GDPR Compliance


GDPR Compliance Notice

This document applies only to ThinkCMS v5 and not to prior versions or implementations of the system.

In compliance with Articles 25, 32 and Recital (78) of the GDPR, ThinkCMS implements appropriate technical measures to ensure a level of security appropriate to the risk, including among other things:

  • Pseudonymisation - replacing personally identifiable material with artificial identifiers;
  • Encryption - encoding messages so only those authorized can read them;
  • Technical measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

All ThinkCMS implementations and standard modules, starting from v5, implement technical and organizational measures at the earliest stages of the design of the processing operations, in a way that safeguards privacy and data protection principles (data protection by design).

In brief

  • Risk analysis has been performed for the most common types of data stored and processed by our system and we have implemented measures to ensure the secure storage and processing of this data;
  • We have taken appropriate technical and organizational measures to ensure the security of processing and the safe storage of personal data in our system;
  • We have implemented and enforced several security policies in the core of our product to minimize the possibility of accidental or deliberate data compromise;
  • Data can be accessed, altered, disclosed or deleted only by users that are authorized to do so;
  • We have taken measures to minimize the risks of data breaches and reduce the risks of the exposed information;
  • Periodic testing, assessment and evaluation are performed and system updates are released to ensure that security measures remain appropriate and up to date, taking into account the state of technological development;
  • GDPR compliance modules are implemented that address consent and data subject rights as well as modules that address accountability of the users in the system and enable auditing the access and processing of information in the system;

Security of processing

ThinkCMS and its implementations provide controllers and processors with appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the data processed using the system, in order to comply with Article 32 of the GDPR.

While ThinkWeb has taken appropriate security measures to address the risks associated with processing and storing the data, your implementation might rely on other third party vendors that we do not have control over. You will be responsible for ensuring GDPR compliance from all of these vendors and ThinkWeb will not be responsible in any way for any issues that might arise from vendors chosen by you.

Storing sensitive data

According to Articles 4(13), (14) and (15) and Article 9 and Recitals (51) to (56) of the GDPR, the following personal data is considered sensitive and is subject to specific processing and storing conditions:

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • Trade-union memberships;
  • Genetic data, biometric data processed solely to identify a human being;
  • Health-related data;
  • Data concerning a person’s sex life or sexual orientation;
  • Data of sensitive or confidential nature or data which the client has classified as sensitive;

ThinkCMS provides encrypted database storage, together with appropriate access control and logging mechanisms, to ensure the safety of the data in case of a breach or unauthorized access, and keeps a log of all admin users who have accessed the data.

Data breaches

ThinkCMS and all implementations feature a number of technical measures to prevent data breaches and minimize the risk of such breaches as well as the "exposed" information, including unauthorized reversal of pseudonymisation or decryption of sensitive data.

Rights for individuals under the GDPR

Under the GDPR, individuals have the rights listed below. Since every implementation differs in the types of data and processing activities, please consult our representatives for more information on the appropriate measures that will be or are implemented in your specific case.

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Right to data portability

Since every ThinkCMS implementation is different, data portability tools, compliant with Article 20 and Recital 68 of the GDPR and Article 29 of the Working Party Guidelines on data portability, are created for the specific implementation.

Right of access

According to Article 15 and Recitals 63 and 64 of the GDPR, for users who want to exercise the right of access to their personal data, specific data access tools are created, if needed, to comply with the regulation.

Right to erasure (right to be forgotten)

In accordance with Article 17 of the GDPR, tools available in the admin area are created, if needed, to remove all personal data for a single subject.


For compliance with Articles 4(11), 6(1)(a), 7, 8 and 9(2)(a), ThinkCMS can implement different methods for managing the entire consent lifecycle and keeping detailed records and an accurate audit trail.

  • Appropriate collection of consent across multiple digital channels allowing granular preferences;
  • Management of consent withdrawals;
  • Tools enabling the controller to demonstrate that the data subject has consented to processing of his or her personal data;
  • Consent audit logs;

Depending on the requirements of the specific project, the implementation will include all appropriate tools and measures to address the GDPR requirements.


