THIS ARTICLE WAS WRITTEN BY TITHI NEOGI, A STUDENT OF KIIT SCHOOL OF LAW.
What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area.
IMPORTANT TERMS OF GDPR:
Article 4:- Definition of personal data- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Article 12:- requires that information provided be in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
Article 13:- states the information to be provided where personal data are collected from the data subject.
Article 14:- states the information to be provided where personal data have not been obtained from the data subject.
Article 37:- states the designation of the data protection officer.
Data Controller– any person or legal entity that determines the purposes and means of processing personal data.
Data Processor– any person or legal entity that processes personal data on behalf of the controller.
SAFEGUARDS TO PROTECT THE DATA:
Standard Contractual Clauses (also referred to as “Model Clauses” or “Model Contracts”) are the contractual terms that enable the transfer of personal data to processors established in third countries that do not ensure an adequate level of data protection.
The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally.
It has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA).
It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.
- In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
- The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorization from a supervisory authority, by:
  - a legally binding and enforceable instrument between public authorities or bodies;
  - binding corporate rules in accordance with Article 47;
  - standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
  - standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
  - an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  - an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
- Subject to the authorization from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
  - contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization; or
  - provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
A privacy policy is GDPR compliant when it meets the following requirements:
- Companies must have a lawful basis for processing personal data; the policy should state which of these six circumstances applies:
  - The consumer has provided consent.
  - Processing is necessary for the performance of a contract.
  - Processing is necessary for compliance with a legal obligation of the data controller.
  - Processing is necessary to protect the vital interests of the consumer or another natural person.
  - Processing is necessary in the public interest.
  - Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.
- Data retention – GDPR prohibits website operators from retaining data beyond a reasonable period of time.
- Contact information for the data controller and processor – Articles 13 and 14 require this.
- Do not use complicated language – users must not be confused by complex legal language (Article 12).
- Inform users of their rights:
  - Right to be informed.
  - Right of access.
  - Right to rectification.
  - Right to erasure.
  - Right to restrict processing.
  - Right to data portability.
  - Right to object.
  - Rights related to automated decision making.
- Name and contact details of the organization – the customer giving his/her personal data must be able to identify and contact your organization. You need to appoint a representative in the European Union and disclose how to contact that representative.
- Name and contact details of the Data Protection Officer (DPO) – since your core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, you need to appoint a DPO. Data subjects can use the DPO’s contact details to submit questions or concerns about the processing of their personal data.
- Categories of personal data you collect – the policy outlines the types of personal data that your organization processes (Article 4).
- The legal basis for processing:
  - consent of the data subject;
  - to fulfil contractual obligations with a data subject, or for the legitimate interests of the data controller or a third party;
  - to take steps for a data subject who is in the process of entering into a contract with the data controller;
  - to protect the vital interests of the individual.
- Identify your or your customer’s legitimate interests if you rely on them as a lawful basis.
- Define the recipients or categories of recipients of the personal data – any natural or legal person, public authority or agency to which the data is disclosed. This includes your vendors, contractors, business partners, etc.
A clear policy makes expectations for customers’ and site visitors’ behavior explicit and provides a standard against which behavior can be measured in the event of a lawsuit or job action. It makes them feel more comfortable using the company’s services and transmitting their private information electronically.
- PAYMENT PROCEDURE POLICY-
The company must ask its customers to provide contact information such as name and shipping address, and financial information such as credit card number, debit card number, expiration date, etc. The customer must be informed that these details will be used for billing purposes and to fulfil his/her orders. The company must further make it clear that it uses an outside shipping company to ship orders, and a credit card processing company to bill users for goods and services. These companies do not retain, share, store or use personally identifiable information for any secondary purposes beyond fulfilling the customer’s orders.
- CANCELLATION POLICY– It has two stages:
  - Before shipment – the organization must provide an email address or contact number where the customer can reach the company if the customer wants to cancel the order before shipment. Clear details of the refund policy must be provided on the website.
  - Post shipment – the time allowed for refunding the money, or for the customer to return the product after delivery, must be clearly stated on the website.
The website material must be marked with “All rights reserved” or the copyright symbol to deter potential offenders from infringing upon the website. A website is a compilation of many things, such as text, graphics, photographs, videos and computer programs created by different people. The company will own the copyright to only those parts of the website that it created, unless copyright to the other parts has been transferred to the company. Registration of copyright serves as a public record of copyright ownership. The company cannot sue someone for copyright infringement unless it has registered its copyright.
- The privacy notification does not need to be obtrusive or interrupt the user experience completely. The notification window may be programmed to slide into the bottom left-hand corner of the screen and fade away after a few seconds or when the user clicks the screen.
- Any time you collect data for the first time in a new way, you must notify the data subject immediately; and if your legal basis is going to be consent, make sure to disable cookies until you receive that consent. On the other hand, if you collect data from third-party sources and not directly from the data subject, you must notify within 1 month, with the following two caveats:-
  - If you are using the data to contact the data subject, you need to notify at the first contact.
  - If you are disclosing the data to a third party, you need to notify the data subject before the disclosure.
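As an added example, not part of the original article: a small consent gate implementing the two behaviours described above, namely holding back non-essential cookies until the data subject consents to the purpose they serve, and reporting the first time data is collected for a purpose the subject has not yet been informed of, so that the notice can be shown. The `ConsentGate` class and the in-memory cookie jar are assumptions of this example.

```javascript
// Added example (not from the article): consent-gated cookies and first-collection notice.
// The cookie "jar" is injected so this runs under Node; in a browser it would be a thin
// wrapper over document.cookie with the same set()/remove() methods.

class ConsentGate {
  constructor(jar) {
    this.jar = jar;              // { set(name, value), remove(name) }
    this.consented = new Set();  // purposes the data subject has consented to
    this.informed = new Set();   // purposes the subject has already been told about
    this.pending = [];           // non-essential cookie writes deferred until consent
  }

  // Strictly necessary cookies (session id, CSRF token) do not need consent.
  setEssential(name, value) { this.jar.set(name, value); }

  // A non-essential cookie is written only once consent for its purpose exists;
  // otherwise it is queued and false is returned so the caller knows it was held.
  setCookie(name, value, purpose) {
    if (this.consented.has(purpose)) { this.jar.set(name, value); return true; }
    this.pending.push({ name, value, purpose });
    return false;
  }

  // Returns true the first time data is collected for a purpose: that is the moment
  // the notice (what is collected, why, and the subject's rights) must be shown.
  collect(purpose) {
    if (this.informed.has(purpose)) return false;
    this.informed.add(purpose);
    return true;
  }

  // The subject accepts a purpose: flush only the cookies queued for that purpose.
  grant(purpose) {
    this.consented.add(purpose);
    this.pending = this.pending.filter(c => {
      if (c.purpose !== purpose) return true;   // other purposes stay queued
      this.jar.set(c.name, c.value);
      return false;
    });
  }

  // The subject withdraws: drop queued writes and delete the named cookies for that purpose.
  withdraw(purpose, cookieNames = []) {
    this.consented.delete(purpose);
    this.pending = this.pending.filter(c => c.purpose !== purpose);
    cookieNames.forEach(n => this.jar.remove(n));
  }
}

// Constructed in-memory jar standing in for document.cookie (example only).
function memoryJar() {
  const store = new Map();
  return { store, set: (n, v) => store.set(n, v), remove: n => store.delete(n) };
}
```

In a page script, `collect('analytics')` returning true is the cue to slide the notification window in, and the accept button calls `grant('analytics')`.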