The General Data Protection Regulation (GDPR) is a privacy law that went into effect on May 25, 2018, with the goal of protecting the personal data of residents of the European Union. As arguably the most comprehensive and most frequently enforced privacy law in the world, GDPR provides extensive privacy rights to consumers, requires certain websites to have a Privacy Policy that makes specific disclosures and has a broad application, applying to websites all over the world. In this compliance guide, we will discuss the following as it relates to GDPR:
- Who this law applies to;
- How GDPR defines personal data;
- How you can process personal data under GDPR;
- The privacy rights that this law provides;
- GDPR Privacy Policy disclosure requirements; and
- The penalties for failing to comply.
Who does GDPR apply to?
You need to comply with GDPR if you:
- Are located in the European Union;
- Offer goods or services, regardless of payment, to European Union data subjects, regardless of where you are actually located; or
- Monitor the behavior of European Union residents, regardless of where you are actually located.
Because GDPR does not depend on the location of the data processor or controller, you must comply with its requirements if you meet any of the conditions stated above.
How GDPR defines personal data
Privacy laws start applying to websites as soon as they collect personal data, which means that if you do not collect personal data as defined by the law, then you do not need to comply with that law. GDPR defines personal data as any data relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
GDPR provides the following examples of identifiers:
- Name;
- An identification number;
- Location data;
- Online identifier (IP address); or
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
If you are collecting any of the information specified above and if GDPR applies to you, then your website needs to have a compliant Privacy Policy.
How you can process personal data under GDPR
GDPR is unique in that it prohibits the processing of personal data unless a specific exception applies. This means that, by default, the collection, use and disclosure of personal data of residents of the European Union is not allowed. However, the following exceptions (otherwise called “legal bases”) do allow for the processing of personal data:
- The data subject has given consent to the processing of his or her personal data;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
When it comes to small business websites, personal data is usually processed under the consent, contract or legal obligation exceptions. If you are allowed to process personal data under one of the above exceptions, you need to make sure that your Privacy Policy has all of the disclosures required by GDPR. You can read more about the legal bases for processing under GDPR here.
Privacy rights
GDPR ensures the protection of personal data by providing residents of the European Union with the following privacy rights:
- Right to transparent information – data controllers and processors are required to have a Privacy Policy that contains the required disclosures;
- Right of access – the data subject has the right to know whether his or her personal data is being processed and to receive additional context on what is done with that personal data;
- Right to rectification – the data subject has the right to correct the personal data that a business holds on him or her that is incorrect and to complete the personal data that is incomplete;
- Right to erasure – the data subject has the right to have his or her personal data erased;
- Right to restriction of processing – the data subject has the right to have his or her data be processed for specific purposes only;
- Right to data portability – the data subject has the right to receive all of the personal data that a business holds about them and the right to have that personal data be sent to a different business; and
- Right to object to automated decision-making, including profiling – the data subject has the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning that data subject.
Termageddon’s Privacy Policy generator can be used to help you with the transparent information requirement by helping you ensure that your Privacy Policy has all of the required disclosures discussed below.
Privacy Policy disclosure requirements
Since GDPR treats transparency into personal data practices as a concrete right, it prescribes very specific requirements on what a Privacy Policy must contain. A GDPR compliant Privacy Policy will contain the following disclosures:
- The identity and contact details of the controller and, where applicable, of the controller’s representative;
- The contact details of the Data Protection Officer, where applicable;
- The purposes of the processing for which the personal data is intended;
- The legal basis for the processing;
- Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, the legitimate interests pursued;
- The recipients or categories of recipients of the personal data, if any;
- Where applicable, the fact that the controller intends to transfer personal data to a third country or an international organization (if such transfers are intended, you may need to make additional disclosures);
- The period for which the personal data will be stored, or if that is not possible, the criteria used for determining that period;
- The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- Where processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- The right to lodge a complaint with a supervisory authority;
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary for entering into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such personal data;
- The existence of automated decision-making, including profiling and, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Your Privacy Policy needs to include all of the above disclosures to be GDPR compliant. It is important to note that non-compliance with GDPR can lead to heavy fines and penalties.
The penalties for failing to comply with GDPR
GDPR is one of the most heavily enforced privacy laws in the world, imposing heavy fines for not honoring the privacy rights of data subjects, not having a compliant Privacy Policy, failing to properly process personal data and more. For less severe violations, data controllers and processors can be fined up to €10,000,000 or up to 2% of total global annual turnover for the preceding fiscal year, whichever is higher. Especially severe violations can garner fines of up to €20,000,000 or up to 4% of global annual turnover for the preceding fiscal year, whichever is higher. With hundreds of fines already levied on businesses both large and small, getting compliance with this privacy law right is crucial.
If GDPR applies to you, then you need to have a compliant Privacy Policy. Use Termageddon’s Privacy Policy generator to create your GDPR ready Privacy Policy today and help avoid fines.