The General Data Protection Regulation, better known as the GDPR, was adopted by the European Union back in 2016. Everyone was given two years to adapt. But judging by the hype that arose in early 2018, who ever does everything on time? Updates to the privacy policies of many projects, very large and not so large, landed in May, two or three weeks before the regulation finally came into force. And it seems to me that smaller projects will still be catching the departing train for some time after May 25. If you have not made the necessary changes to your policies, or are not quite sure what they should be, this article is for you.

The GDPR has been in force for several days now. On the very first day, the Austrian privacy advocate Max Schrems filed multibillion-dollar complaints against Google and Facebook for non-compliance with the regulation. In particular, the complaints concerned Instagram, WhatsApp and Android OS. Not that things had ever been easy for them before. And a music fan with a sense of humor created an "I love GDPR" playlist on Spotify.

In general, the fuss around Europe's GDPR has penetrated different spheres. At the moment I live in Latvia, and recently I had to pick up a parcel at the post office. One of the fields on the form for receiving the parcel is the personal code. I reflexively filled it in, which somewhat disturbed the postal clerk. She crossed it out and simply wrote next to it the type of document presented. In response to my surprise, I learned that this is connected "with this new law." They even write about it in the newspapers, by the way. Ordinary. Paper.

Some sources, doubting the honesty and decency of all European lawyers without exception, are predicting a wave of GDPR-related claims filed for profit rather than for the protection of users. Other sources say that, because some of the law's formulations are vague, only established judicial practice can bring clarity. And since none of us wants to become the example of how not to do it, let's go through the basic concepts and requirements once more, as far as the available sources allow. At the end of the article I will give practical advice on how to write a privacy policy. If you are not interested in definitions and other lyrical digressions, scroll straight there.

Legal disclaimer. This post is the author's own view, not legal advice. Both the author and the sources he used recommend contacting compliance experts in unclear situations. Or try to digest the 85 pages of the original source yourself. A more readable version is also available.

Basic concepts
One of the difficulties of the new regulation is that it introduces new concepts, some of which have not previously been in wide use, while others are defined very abstractly and allow some freedom of interpretation.

Data Subject - the individual to whom the data belong. There seems to be no difficulty here.

Personal Data - any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, personal code or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

We will return to this later in the text, but briefly: personal data are divided into two categories. For some of them the data subject's direct consent is not always required; for others it is always required (this concerns the more "personal" categories, such as religious beliefs, illnesses, etc.). Note also that the vague wording starts right here: "online identifier" can be understood to mean a great many things.

Processing - any operation performed on data or sets of data, automatically or manually, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, publishing or otherwise making available, combining, restricting, erasing or destroying.

Formally, collecting business cards at a conference falls under the processing of personal data. I hope no one will take the situation to this level of absurdity, however.

Controller - a natural or legal person, an organization, or anyone at all who, alone or jointly with others, determines the purposes and means of processing personal data.

You have a forum with a registration function - you are a controller. You placed Google Analytics code on your site - you are a controller too.

Processor - a natural or legal person or any other entity that processes data on behalf of the controller.

You keep your customer base on your own computer or on a platform you manage - you are a processor. You use a third-party CRM system - they are the processor.

Consent of the data subject - a freely given, specific, informed and unambiguous indication of the data subject's wishes (by means of a statement or a clear affirmative action) by which he or she agrees to the processing of his or her data.

We all remember those checkboxes: "By clicking OK, I consent to the processing of my personal data." Another question is how to deal with the business cards mentioned above...

