We recently wrote about the EU’s new General Data Protection Regulation (“GDPR”) and how it might affect your business operations.  You may recall that the main focus of the GDPR is the protection of personal data and digital privacy. If you offer products and services to EU citizens or collect, use, or share personal information belonging to EU citizens then you will want to make sure that your online presence is compliant with GDPR rules.

The European Commission’s GDPR website provides some guidance so we thought it would be useful to summarize some of the major subject areas that your business’ privacy policy must address to be GDPR compliant.  The GDPR sets forth eight principles:

1) the right to be informed;
2) the right of access;
3) the right of rectification;
4) the right to erasure;
5) the right to restrict processing;
6) the right to data portability;
7) the right to object; and
8) the right of automated decision-making in profiling.

With this framework in mind, your privacy policy must address the following areas in plain, non-legalese language.

1. Communication

You should tell users who you are (contact information), when you request data, why you process their data, how long their data will be stored, and who receives it.

2. Consent

Users of your web site must consent to your collection and use of their personal information.  Recital 32 of the regulation provides “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”  So, if assent to your terms of use or privacy policy is the affirmative act necessary to give consent, it must be clearly stated and there should be, at a minimum, a click-through “agreement” button.

3. Accessibility and Data Portability

Users should be given access to their personal data and be permitted, upon request, to move it to another location, for example, another company’s website.

4. Data Breaches

Should your web site or servers suffer a data breach, you must inform users of the occurrence and the seriousness of risk to them.

5. The Right to be Forgotten

Users must be accorded the right to request that their personal information be deleted from your system.  You must comply with such requests “but only if it doesn’t compromise freedom of expression or the ability to research.”

6. Profiling

Profiling is defined under the GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.  Some companies process applications for legally-binding agreements by way of “profiling”. If your company does this, you must inform customers, ensure that a person, not a machine, checks the process if the application ends in a refusal, and offer the customer the right to appeal a refusal decision.

7. Marketing

Users should be given the right to opt out of direct marketing.

8. Safeguarding Data

“Extra” safeguards should be implemented to protect information about users’ health, race, sexual orientation, religion, and political beliefs.

9. International Transfer of Data

The GDPR requires businesses to inform customers should their personal data be transferred to a different country or an international organization.  Your privacy policy should address this issue.

With these principles in mind, you are ready to draft a GDPR-compliant privacy policy. If you need assistance, the lawyers at LWH would be pleased to help.

— Adam G. Garson, Esq.