General Data Protection Regulation (“GDPR”)
May 26, 2018
(Not Legal Advice, just my opinion)
If you run a website that collects consumer information, you need to update your Privacy Policy and Terms of Use in order to comply with the new European Union General Data Protection Regulation (“GDPR”). The new legal framework took effect on May 25, 2018, and it is designed to:
1. Unify the current data protection privacy laws throughout the EU, and
2. Enhance the rights of citizens of the EU to protect their personal information.
The GDPR applies to any business that does one or both of the following:
1. Offers products or services to citizens of the EU
2. Collects personal information from citizens of the EU
If you are a U.S.-based business and you collect email addresses from EU citizens, you must comply with the GDPR.
How to comply:
There are different rules for a Data Controller or a Data Processor. Article 4 defines data controllers and data processors. See https://gdpr-info.eu/
For example, if your company sells products to consumers and uses another company’s services to send emails on your behalf and track the engagement activity — you are the controller, and the third party email service is the processor.
Under the GDPR, the controller is the principal party for collecting consent, managing consent-revocation, permitting access to the website, etc. If a user wants to revoke their consent for their personal data, they contact the data controller, even if the stored data is on the processor’s servers. The controller then has to request the processor to remove the revoked data from their servers.
Prior to May 25, 2018, the EU had the “Data Protection Directive” which only applied to data controllers, but now, with the GDPR, it applies to processors as well. Failure to comply with the technical security requirements — by either the processor or controller — can result in civil penalties.
Article 28(1) states: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” See https://gdpr-info.eu/
So data controllers have to seek out data processors that comply with the GDPR or the controller risks a penalty for lack of proper vetting. This puts processors in a position where they now need to get an independent compliance certification to reassure their future customers — and keep their future customers (the controllers) in compliance themselves.
In addition, all processors are required to:
- Only process personal data on instructions from the controller, and inform the controller if it believes said instruction infringes on the GDPR (28.3). So basically, a processor can’t use or mine personal data that it’s entrusted with for purposes not outlined by the data controller.
- Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for failures of subcontractors to meet the GDPR (28.4)
- Upon request, delete or return all personal data to the controller at the end of the service contract (28.3.g)
- Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h)
- Take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1)
- Notify data controllers without undue delay upon learning of data breaches (33.2)
- Restrict personal data transfer to a third country only if legal safeguards are obtained (46)
See https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/
A processor is further required to maintain a record of data processing activities if it qualifies for any of the following criteria (30):
- Employs 250 or more persons
- Processes data that is “likely to result in a risk to the rights and freedoms of data subjects”
- Processes data more than occasionally
- Processes special categories of data as outlined in Article 9(1)
- Processes data relating to criminal convictions
And a processor must appoint a Data Protection Officer in select circumstances.
Id.
How to update your Privacy Policy and Terms of Use Accordingly:
- Provide your users with thorough information about how their personal data is being processed
- Article 12 of the GDPR states the information must be communicated in the following ways:
  - Concise
  - Transparent
  - Intelligible
  - Easily accessible
  - In clear and plain language
  - Free of charge
The GDPR doesn’t want this to be a long complicated document full of legalese that nobody will take the time to read; the goal is to make it short, non-technical, and reader-friendly.
There are 8 rights that must be discussed:
a. Right to be Informed
b. Right to Access
c. Right to Correction (“Rectification”)
d. Right to Erasure (Right to be Forgotten/permanently deleted)
e. Right to restriction of processing
f. Right to Portability: has to be a safe and controlled way if it’s being transferred to a data processor.
g. Right to object to Processing — right to object to public authorities or companies processing their data without explicit consent, or to stop personal data from being included.
h. Right not to be subject to automated decision-making — they can demand human intervention rather than having important decisions made via an algorithm.
See https://www.helpsystems.com/gdpr-understanding-8-rights-data-subjects
Additionally, your privacy policy must include:
- What personal information you collect
- How and why you collect it
- How you use it
- How you secure it
- Any third parties with access to it
- If you use cookies
- How users can control any aspects of this
- Who is the Data Controller (usually it’s the company with the website)
- Include the contact info for the controller (mailing and email address)
- If you have a Data Protection Officer, include their contact email as well
- Inform your users whether you use the data to make automated decisions, such as for credit scoring, profiling users, employment decisions, etc.
- Whether providing data is mandatory: let users know whether they are required to provide you with personal data, and what happens if they don’t. For example, if users don’t provide you with an email address, they may not be able to create a user account to log in to.
- Whether you transfer data internationally: if your business transfers personal data to a different country or international organization, you need to let users know this.
- Whether your transfer falls under a legal framework or decision, such as the EU-US Privacy Shield. You should link a copy of your corporate rules, or the contractual provisions of this shield.
- What your legal basis for processing data is. Article 6 of the GDPR outlines the lawful basis. See https://gdpr-info.eu/art-6-gdpr/. The most common two would be:
a. The subject has given consent to have data processed for the specific purpose/s
b. Processing is necessary for pursuing a legitimate interest (which you need to define as one of the six)
The GDPR requires you to get consent for the data you collect, so you have to make your users agree to your Privacy Policy. They must click a box BEFORE you collect any information. If it’s their basic personal information (email, name, financial info, etc.), it’s called affirmative consent, which must be clear and unambiguous. If you are collecting sensitive personal information like sexual orientation, health data, or political views, the consent must be explicit. Make your users click a box next to a statement that says by clicking, the user is agreeing to your Privacy Policy terms. Link to your Privacy Policy there as well.
Thank you.
For more info, read: https://termsfeed.com/blog/gdpr-privacy-policy/