In total, 26 terms are described in the "Definitions" section. Not all of them are so important to us, but if you think I have missed something important, let me know.
There are several other key concepts related to the GDPR that should be considered separately.
A little about the consent of the data object
Previous legislation allowed for various forms of "tacit consent." Oh, the things companies did to fill up their mailing databases: pre-checked checkboxes, consent to receive news hidden deep in the rules and policies, checkboxes to unsubscribe from the newsletter that implied consent had been given in the first place.
All this is in the past. The GDPR requires that, where the legal basis is consent, the consent be explicit and informed. That is, the user must understand that by checking a specific checkbox he consents to storing his e-mail and receiving marketing mailings, rather than just agreeing to something or other. The absence of an explicit expression of will is to be treated as refusal and nothing else.
The right to be forgotten
The concept of the right to be forgotten itself comes from the idea that a person should have the opportunity ...
... to determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.
In some cases the concept is right (for example, minor childhood foolishness that leaked to the press with names and faces). In others, it may trample on another person's freedom of expression and lose socially valuable information (for example, an attempt to use the right to be forgotten against poor reviews on a freelance marketplace).
In the GDPR, the application of this right is described in Article 17. In brief, at the request of the data subject (the individual to whom the data relate), the data must be erased by the controller without undue delay. Also, if the data have been disclosed to other controllers, the current controller must take economically reasonable steps to send them an erasure request. However, only data used for direct marketing are subject to unconditional deletion.
In other cases, you may have grounds that override the right to be forgotten. For example:
- exercising the right to freedom of expression and information (recall the example of reviews on the freelance marketplace);
- establishing, exercising or defending legal claims (for example, if a scammer has abused your service and now demands that you delete his data, citing the GDPR, refer him to Article 17(3)(e));
- EU or member state law requires the controller to process the data (and here an interesting situation may arise when the law of, say, the Russian Federation requires you to store some data while EU law requires you to delete it; controllers from third countries are on their own here);
- the data were obtained on a basis that does not require direct consent, and they are still needed for the purposes for which they were collected (the simplest example: the contract is still in force; but before relying on this item in general, better consult a lawyer).
There are also other grounds, such as public interest or scientific or statistical processing, but I will not go into them in detail.
Special categories of personal data
Paragraph 1 of Article 9 prohibits the processing of the following categories of personal data:
- racial or ethnic origin;
- political views;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data for the purpose of uniquely identifying individuals;
- health data;
- data concerning sex life or sexual orientation.
Paragraph 2 of the same article immediately describes the cases in which the ban does not apply. As a rule, this is either the consent of the person himself, or where processing is required to fulfill obligations regulated by law, to protect the vital interests of the data subject or third parties, or where the data are of public or scientific interest. In addition, a member state may prohibit a data subject from consenting to the processing of certain data from a special category. A prohibition on a prohibition, and prohibition upon prohibition...
Also, the processing of data on criminal convictions and offences may be carried out only under the supervision of official authorities and in no other way.
Data Protection Officer
The GDPR has spawned a new position in the legal departments of large companies and a new line of business (and a potential expense item) for smaller ones. In essence, this is a GDPR compliance specialist, who can be either an employee of the company itself or work under contract.
Fortunately, not everyone needs one. Unfortunately, the definition of who needs one is somewhat vague. Such a specialist is required where:
- data are processed by government agencies and public authorities, with the exception of courts acting in their judicial capacity;
- the core activity of the controller or processor consists of operations that, by their nature, scope and / or purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activity of the controller or processor consists of processing large volumes of the special categories of data I described a little higher up.
And while everything is clear with the first item, what "large scale" means is not specified in the law. Google and Facebook certainly fall under it, but where is the lower bound? Some sources claim that the draft law contained the figures "more than 250 employees" and "more than 5,000 records." They did not make it into the final text, so until judicial practice is established it is better to look after yourself and, if possible, err on the side of caution.
Some lawyers advise taking the following conservative path: anything beyond what a single specialist in the field could handle is considered large scale. Say, you process medical data, and in volumes larger than an average doctor's patient list? Take care of a contract with a data protection officer. An option more acceptable in realities outside the EU: quietly watch court practice and keep a low profile. As the first ones get caught, you will understand for yourself what volumes count as large.
