GDPR: how do businesses comply? Don’t risk severe penalties

General Data Protection Regulation (GDPR) Compliance

The EEA/EU and UK GDPR regulate the collection, use, transfer, storage and other processing of the personal data of persons[1] in those jurisdictions, wherever in the world the business processing that data is located. So it is important, when conducting business with, or monitoring the behaviour of, persons in the EEA or the UK, to comply with the GDPR. Penalties are severe.

GDPR

When will the GDPR apply?

Your business must comply with the GDPR if:

  • it is established in the EEA and/or UK and it collects the personal data of persons in the EEA and/or UK;
  • it offers goods and services to persons in the EEA and/or UK and it collects their personal data;
  • it monitors the behaviour of persons in the EEA and/or UK and it collects their personal data.

GDPR compliance is required when your business:

  • collects a person’s email address;
  • collects personal data in the process of selling or offering your goods and services;
  • ships products to the person;
  • refers to the person in testimonials;
  • has a branch, administrative office or company registered in the EEA or UK;
  • processes personal data on behalf of an EEA or UK company;
  • monitors the person’s behaviour, for example through Google Analytics or Facebook pixels installed on your website.

GDPR controller or processor?

The controller determines the purposes and means of processing personal data. The business itself (the legal entity, or a sole trader) is the controller; its owners and employees who handle personal data do so on the controller's behalf and are not separate controllers.

Data processing is any operation performed on personal data, whether automated or manual. Examples include collecting, recording, organising, structuring, storing, using or erasing data.

The data processor processes personal data on behalf of a controller. If you use a third party supplier to process personal data on your behalf, that supplier is the processor. If that supplier subcontracts the processing, those subcontractors are sub-processors, and the processor needs the controller's prior authorisation before engaging them.

GDPR compliant privacy policy

A business must address, in its privacy policy, the rights of persons in the EEA and UK, which are the right to:

  • be informed of the business contact details and any data protection officer details (if applicable);
  • be informed of any transfer of their personal data to a third country, of the safeguards in place and of how a copy of those safeguards can be obtained;
  • be informed about the personal data the business is collecting and how it will be used;
  • be informed as to how long the business will store their personal data;
  • unsubscribe from emails at any time;
  • access their personal data;
  • correct any inaccurate personal data;
  • data portability (ie to export their personal data in an electronic format);
  • restrict processing of specific types of personal data;
  • opt out of having their personal data used for profiling in automated systems; and
  • be forgotten (ie ask that their personal data be deleted and third parties stop using their data).

GDPR Consent

Contrary to popular belief, you are not required to obtain consent before using personal data for ordinary business purposes[2]: consent is only one of the lawful bases in Article 6, and performance of a contract or legitimate interests will often be the relevant basis. However, consent is the simplest basis for using the data for other specified purposes. For example, you might want to use the personal data for marketing. In that case you must explain that purpose in your privacy policy and obtain the person's consent, which must be freely given, specific, informed and unambiguous. You must also point out that the person can withdraw their consent at any time.

GDPR - use of Standard Contractual Clauses (SCCs) for a restricted transfer of personal data

Under the GDPR, SCCs are pre-approved model data protection clauses and the most common mechanism for a restricted transfer, that is, a transfer of personal data to a country outside the EEA or UK that is not covered by an adequacy decision. Note that for transfers of personal data subject to the UK GDPR, the EU SCCs on their own are not sufficient: the UK requires either its own International Data Transfer Agreement (IDTA) or the EU SCCs together with the UK Addendum.

The European Commission has made adequacy decisions for some countries, recognising that they have an ‘essentially equivalent’ level of data protection to that which exists within the EEA. At the time of writing, Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan, the United Kingdom and South Korea are secure (adequate) third countries, and data transfers to these countries are expressly permitted.

So, to be clear, a transfer of personal data from the EEA to the UK (or from the UK to the EEA), or from the EEA or UK to any of the countries listed above, is a transfer to a secure third country and the SCCs are not required.

Unfortunately, Australia has not been certified as having an adequate level of data protection and thus is not a secure third country. A transfer of personal data from the EEA or UK to Australia is therefore a restricted transfer, and you should include the SCCs in the agreement governing it.

When SCCs should be used for a restricted transfer of personal data

Australian business processing personal data on behalf of EEA or UK organisation

An Australian business processing the personal data of EEA or UK employees on behalf of an EEA or UK organisation should include the SCCs in any agreement between the parties to ensure compliance with the GDPR.

Australian business selling goods and services via its website

If an Australian retailer is selling clothes in the EEA and/or UK via its website, the processing of those customers' personal data is subject to the GDPR, and the Australian retailer must comply with it. However, the customer is supplying their own personal data directly to the retailer, and a disclosure made by the data subject themselves is not a restricted transfer. You do not need to include the SCCs in any agreement with that customer.

However, if the Australian retailer transfers that personal data to another organisation in Australia that does not fall within the scope of the GDPR, then that is a restricted transfer and the SCCs should be used. For example, an Australian travel company offers holiday packages to persons in the EEA. An EEA customer purchases a holiday package from the Australian travel company and provides their personal information. The travel company arranges hotel accommodation in Australia for that EEA customer and transfers their personal information to that hotel. That is a restricted transfer, and the travel company's agreement with the hotel should include the SCCs.

Australian business is a data exporter of EEA/UK customers' personal data

Likewise, if a business in Australia exports an EEA and/or UK customer’s personal data to a third country that is not covered by an adequacy decision (for example the USA, at the time of writing), the Australian business can use the SCCs to ensure compliance with the GDPR. Let’s say your business offers online education services to EEA and UK customers and you have an account with Stripe for taking payment for your services. Stripe processes the EEA and UK customers’ personal data in the USA. Your business is exporting that personal data to the US, so that is a restricted transfer and any agreement with Stripe should include the SCCs. At the time of writing, Stripe has a standard Data Processing Agreement (DPA) which includes the SCCs, and if you ask Stripe, they will include that DPA in your services agreement with them.

To ensure GDPR compliance, carefully read the services agreement and the DPA to ascertain the categories of personal data collected by Stripe and whether Stripe will collect the personal data only in the performance of its services or will also use it for other specified purposes. Whatever is agreed with Stripe should also be reflected in your privacy policy. As I indicated above, if the data will be used for other specified purposes, you will need to get informed consent.

The key takeaways

  1. If you are offering/selling goods or services to persons in the EEA and/or UK via your website and/or monitoring their behaviour and you are collecting their personal data, make sure you have a GDPR compliant privacy policy.
  2. If it’s a restricted transfer of personal data under the GDPR, include the SCCs in any contract with the other party. In any contract with a service provider/data processor, be clear on how they can use or disclose the personal data and ensure your privacy policy is consistent with that contract. If the service provider wants to use the data for other specified purposes, for example, marketing, you must get the person’s informed consent.
  3. Implement your GDPR compliant privacy policy into your business practices.

[1] Under the GDPR, there is no requirement that a person be a citizen or resident of a country that is a member of the EEA or the UK.

[2] See Article 6

Contact me for a free 30 minute discovery call at www.trudicase.com.au or email trudi@trudicase.com.au.

DISCLOSURE. This blog is general information only. It is not legal advice. You should seek independent legal advice for your particular circumstances.