The right to privacy and data protection is the hallmark of a democratic society.
Ever since GDPR came into force, organisations are becoming more aware of the rights of individuals. Businesses that collect and use personal data need to be clear about their motives.
Nowadays, organisations collect a whole range of information, both personal and non-personal.
Data items such as names, addresses, email addresses and other contact information satisfy the definition of personal data and hence fall within the scope of the GDPR.
If you operate your business within the EU and have clients, users or members in the EU, you must comply with the provisions of the GDPR to avoid violations of the law.
The GDPR requires companies to be transparent. They must make clear what they do with this data and how it is gathered, and ensure that it is processed in a fair and transparent manner.
The GDPR has created a whole range of privacy rights and protections for individuals and consequently organisations are obliged to become compliant or face legal action.
- The identity and contact details of your organisation
- The identity and contact details of your Data Protection Officer, if you have one
- The categories of personal data involved
- The purpose of processing each category of personal data
- The legal basis for each stated purpose of processing
- If you rely on “legitimate interest” as the lawful basis of processing, clearly state those legitimate interests.
- The fact that you share or intend to share personal data with other entities, or affiliate organisations in your group
- The likely retention period of the data
- The existence of the rights of data subjects and how they can exercise their rights
- If you rely on “consent” as the legal basis of processing, the existence of the right to withdraw consent at any time
- Whether you use personal data for profiling and automated decision making. Provide detailed reasons behind such processes, and their importance and consequences.
- Clarity about the personal data of children and how their consent will be obtained
- An explicit statement about the use of third-party website links
- Detailed information about any cookies used on your website: how they work and what information they collect
- Clear advice to data subjects about their “right to complain” to the Data Protection Authority
Article 13(1) and (2) of the GDPR state that data controllers must provide the necessary information at the time the data is collected.
- The categories of personal data are expanded to include more data items and/or special categories of personal data
- You find out that the information is being used for an unanticipated, unintended purpose
- You intend to share data with third-party users
- You intend to transfer personal data outside the EU
- You employ a third-party data processor
- Easy to understand
- Concise and clear use of language
- Easily accessible
- Free of charge
- Adopting a clear strategy for communication between parties
- Avoiding the use of false or misleading information
What to do now?
- Ensure that you are compliant with the requirements of Articles 12, 13 and 14 of the GDPR.
- Refer to the “What, When and How” section of this article for detailed guidance.
Seers also provides expert advice, GDPR consultation and guidance in drafting custom privacy policies. If you need assistance in this regard then feel free to contact us.