This article is written by Garima Gunjan, pursuing Diploma in Advanced Contract Drafting, Negotiation, and Dispute Resolution from LawSikho. The article has been edited by Anahita Arya (Senior Associate, LawSikho) and Dipshi Swara (Senior Associate, LawSikho).
General Data Protection Regulation (GDPR) is a game-changer framework that came into existence on May 25, 2018. GDPR was launched across every country in the European Union (EU) in alignment with the then prevalent data protection policies. However, it brought an increase in the protection level for EU citizens. The law helps its EU citizens to gain control over their data and is at par with the current tech era. Nowadays as every site that you visit collects data, GDPR has created a standard for the way data-related laws should be implemented in order to protect a private citizen’s privacy.
Meaning of GDPR
All the global companies irrespective of the countries they are based in, need to comply with GDPR if they are involved in business transactions with citizens based in the EU countries. The European Parliament and Council came up with GDPR so that global ventures with desktop & mobile apps along with sites can collect personal data with the consent of EU citizens.. If a company is involved in the procession or collection of personal data belonging to EU citizens, it must comply with GDPR and non-compliance of which may result in the company being slapped with hefty fines by the authorities.
GDPR is legislation according to which companies are required to adopt both technological and organizational steps to protect users’ data. Being an organization that deals with EU customers, they need to appoint Data Protection officers and train their staff regarding the handling of sensitive data. Under technological measures, the staff should be taught about data encryption, classification, deletion of data, management of consent, making changes according to requests made, and data loss prevention.
By complying with GDPR policies, the company needs to inform its site users of the reason their data is being processed and the period for which it will remain stored with this company in a clear and simple language.
For example, if you run a start-up that has users and customers from the EU countries, and your start-up is involved, then you will have to provide information to these users regarding what personal information is being collected, what is the process to collect it, how the data shall be utilized, how it shall be secured, whether data shall be shared with third parties, or shall users have any control over this data.
How are user rights being addressed?
Under the GDPR provisions, users have been granted certain rights so that they may be able to gain control over their data. Some of these rights are:
- The right to be informed,
- The right of access,
- The right to rectification,
- The right to erasure,
- The right to restrict processing,
- The right to data portability,
- The right to object.
These rights can be related to any personal information that the company collects from its users.
For example, suppose there is an Indian start-up called ‘Fellon’ with customers from the EU, it will address the user rights under GDPR via the following clause:
“You have the right to ask us not to process your personal information for marketing purposes. You can exercise your right to prevent such processing by checking or unchecking a few boxes on the forms we use to collect your data. If you wish to exercise this right, please drop us a mail at firstname.lastname@example.org.”
How does the user’s consent have to be obtained?
As per Article 7 of GDPR, If the users freely give their affirmative consent to a company regarding their personal data collection, in such a case, the company has managed to obtain users’ consent regarding the collection of personal data.
Suppose if ‘Fellon’ wishes to obtain its users’ consent before collecting personal info, it may do in the following manner:
“We want you to know exactly how our services work and why we require your registration details. Please state that you have read these terms before you continue.
__ I agree to the terms and conditions.”
How can data be modified or deleted?
According to Article 4(11) of GDPR, if a user believes that their data has become out of date or contains errors, they can request the company to get their data modified. The company has to oblige to this request without any due delay.
For example, ‘Fellon’ shall include this right as a clause given below:
“If you have registered an account on Fellon, we provide you with tools and account settings (link) to access, collect, delete, or modify the personal data you provided to us or associated with your account. You can download certain account information, by following instructions here (link redirects to page with details). You can request the correction, deletion, or modification of your data, and download account information, by following instructions here (redirects to a page with details).”
How can personal data be utilized for some other purpose?
According to Article 4(10) of GDPR, If the company that collects its users’ personal data wishes to utilize this data for some purpose other than those users have provided consent, the company will be able to do this only after the users agree to the same.
If ‘Fellon’ wishes to utilize its users’ data for some other purpose, it may draft that privacy clause in the following manner:
“Fellon provides you with a means to download the information you have shared through our services by clicking here (redirects to a page with details). We provide you with a means to download the information you have shared through our services by clicking here (redirects to a page with details).”
How to resolve complaints?
To resolve complaints received from the users, ‘Fellon’ will have to draft a clause as follows:
“If you have any concern about the way Fellon is handling your User Personal Information, please inform us immediately. You can email us at email@example.com so that your complaint reaches our Data Protection Officer (DPO) directly.
Whether data is being used in automated decision making?
According to Article 22 of GDPR, If a company wishes to utilize collected data in automated decision making after processing personal data, the users are to be informed about the same.
If ‘Fellon’ decides that it shall be using automated decision making in order to provide services to its customers, the clause shall be drafted as follows:
“Fellon may use automated decision making in processing your personal information for some services and products. You can request a manual review of the accuracy of an automated decision if you are unhappy with it.”
The purpose for collecting data
According to Article 13 of GDPR, information has to be provided from when data is being collected from the data subjects.
As ‘Fellon’ collects personal data of its users to process them accordingly, it may inform users about it by drafting the following clause:
“Fellon collects the data of its users to introduce new people to its products, improve the site quality, for personalization for optimizing content and to display ads on other sites.”
Period for which data shall be stored with the company
According to Article 5(e) of GDPR, the users are to be informed about the specific period for which their data shall be stored and analyzed for different purposes.
As ‘Fellon’ has the policy to store users’ data for 36 months according to GDPR, it has to be described as under:
“Fellon collects and uses data provided by its users only for providing services. The maximum period for which your data shall remain with us is 36 months.”
Right to be forgotten
Also known as ‘Right to erasure,’ under Article 17(1) of GDPR, users can request the data controller of the company to remove their personal information without undue delay. Once the companies have achieved their target regarding the processing of data collected from the users, these users have the right to request to get their data erased from the company database. It is also famous as a right to data deletion.
