Since the outbreak of the corona crisis, the world has become a little more digital by the day. More and more people reason: if we can't leave our homes to buy our necessities and other products and services, then why not do it online? Both large and small companies are being forced to respond to this trend: they are setting up webshops and other online platforms at breakneck speed, assuring their customers that they can still come to them even in times of lockdown. Understandable, because those who do not exist online are in danger of falling by the wayside. But are all these companies also paying sufficient attention to their customers' privacy? Are they working in compliance with the GDPR?
Inform your customers
Since May 25, 2018, the General Data Protection Regulation (GDPR) has guaranteed a minimum level of protection when personal data are processed in European Union countries. If you ask visitors to your website or app to leave their data, you must not only inform them of this but also clearly explain what you do with that data and how you process it. This is called the transparency obligation.
For example: someone ordering takeout from your restaurant needs to know what you intend to do with his name, address and phone number. Or: someone browsing the range of gardening products in your webshop must know which cookies you install on his computer or smartphone. And not only that: for non-essential cookies, he even has to give his consent first.
What information you collect and how you store and process it, you record in a privacy statement. A cookie statement can be part of that or a separate document.
What about foreign platforms?
In addition, it is important to know whether the digital platform hosting the personal data is inside or outside the European Union. After all, countries outside the EU are not bound by the GDPR, and that has its implications for your customers’ and users’ data.
The former EU-US Privacy Shield did ensure that US companies could still lawfully process personal data from the EU, that is, with the same level of protection. But that certainty was undermined in July 2020 in the so-called Schrems II case: the Court of Justice ruled that the Privacy Shield does not provide the necessary protection at all. The reason: under the PATRIOT Act and the Foreign Intelligence Surveillance Act, U.S. authorities have easy access to personal data from the EU, and that is an absolute no-go under the GDPR.
So watch out if you use convenient platforms like Amazon Web Services or MailChimp: they may fall outside the protections that the GDPR provides. Should you therefore avoid them altogether? Not necessarily. But in the meantime, ask yourself these four questions:
- On what platforms do you store and process personal data?
- Does the processing of the data on that platform take place inside or outside the European Union? If possible, always choose a server within the EU.
- Don't have that choice? Then ask yourself whether processing the data on this platform is essential to the operation of your business. If it is not, switching to a European platform is an alternative.
- Do you really need the platform anyway? Then it's best to have a technical audit done to check whether you can still provide protection in line with that of the GDPR.
For this, it is best to engage a legal specialist. Feel free to contact us: our Data Protection Officer will explain how it works.
The GBA is watching
In case you're wondering whether anyone is checking that you comply with the GDPR: definitely. The Belgian Data Protection Authority (GBA) is far from sitting idly by, waiting for someone to complain about questionable handling of personal data. For example, it proactively searches for websites without a banner or pop-up alerting visitors to the privacy and cookie statement. If you do not have one, you can be fined, and such a penalty can cost you a lot of money.
It doesn't have to get that far, of course. Provide a clear privacy statement and cookie statement. Maintain a GDPR-compliant register of your processing of personal data. Designate a Data Protection Officer in your company (if required) or a Privacy Officer: someone who closely monitors that personal data is processed correctly. Get assistance from a specialist. That way, your customers and the visitors to your digital platforms can rest easy: with you, their personal data is always safe.
Still unsure about what your company needs? Need help drafting the necessary statements and policies? Need an audit? Contact us; we'd be happy to help.