Your path to updated privacy policy
To understand exactly what you will write in the privacy policy, you need to do a little preliminary preparation in order to clearly understand how you work with data, and with what data.
Step 0. Data Audit
[sarcasm] Is there anyone who doesn't love documenting everything, and on time? [/sarcasm] After working on a project for a long time, you can easily lose track of what, where, how and why you collect. And you needed to comply with the GDPR a couple of weeks ago, yet you cannot say what user data you collect, or whether you really need all of it. Take a few blank A4 sheets or one clean Google Document and answer the following questions:
- What data do you collect? Write in a column everything that you store in your databases that falls under personal data: names, e-mail, IP addresses, postal addresses and phone numbers, preferences in intimate life (perhaps you run a dating site, how would I know). Highlight in a separate color those that fall into a special category (see above; you shouldn't have followed the advice at the beginning of the article and scrolled straight here) and think carefully about the legal justification for collecting such data. Mark the points in your site / application at which you collect data, so that you can place the privacy policy there.
- Where do you store the data? The privacy policy will need to specify the geographic location and the storage medium. Something like "Your data is stored on our servers in Amsterdam, the Netherlands" or "We print your names and phone numbers on yellow sticky notes and stick them on the walls and ceiling of our office in Ventspils, Latvia."
- How do you protect the data? Password-protected access? Encryption? Restricting access by IP? Even just for yourself it is useful to sort this out.
- How long do you keep the data? The GDPR gives a very clear definition of how long user data may be stored: "no longer than necessary." Ideally, do not store data longer than you really need to. But how long you need is for you to decide. The main thing is to be able to justify why it is that long. This may be the term of the contract, for example, or the limitation period for some category of offences that may be connected with the use of your service.
- Do you really use all the data? And if so, how and why? Collecting users' addresses because the domain name registration system requires it is not a problem. Collecting the same data simply because you felt like it no longer works. In the privacy policy you will need to indicate how and for what purpose you use the data. Improving the user experience, however, can also be a purpose for some types of data.
- What is the process for satisfying data deletion requests? In other words, how will the right to be forgotten be implemented? The regulation also spells out the data subject's right to obtain everything you hold about them, so to speak. Work out for yourself how you intend to satisfy this right.
Step 1. Who are you?
In terms of your role in the data processing chain: are you a controller, a processor or both? In other words, do you only collect and use data, or do you also store it yourself? Check the definitions of controller and processor above.
Step 2. What are your legal grounds?
The GDPR clearly defines the grounds (some also translate this as "legal basis") on which you may collect data. Choose the option that applies to you.
- Consent. You may collect data if the data subject has explicitly consented.
- Necessity to perform a contract. Say, you cannot ship goods to the recipient without knowing his name and address. Or you cannot send server access details without knowing the e-mail.
- Compliance with a legal obligation. The law of an EU member state obliges you to collect certain data.
- Vital interests. Data collection is needed to resolve matters of life and death. But you are unlikely to be an ambulance service.
- Public interest. You may collect data if you are a public body or a private company acting in the public interest. If you do use this basis, be prepared to justify it.
- Legitimate interests. You may collect personal data in the legitimate interests of your company, provided such interests do not override the rights and freedoms of the data subject.
- The data relate to criminal or administrative offences. This item is unlikely to concern us in any way.
- Processing that does not require identification. You may process data if they do not allow the data subject to be uniquely identified. However, you must be ready to demonstrate that identification is impossible.
Step 3. One document or several?
One of the GDPR's requirements is that the privacy policy be set out in an accessible and understandable manner. Ideally, a single document in which everything is stated clearly and plainly, without abstruse legal phrases and without kilometer-long texts. Imagine that your grandmother will read it (I exaggerate a little, but the general idea is roughly this).
If your product is very large, and data are collected and used in completely different parts of it and in different ways, you should think about several documents.
Step 4. Putting it all together.
You have already decided on the main points (what role you play, what data you collect and why, etc.). Depending on how you collect the information, directly or indirectly, what needs to be included in the final document will differ slightly. Roughly speaking, direct collection is the user filling in a form; indirect collection is any background process (the same cookies, for example), parsing of open sources, receiving data from partners, etc. Below is a summary table of the aspects that need to be addressed in the final version of the document.