Appointment of Data Protection Officers (DPO)
Article 37 of GDPR talks about the appointment of the DPO. In order to deal with GDPR issues, few companies can be asked to appoint a DPO. The need depends on the way user data is processed and company size.
Timely breach notification
According to Article 33 of GDPR, if a site complying with GDPR faces a security breach, the concerned company is required to report this issue to both its data controllers and customers within 72 hours. If this step is not taken within a given time frame, the company can attract a fine.
Privacy by design
According to Article 25 of GDPR, companies should design their sites in a manner that complies with cybersecurity protocols. The data collection process should also be regulated. If a company fails to comply with this, it may face a fine.
According to Article 7 of GDPR, the companies are required to clearly state their terms for consent. The terms and conditions should be explained in simple language for the users. Sites should allow the users to withdraw their consent anytime freely.
According to Article 20 of GDPR, users reserve their rights to the data that they have consented to a company. Users can obtain that data from the company and it can be used for another purpose by another company.
|1. Privacy statement|
2. How do we use your personal data?
We will always process your personal data based on one of the legal basis provided for in the GDPR (Articles 6 and 7). In addition, we will always process your sensitive personal data, for example, concerning your trade union membership, religious views, or health condition, in accordance with the special rules provided for in the GDPR (Articles 9 and 10). We may collect and process your personal data for the purposes detailed below, which are required so that we can pursue our legitimate interests and provide you with adequate services and products:
a. To ensure that content from our site is presented in the most effective manner for you;
b. To notify you about changes to our service(s);
c. To manage your customer account;
d. To offer you products and services;
e. To inform you about our policies and terms;
f. To promote safety and security, such as by monitoring fraud and investigating suspicious or potentially illegal activity or violations of our terms or policies;
g. To provide, improve, and develop our products, services, and advertising;
h. To use personal information for purposes such as data analysis, research, and audits;
I. To ensure business continuity.
3. What type of personal data do we use?
a. Name and surname,
c. Home Address,
d. Identification number (e.g., customer number),
e. Location data,
f. Email address (personal/professional),
g. Telephone number (personal/professional),
i. Credit card/bank account information,
j. Recorded customer phone calls,
k. Record of employee performance assessment,
l. Recruitment information (e.g., CV, certificates, marital status, date of birth, reference letters).
We can obtain such personal data either directly from you when you decide to communicate such data to us (i.e., when you fill in forms displayed on the Website) or indirectly where such personal data is provided to us by your electronic communication terminal equipment or your Internet browser. We ensure that the personal data processed is adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed.
4. How do we share your personal data?
We may share your personal data with Company Group entities and with third parties in accordance with the GDPR. Where we share your data with a data processor, we will put the appropriate legal framework in place in order to cover such transfer and processing (Articles 26,28 and 29 GDPR). Furthermore, where we share your data with any entity outside the EEA, we will put appropriate legal frameworks in place, notably controller-to-controller and controller-to-processor Standard Contract Clauses approved by the European Commission, in order to cover such transfers (Articles 44 of GDPR).
Subject to your prior consent, your personal data may be transferred to, stored, and further processed by strategic partners that work with us to provide our products and services or help us market to customers. Your personal data will only be shared by us with the partners in order to provide or improve our products, services and advertising.
We may share your personal data with companies that provide services on our behalf, such as hosting, maintenance, support services, email services, marketing, auditing, fulfilling your orders, processing payments, data analytics, providing customer service, and conducting customer research and satisfaction surveys.
Corporate Affiliates and Corporate Business Transactions
We may share your personal data with all Company’s affiliates. In the event of a merger, reorganization, acquisition, joint venture, assignment, spin-off, transfer, or sale or disposition of all or any portion of our business, including in connection with any bankruptcy or similar proceedings, we may transfer any and all personal data to the relevant third party.
Legal Compliance and Security
It may be necessary for us; by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence – to disclose your personal data. We may also disclose your personal data if we determine that, due to purposes of national security, law enforcement, or other issues of public importance, the disclosure is necessary or appropriate. We may also disclose your personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.
5. Our records of data processes
We handle records of all processing of personal data in accordance with the obligations established by the GDPR (Article 30), both where we might act as a controller or as a processor. In these records, we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities as required (Article 31 GDPR).
6. Security measures
7. Notification of data breach to the competent supervisory authorities
In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, we have the mechanisms and policies in place in order to identify it and assess it promptly. Depending on the outcome of our assessment, we will make the requisite notifications to the supervisory authorities and communications to the affected data subjects, which might include you (Articles 33 and 34 GDPR).
8. Processing likely to result in a high risk to your rights and freedoms
We have mechanisms and policies in place in order to identify data processing activities that may result in a high risk to your rights and freedoms (Article 35 GDPR). If any such data processing activity is identified, we will assess it internally and either stop it or ensure that the processing is compliant with the GDPR or that appropriate technical and organizational safeguards are in place in order to proceed with it. In case of doubt, we will contact the competent Data Protection Supervisory Authority in order to obtain their advice and recommendations (Article 36 GDPR).
9. Links to other sites
We may propose hypertext links from the website on which this policy is stated to third-party websites or internet sources. We do not control and cannot be held liable for third parties’ privacy practices and content. Please read carefully their privacy policies to find out how they collect and process your personal data.
Start-ups should draft understandable and clear GDPR privacy policies with help of trained lawyers. If the start-ups have any site or application that collects certain data from its users, such an entity has a certain responsibility towards its users. Visitors should understand legal terms without any hurdle. The policies can vary depending on the needs of start-ups or the kind of services that they provide. The policies should be drafted according to the requirements of the venture.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.