One of the newest additions to ThinkCMS v5 is the GDPR module, created to streamline the technical implementations required by the Regulation. The new cookie-related functions enable administrators to create GDPR-compliant cookie consent banners in multiple languages and to configure different cookie groups from the administration panel. The module ensures that no cookies (except the necessary ones) or tracking pixels will be stored or used unless the user has given his or her explicit consent. The easy-to-use UI lets the user choose which cookies to accept, withdraw consent once given, or change preferences at any time.

The administration panel provides a full overview of all the collected consents and changes to the consent the user has made along with how and when the consent was obtained, fulfilling the obligations of the controller to demonstrate a data subject's consent under Article 7(1). Appropriate technical measures are taken to ensure that the system refreshes the consent at appropriate intervals.

Sharing data with third parties

With the latest release of ThinkCMS we have ensured that all necessary resources are stored locally on your installation so that we do not share any IP addresses or other usage information for the admin panel users with third parties. By doing so, we have eliminated the attack vector of injecting malicious code from resources hosted on other servers.

However, in some cases it is necessary to share data with third party services to perform a certain task or implement a specific function in the system. In such cases (payment validation and processing, fraud prevention, external API integration, etc.), measures have been taken to implement appropriate controls, safe transport and communication, minimization of the data shared and, when possible, anonymization of the data when personal data is involved.

Backend administrator data

All personal data related to the administrators is protected against unauthorized access using appropriate organizational and technical measures. In order to provide authenticated users with access to specific functions we collect and use the following information:

  • Username - We use usernames to uniquely identify users in the ThinkCMS admin;
  • Name - Full name, nickname or first / last name is used only to show other backend users who performed which operation in the admin area;
  • Password - Used only for authenticating the user in the admin area;
  • Email - We use your email to send security notifications and to enable password resets for your account;

Additional data we collect and use:

  • IP address - We use and log your IP address to initiate secure sessions once you authenticate and create an admin log of all your actions in the backend for the sole purpose of accountability of the users in the system;

In order to prevent attacks and ensure information security and accountability in the system, in compliance with Recitals (47) and (49) of the GDPR, we collect and store the following data:

For all users:

  • IP addresses;
  • User agents;
  • Actions (logins, failed logins, password resets, etc.);

For admins:

  • Actions (add, edit, delete, etc.);
  • Before and after object states of all data records in the system when a specific action is performed;
  • To ensure that no personal or sensitive data is logged in the logs, pseudonymized versions of the data are used;
  • Time and date each admin accessed a record or set of records containing personal data;

All data collected for the administrators is subject to policies defined by the client that regulate the period of storage and accessibility (Recital 78). More information on what data we store or process can be found in the data mapping section.

ThinkWeb in the role of data processor

According to Article 28 and Recital (81) of the GDPR, ThinkWeb can act as a data processor only if a support or other legal contract is present. All processing activities will be governed by the contract and all applicable laws and regulations. If ThinkWeb is not identified as a data processor, it can act only as a recipient of personal data as defined in Article 4(9) of the GDPR.

Support contracts

To comply with Articles 28 and 32 of the GDPR, for all our clients on support contracts we implement processes for regular testing, assessing and evaluating the effectiveness of technical measures used in securing the processing in the ThinkCMS implementations. We will also assist you in complying with your various obligations in Articles 32 to 36 of the GDPR.

Change history

| Date | Version | Created by | Description |
|---|---|---|---|
| 22.01.2018 | 1.0 | Goce Bonev | First document outlining the new features and compliance mechanisms of ThinkCMS v5 |
| 10.04.2018 | 1.1 | Goce Bonev | References to GDPR articles and recitals |
| 22.04.2018 | 1.2 | Goce Bonev | Information added on the new cookie related functions in the system, GDPR modules and sharing data with 3rd parties |