| Aspect | We collect directly | We collect indirectly |
|---|---|---|
| The identity and contact details of your data protection officer (if any) | Yes | Yes |
| Purpose of processing, including legal grounds | Yes | Yes |
| The legitimate interests of your company or organization | Yes | Yes |
| Categories of personal data collected | No | Yes |
| Recipients or categories of recipients of personal data | Yes | Yes |
| Information on transfers to third parties and the safeguards for such transfers | Yes | Yes |
| How long you will keep the data, and why exactly that long | Yes | Yes |
| The data subject's data protection rights | Yes | Yes |
| Right to withdraw consent (where applicable) | Yes | Yes |
| The right to lodge a complaint with a supervisory authority | Yes | Yes |
| Source of the data; were the data obtained from public sources? | No | Yes |
| Statutory and contractual obligations and their consequences (if data collection is necessary to perform the contract) | Yes | No |

By the end of this step, you should be ready to write the text of your privacy policy. But that is not all. When collecting data, you need to notify the user.
Step 5. Privacy Notices
The method of notification differs depending on the method of collection (direct or indirect). In the case of direct collection, you need to notify the user each time you first use a new method or collect new data. The notification does not necessarily have to block the user's work entirely, but it should be readable, stay on screen long enough to be noticed, and link to more detailed information.
If you collect data indirectly (for example, you receive it from partners), this does not at all mean that you do not need to notify anyone. Paragraph 3 of Article 14 requires the controller to notify the data subject:
- within a reasonable period after obtaining the data, but no later than one month, not forgetting to include the circumstances in which the data were obtained;
- if the data are used for communication with the data subject, no later than the first communication;
- if disclosure to third parties is planned, no later than the first disclosure.
In the previous steps you already determined in which parts of your product you collect which data. You also know your audience and the questions it may have. Some examples:
- What data are collected?
- Who collects them?
- How do you collect them?
- Why do you collect them?
- How will you use them?
- Do you plan to transfer the data to anyone?
- How long will you keep them?
- How can a data subject manage them?
- Are there any negative consequences for the data subject?
However, dumping it all on the user at once can be a bad idea. It is better to limit the initial notification to the main points, for example what is collected and why, and at the end give a link to more detailed information in a pop-up window or on the privacy policy page. Think about the moment at which the notification will be shown. For example, a good idea is to show a pop-up when the user clicks on an input field. Alternatively, simply place a short notice directly above the form.
Be concise and use vocabulary accessible to the widest range of people. To check, have several people far from your line of business read the text and get feedback from them.
Additionally, if you collect data indirectly, try to establish trust. Specify in more detail who you are, what you do, why you need this data, and what benefit the data subject will receive.
You need to be extremely careful if children may use your resource. Article 8 states that persons aged 16 or older may consent to processing themselves. In other cases, you must make reasonable efforts to ensure that consent to processing is confirmed by the child's parents. Member states have the right to lower this age, but in any case it cannot be lower than 13 years. Either way, tracking these details can be a daunting task if your product is aimed at several countries.
The language of the information deserves special attention. The law itself contains no requirements, but local laws may impose additional requirements regarding the language of the notification. If you clearly target the market of specific countries, it is reasonable to translate the notifications and privacy policies into the languages used there.
Epilogue
Although this article came out a bit late, I really hope it will help someone to clarify once more what awaits them, build a plan, and perhaps write several pages of internal documentation.
It will not be superfluous to remind once again not only of the serious fines, about which much has already been said, but also of the main goal of the new law: protecting citizens' personal space, in the context of globalization and informatization, from aggressive and not always decent business practices. Respect your users, and they will certainly repay you with loyalty.