❌ Google CDN (fonts.googleapis.com):
• Transfers IP addresses to Google servers
• Enables cross-site tracking correlation
• No control over Google's data use
• Requires explicit consent under GDPR/nFADP
✅ Self-Hosted Fonts:
• No third-party data transfer
• Full control over loading and delivery
• No consent required
• Better Core Web Vitals performance
Implementation Options:
```html
<!-- ❌ Requires consent: Google CDN -->
<link href="https://fonts.googleapis.com/css2?family=Open+Sans" rel="stylesheet">

<!-- ✅ No consent required: Self-hosted -->
<link href="/assets/fonts/open-sans.css" rel="stylesheet">

<!-- ✅ Conditional loading with biskoui -->
<script>
  if (biskoui.consent.hasConsent('functional')) {
    // Load Google Fonts only with consent
    const link = document.createElement('link');
    link.href = 'https://fonts.googleapis.com/css2?family=Open+Sans';
    link.rel = 'stylesheet';
    document.head.appendChild(link);
  }
</script>
```
Q: What about first-party vs third-party cookies?
A: The distinction affects consent requirements and legal basis options.
Cookie Classification:
| Cookie Type | Domain | Consent Required | Examples |
|---|---|---|---|
| First-Party Essential | yourdomain.com | ❌ No | Session, security, shopping cart |
| First-Party Analytics | yourdomain.com | ✅ Yes | Custom analytics, A/B testing |
| Third-Party Functional | external.com | ⚠️ Depends | Payment processors, maps |
| Third-Party Tracking | external.com | ✅ Yes | Google Analytics, Facebook Pixel |
Legal Analysis:
First-Party Cookies:
• Subject to your privacy policy
• Easier legal basis justification
• Less regulatory scrutiny
• Still require consent for non-essential purposes
Third-Party Cookies:
• Subject to third party's privacy policy
• Cross-site tracking implications
• Higher regulatory scrutiny
• Almost always require explicit consent
Q: How do I handle localStorage and sessionStorage?
A: Local storage is personal data if it contains identifiable information.
```javascript
// ✅ No consent required: Essential functionality
sessionStorage.setItem('csrf_token', 'abc123');
localStorage.setItem('language_preference', 'en');

// ❌ Requires consent: Tracking/analytics
localStorage.setItem('user_behavior_profile', JSON.stringify(analytics));
localStorage.setItem('marketing_segments', JSON.stringify(segments));

// ✅ Conditional storage with biskoui
if (biskoui.consent.hasConsent('analytics')) {
  localStorage.setItem('analytics_session', sessionId);
}

// ✅ Cleanup on consent withdrawal
biskoui.on('consent.withdrawn', function(category) {
  if (category === 'analytics') {
    localStorage.removeItem('analytics_session');
    localStorage.removeItem('user_behavior_profile');
  }
});
```
Q: What about embedded content (YouTube, Vimeo, social media)?
A: Embedded content almost always requires consent due to automatic data transmission.
Consent-Required Embeds:
```html
<!-- ❌ Automatic data transfer to Google -->
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>

<!-- ❌ Automatic data transfer to Vimeo -->
<iframe src="https://player.vimeo.com/video/VIDEO_ID"></iframe>

<!-- ❌ Automatic data transfer to Facebook -->
<div class="fb-like" data-href="https://example.com"></div>
```
Consent-Managed Approach:
```html
<!-- ✅ Placeholder until consent -->
<div class="video-placeholder" data-video-id="VIDEO_ID">
  <img src="/video-thumbnail.jpg" alt="Video thumbnail">
  <button onclick="loadVideoWithConsent()">
    ▶️ Play Video (requires consent)
  </button>
  <p><small>This video is hosted by YouTube. Playing it will share
  data with Google. <a href="/privacy-policy">Learn more</a></small></p>
</div>

<script>
  function loadVideoWithConsent() {
    if (biskoui.consent.hasConsent('marketing')) {
      // Load actual YouTube embed
      loadYouTubePlayer();
    } else {
      // Request consent first
      biskoui.consent.request(['marketing'], {
        onAccept: loadYouTubePlayer,
        purpose: 'Loading YouTube videos'
      });
    }
  }
</script>
```
⚖️ Legal Disclaimer: These FAQs provide general guidance only. Data protection law is complex and evolving. For specific legal advice, consult with qualified privacy counsel in your jurisdiction.