As you may be aware, there has been a significant development in privacy law: the European Union's General Data Protection Regulation (GDPR) became applicable on 25 May 2018. We have received a large number of inquiries about whether the GDPR applies to businesses that collect ‘personal data’, particularly from businesses collecting personal data from individuals in the European Union.
Article 24 of the GDPR requires data controllers to implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”, and adds that, where proportionate to the processing activities, those measures “shall include the implementation of appropriate data protection policies by the controller”.
In practice this means that every organisation bound by the GDPR which processes personal data should have a data protection policy that reflects the rules set out in the GDPR.
Article 5 of the GDPR sets out six principles with which all processing of personal data must comply:
- Lawfulness, fairness and transparency;
- Purpose limitation (personal data should be collected for specified, explicit and legitimate purposes only, and not further processed in a way incompatible with those purposes);
- Data minimisation (collection of personal data should be adequate, relevant and limited to what is necessary for those purposes);
- Accuracy (every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay);
- Storage limitation (personal data should be kept in a form which permits identification of individuals for no longer than is necessary);
- Integrity and confidentiality (appropriate security against unauthorised or unlawful processing and against accidental loss, destruction or damage).
Article 5(2) adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability).
Your data protection policy should cover at least the following:
- the types of personal data you collect;
- how you collect and use personal data (and any sensitive information, if relevant);
- how you share or disclose personal data, including to third parties;
- how long you retain personal data and how you destroy it;
- how your customers can exercise their rights over their personal data (access, rectification, erasure and the other rights in Articles 15 to 22);
- how you deal with data security, international data transfers and third-party links;
- how your customers can contact you to give feedback or submit complaints (including the details of your Data Protection Officer, if your business is required to appoint one), and how you handle such complaints.
Final point about consent
The GDPR requires a business to have a lawful basis for processing its customers’ personal data. Consent is one of the six lawful bases listed in Article 6 of the GDPR.
A customer’s consent to your business’ processing of their personal data must be “freely given, specific, informed and unambiguous”, and “silence, pre-ticked boxes or inactivity should not constitute consent” (GDPR Recital 32). Consent is not freely given if the customer has no genuine choice, cannot refuse or withdraw consent without detriment, or is required to consent as a condition of receiving a service that does not need the data (Recital 42 and Article 7(4)). It was on this point that the French data protection authority (CNIL) fined Google €50 million in January 2019: Google had not given users enough information about how their data would be used and had not obtained valid consent for personalised advertising.
This article was written by Commercial and Tech Lawyer Zuong Dang.
marshalls+dent+wilmoth lawyers can assist you to navigate the changing business and technology landscape. Please do not hesitate to contact us on (03) 9670 5000.
DISCLAIMER: We accept no responsibility for any action taken after reading this article. This is a guide to give you a better understanding of the GDPR only and is not a substitute for the expert legal advice you can get from marshalls+dent+wilmoth and other relevant experts.