Privacy Battles
Simple Analytics
Privacy Score
94
%
⚔️
AT Internet
Privacy Score
86
%

Designated DPO or GDPR correspondent

Compliant
Partially Compliant
Not Compliant

Simple Analytics doesn’t process personal data, therefore does not have to designate a DPO.

Simple has a privacy dedicated email contact available on the website: privacyquestions@simpleanalytics.com

Compliant
Partially Compliant
Not Compliant

AT Internet has appointed a Data Protection Officer who can be contacted at the following address: dpo@atinternet.com or by post.

Privacy Policy

Compliant
Partially Compliant
Not Compliant

Regarding cloud:
A Cloud Privacy Policy is not necessary as no personal data is processed in the Cloud.

Regarding website:
https://simpleanalytics.com/privacy-policy

Country & Type of Data storage

Compliant
Partially Compliant
Not Compliant

Company Headquarters:
The Netherlands 🇳🇱  (EU) 🇪🇺

Storage Facilities:
All analytics data is processed by Dutch cloud providers Worldstream and Leaseweb.

Compliant
Partially Compliant
Not Compliant

Company Headquarters:
France 🇫🇷  (EU) 🇪🇺

Storage Facilities:
All analytics data is stored in the EU by cloud providers AWS and SFR.

AT Internet however doesn’t specify in which country data is hosted.

Data transfers outside the EU

Compliant
Partially Compliant
Not Compliant

Data is never transferred outside the EU.

Compliant
Partially Compliant
Not Compliant

AT Internet doesn’t transfer analytics data outside the EU.

Legal tools for Subcontractors

Compliant
Partially Compliant
Not Compliant

Simple has only one subcontractor for CDN that is called BunnyCDN and is part of a company called BunnyWay, located in Slovenia (EU). They have concluded a written agreement protecting personal data processed on BunnyCDN's part.

Compliant
Partially Compliant
Not Compliant

At Internet commits itself to verify that its subcontractors present sufficient guarantees regarding the implementation of technical and organizational measures.

AT Internet has made public its list of subprocessors: https://www.atinternet.com/en/processor-sub-processor-information-parent-company/

Prior to modifying the list of subprocessors, the controller will be notified and is able to object.

Data Breach Notification

Compliant
Partially Compliant
Not Compliant

Simple shares technical incidents on its website: https://status.simpleanalytics.com/?ref=simpleanalytics.com

Simple doesn’t process personal data and therefore a data breach cannot be materialized nor notified.

Compliant
Partially Compliant
Not Compliant

In case of a data breach, AT Internet will notify the controller without undue delay after becoming aware of the breach, and provide the necessary information to notify Data Protection Authorities.

Right Requests Process

Compliant
Partially Compliant
Not Compliant

Simple doesn’t process personal data therefore does not have to fulfill this GDPR obligation.

Compliant
Partially Compliant
Not Compliant

Data request will be forwarded to the controller without delay and assistance will be provided to the controller to answer any request.

Data Privacy Impact Assessment

Compliant
Partially Compliant
Not Compliant

Simple doesn’t process personal data therefore does not have to fulfill this GDPR obligation.

Compliant
Partially Compliant
Not Compliant

AT Internet will provide necessary assistance to the controller in case of Data Privacy Impact Assessment on an analytics processing activity.

Employee Trainings

Compliant
Partially Compliant
Not Compliant

Simple doesn't process personal data and therefore is not obliged by the GDPR to have its employees subject to confidentiality obligations and trainings on personal data management.

Compliant
Partially Compliant
Not Compliant

Employees are trained on the confidentiality of personal data and subjects to a strict confidentiality obligation.

Security Policy

Compliant
Partially Compliant
Not Compliant

Simple doesn’t mention having a security policy.

Compliant
Partially Compliant
Not Compliant

AT Internet mentions having a security policy and updating it regularly, but has not made it public.

Organizational and Technical Security Measures

Compliant
Partially Compliant
Not Compliant

Server security:
Cloud security relies on Worldstream and Leaseweb.

Other measures:
Anonymisation and pseudonymisation of data, password encryption, backups on external servers.

Compliant
Partially Compliant
Not Compliant

AT Internet mentions having a security policy and updating it regularly, but has not made it public.

Data Encryption

Compliant
Partially Compliant
Not Compliant

Data is encrypted at rest.

Compliant
Partially Compliant
Not Compliant

AT Internet never mentions data encryption.

Restriction of access

Compliant
Partially Compliant
Not Compliant

Simple doesn’t process personal data therefore does not have to fulfill this GDPR obligation.

Compliant
Partially Compliant
Not Compliant

AT Internet limits access to data only to persons who need to know and does not share data with third parties without prior demand of the controller.

Reuse of data

Compliant
Partially Compliant
Not Compliant

Swetrix doesn’t reuse personal data, nor sell it.

Compliant
Partially Compliant
Not Compliant

AT Internet doesn’t pursue its own purposes with this data processing. The controller stays the data owner.

Exemption of cookie consent

Compliant
Partially Compliant
Not Compliant

YES, Simple doesn’t set any cookies.

Compliant
Partially Compliant
Not Compliant

YES, if controller masks the following personal data by default (visitor ID, postal code, internet service provider, converted visit) and anonymizes IP addresses.

Submission to Cloud Act/FISA

Compliant
Partially Compliant
Not Compliant

NO, data is stored in the EU and anonymized (therefore no more considered personal).

Compliant
Partially Compliant
Not Compliant

YES, data hosted on Amazon servers doesn’t appear to be anonymized nor encrypted at rest, therefore can be accessed by an American intelligence agency on demand.