Also, think about the language your data subjects speak. How can you best communicate this information to them?
If your content or service is directed at children, you must adapt your language appropriately.
If you are unsure of what counts as ‘personal data’ and who ‘data subjects’ are, check out our post about the GDPR and what it means for you, and then come back.
The identity and the contact details of the controller and, where applicable, of the controller’s representative
This means the name, postal address, email address and phone number of the company and, where applicable, of its representative. If the data controller is not established in the European Union, a representative in the Union must be designated (Article 27 of the GDPR) and indicated here.
The contact details of the data protection officer, where applicable
If you are a public authority or body, or if your core activities consist of large-scale processing of special categories of data (or of data about criminal convictions and offences), or of regular and systematic monitoring of data subjects on a large scale, you must appoint a data protection officer (Article 37 of the GDPR), and their contact details must be included here.
The legal basis for the processing of data
You must identify at least one of the legal bases for the collection and processing of data set out in Article 6 of the GDPR that legitimises your processing. Note that if you process one of the special categories of data (health, religion, etc.), you also need one of the additional conditions in Article 9(2), and data about criminal convictions and offences is subject to the further restrictions of Article 10.
The six general legal bases are:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The purposes of the processing
Here, you have to outline the objectives. Why are you collecting and processing this personal data?
It’s a good idea here to set out all of the different ways that you and your website collect data. For example:
- contact or feedback forms
- registering online or signing up to the email list
- data entry fields (such as when a client inputs their payment details)
- third party content (e.g. social media)
Three purposes that you have no doubt seen are analysis of user behaviour for website optimisation, the design of more personalised content, and marketing.
Note that if you have chosen ‘legitimate interests’ as your legal basis for processing, you should specify what those legitimate interests are at this point, and check that they are not overridden by the interests and fundamental rights and freedoms of the user.
The recipients or categories of recipients of the personal data
If you send the personal data that you collect to third parties or to third countries, you must make that clear at this point. For example, if you use online payment platforms or external contractors who receive personal data about your data subjects, this will apply to you.
Don’t forget cookies, social buttons and plugins. In the case of cookies, you must obtain user consent before setting any cookies other than those strictly necessary to provide the service, and you must tell your data subjects what types of data the cookies track and for what purpose that data is collected.
If you transfer data to a third country or international organisation, you must also state whether the European Commission has issued an adequacy decision for that destination or, if not, which appropriate safeguards (Article 46 of the GDPR) you rely on and where the data subject can obtain a copy of them.
The data retention period
How long will you store the data? The period cannot be indefinite; it has to be limited to what is necessary for your purposes.
If you can’t give an exact time frame, refer to the criteria used to determine the time frame. For example, do you have any data that is automatically set to delete after a certain period of time? Is a certain type of data only stored and processed under a certain condition?
The rights of the data subject
Those people whose personal data you are collecting have a set of rights of their own, and these must be made clear. For example, they have the right to request that the controller give them access to the personal data about them, or rectify or erase that data. They can restrict the processing of their data, object to it, or request that the data be transferred to another controller (data portability). If they have consented to data processing, they can withdraw that consent at any time, and they always have the right to lodge a complaint with a supervisory authority.
The statutory or contractual necessity to collect data (if applicable)
If the provision of personal data is a statutory or contractual requirement, or is necessary in order to enter into a contract, that must be referred to here, outlining whether the data subject is obliged to provide that data and what the possible consequences would be if they didn’t provide that data.
The use of automated decision-making, including profiling
Where automated decision-making exists, meaningful information must be provided about the logic involved in that decision-making and about the significance and envisaged consequences of that processing for the data subject. Bear in mind that, pursuant to Article 22 of the GDPR, data subjects have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them, unless the decision is necessary for entering into or performing a contract between them and the data controller, is authorised by EU or Member State law to which the controller is subject, or is based on the data subject’s explicit consent.
You will also want to bear in mind that, according to Article 21 of Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico, sending advertising or promotional communications by electronic means that have not previously been requested or expressly authorised by the recipients is prohibited. There is an exception where you have a prior contractual relationship with the recipient. Even then, the goods or services being promoted must be similar to those of the original contract, and the recipient must be given a simple, free means of opposing such communications both when their data is first collected and in each promotional communication sent.
If after reading this article, you still feel a little overwhelmed by the concept of the GDPR and its resulting obligations, we can help you. We offer advice on how to implement the GDPR in Spain.
Get in touch here: