1. Provide company details
You are required to provide certain basic details such as:
who is the data ‘controller’ including full company name and details of the group (if applicable);
whether there is a data protection officer (if applicable) or who else to contact with any data protection questions or requests; and
details of your representative in the European Union (“EU”) if applicable.
2. What data is collected and how?
Under GDPR you are required to list the types of information collected, such as the obvious name, email address etc., but also whether you collect location data, data on website use etc. and any special categories of personal data (such as genetic, biometric or sexual orientation data). You should also inform the users how this data is collected (e.g. via them providing the information on the website, via public searches or via technical measures).
You are required to inform the user which data is mandatory for them to provide and the consequences of not providing such data (e.g. if you don’t have their physical address you can’t deliver the goods).
3. How will the data be used?
Where the data subject has consented (although such consent can be revoked at any time so full reliance shouldn’t be placed on this – other than for third party marketing);
Where you need to perform the contract you are about to enter into or have entered into;
Where it is necessary for your legitimate interests (or those of a third party) and the data subject’s interests and fundamental rights do not override those interests. When using this option, you are required to provide details of what those ‘legitimate interests’ are; and
Where you need to comply with a legal obligation.
You should also inform the user if you intend to use any automated decision-making (e.g. automatically assessing applications for loans based purely on a credit score).
4. Who will you share the data with?
You are required to provide details of who the data will be disclosed to (or at least the categories e.g. to third party delivery companies).
5. Will the data be transferred internationally?
The GDPR requires you to inform the users where their data will be transferred and what mechanism you will use to legalise the transfer. GDPR places restrictions on transfers of data to countries which are not deemed to have an “adequate level of protection”. The list of countries found to be adequate is fairly short (currently only Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay and the United States (subject to the Privacy Shield Framework) and does not include any GCC countries. The full list is available on the European Commission website and should be checked for the latest position.
6. How long will the data be kept?
The GDPR requires you to explain how long you will retain the data or, where that is not possible, at least explain the criteria you will use to determine the retention period (e.g. for legal or compliance requirements).
7. Set out the data subject’s rights
These are some of the key new requirements under GDPR and include the right of the data subject:
of access (i.e. to their personal data and details of how it is being processed);
of correction (e.g. to have their information updated if it is incorrect);
of erasure (i.e. the right to be forgotten / request deletion where there is no compelling reason for its continued processing);
to restrict processing (i.e. the right to block the processing of data in certain circumstances);
data portability (i.e. the right to move their data from one IT system or supplier to another);
to object to processing (i.e. to certain activities such as direct marketing, including profiling);
rights in relation to automated decision making and profiling (e.g. to object to decisions being made without human intervention);
to withdraw consent; and
to complain to the local data protection authority.
If you would like assistance on any data protection matters please contact us at firstname.lastname@example.org. Our data protection lawyers are recognised specialists in this field (Band 1 ranked TMT Lawyer in the UAE by Chambers, Legal 500 and Who’s Who Legal: Data) and have extensive experience of helping companies in the Middle East and globally comply with regional and international data protection laws.