What is GDPR?
Since May 25th, 2018, every organization that has a user base in any of the member states of the EU has to abide by the strict privacy regulations of the GDPR. The law aims to protect the personal data and privacy of users, and organizations have to take steps to ensure that the users’ personal data and privacy are protected.
Complying with GDPR is necessary even if your organization is not based in the European Union, if you are in any way collecting the data of a European Union citizen. Non-compliance with the regulations can potentially cause a fine of up to €20 million or 4% of the annual turnover of the previous financial year, whichever is higher. Read more about the GDPR here.
The policy document should contain the name of the data controller in the organization and tell users how the data controller can be contacted.
If your organization is required to have a Data Protection Officer (DPO), then include the details of the DPO. The details should contain the name and contact information of the DPO. Users can use the contact details to reach out to the DPO with their queries and concerns regarding the processing of their personal data.
Details about the personal data collected
When informing the users about the data collected, the details should include the types of personal data collected, why the data is collected, how the data is collected, how long the data will be stored, whom the data is shared with, what security measures have been taken to safeguard the data, etc.
Personal data can be defined as any data that can directly or indirectly identify a person. This can be the name, address, credit card information, IP address, a cookie identifier, etc., related to the user. Read more about what personal data is in GDPR in this article.
Transferring Personal Data Outside the European Economic Area (EEA)
How to Opt-out
The purpose and lawful basis for data collection
The privacy statement should clearly indicate the lawful basis for data collection and processing. There are 6 lawful bases for data collection. They are the following.
- Consent
If the data is collected with the clear and informed consent of the individual.
- Contract
If the data processing is necessary for a contract you have with the individual.
- Legal obligation
If data processing is necessary to comply with the law.
- Vital interest
If data processing is necessary to protect someone’s life.
- Public task
If data processing is necessary to perform a task in the public interest.
- Legitimate interest
Sources of the Data
Rights of the Individual
There are certain rights that the GDPR gives the users. They are the following.
- The right to be informed
- The right to access
- The right to erasure
- The right to rectification
- The right to object
- The right to restrict processing
- The right to data portability
- Rights related to automated decision making including profiling
Make the users aware of their rights and inform them how they can exercise their rights. Users can invoke their rights verbally or in writing, and the request should be responded to within a month.
The Language of the Policy
Lodge a complaint with the Supervisory authority
The users should be informed that they have the right to lodge a complaint with the supervisory authority. If the users’ complaint is not resolved by your organization, then they can lodge a complaint with the relevant data protection authority.
Automated Decision Making or Profiling
If there is automated processing done on the user data using an algorithm, then the users should be made aware of such processing and the logic and reasons behind the processing.
It is recommended that the privacy information is provided at the first point of contact. The users should be provided with the required information within 1 month of the data collection.
There are certain circumstances where it is not required to provide users with privacy information. These are cases where privacy information has already been provided to the users or where it would require a disproportionate effort to provide it to them.
Disclaimer: This content should not be treated as legal advice and the article is not written by a lawyer. The website owners should seek legal advice if needed to know what is best for their website or app depending on which further actions may be required to fully comply with the law.