Andrew Leahey

GDPR Special Category Data

If you’d like to discuss the GDPR and how it impacts your business, get in contact.

The General Data Protection Regulation (GDPR) of the European Union (EU) has been shaking up the web in terms of privacy policies and procedures for some time now — I have written at some length on the general best practices for a GDPR compliant privacy policy and the potential “loophole” of the legitimate interests exception.

The GDPR requires a heightened level of protection for certain sensitive data, which Article 9 calls "special categories of personal data." The categories are:

  • Racial or ethnic origin;

  • Political opinions;

  • Religious or philosophical beliefs;

  • Trade union membership;

  • Genetic data;

  • Biometric data, where it is processed for the purpose of uniquely identifying a person;

  • Health data; and

  • Data concerning a person's sex life or sexual orientation.

The regulation takes the policy position that these particular data are of a uniquely sensitive nature and, thus, their processing is prohibited by default: a business must be able to point to one of the specific grounds enumerated in Article 9(2) for collecting or processing each such data type, and it still needs an ordinary Article 6 legal basis on top of that.

The GDPR prohibits the collection and processing of these data unless one of the following circumstances is met:

  • The data subject has given explicit consent to the collection or processing of that particular data for one or more specified purposes, AND neither EU law nor the law of the relevant Member State provides that the prohibition cannot be lifted by consent;

  • Processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment, social security, and social protection law, as authorized by EU or Member State law or a collective agreement;

  • Processing is necessary to protect the vital interests of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent;

  • Processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a foundation, association, or other not-for-profit body with a political, philosophical, religious or trade union aim, relates solely to its members, former members, or persons in regular contact with it, and the data are not disclosed outside the body without consent;

  • Processing relates to personal data which have manifestly been made public by the data subject, i.e. a published materials exception;

  • Processing is necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity;

  • Processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law that is proportionate to the aim and provides suitable safeguards;

  • Processing is necessary for preventive or occupational medicine, medical diagnosis, the provision of health or social care, or for public health purposes, on the basis of EU or Member State law or a contract with a health professional bound by professional secrecy; or

  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, on the basis of EU or Member State law, i.e. an historical record exception.

Importantly, the Article 9 list acts more as a floor than a ceiling. Member States may maintain or introduce further conditions, including limitations, on the processing of genetic data, biometric data, or health data (Article 9(4)), and personal data relating to criminal convictions and offences is separately restricted under Article 10. Care must be taken not only to ensure compliance with the GDPR itself, but also with the laws of each individual Member State in which you operate, when your business entails handling especially sensitive data.


GDPR Compliant Privacy Policy Template


I have written on privacy policies a bit before and covered in some detail the rise of the General Data Protection Regulation (GDPR) in the European Union (EU) and the various GDPR "loopholes." It is real, it is here, and any business that offers goods or services to, or monitors the behavior of, people in the EU needs to comply.

To catch you up, the GDPR is an EU privacy regulation adopted in 2016 that has applied since May 25, 2018. It aimed to create a unified data protection legal framework across the EU and to codify the data protection rights of individuals in the EU. It applies to controllers and processors established in the EU, and also to those outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU; that is to say, you need not have an office in the EU for the GDPR to apply to you.

What does the GDPR require?

In short, it requires that you tell people what you do with their data, in a privacy policy (what the regulation calls the information to be provided under Articles 13 and 14), and that you actually abide by that policy. You need to lay out your policy in plain language and make it readily available to anyone you could plausibly collect information from, i.e. visitors to your site, customers on your online store, etc. Your policy should lay out at least the following points:

  • The identity and contact details of the data controller (and of its representative in the EU, if it has one);

  • if you have a data protection officer, the contact information for that officer;

  • the purposes for which you process the collected data, and the legal basis for each purpose (consent, performance of a contract, a legal obligation, legitimate interests, etc.); where you rely on legitimate interests, state what those interests are;

  • how data is being processed;

  • where consent is required and how it is obtained;

  • data subject rights;

  • the recipients or categories of recipients you share data with, such as vendors, processors, and group companies, and the assurances (for example, Article 28 data processing agreements) that they will handle the data in accordance with the GDPR;

  • whether and where you will transfer data across jurisdictions, especially out of the EU, and the safeguards relied on for such transfers (an adequacy decision, standard contractual clauses, etc.);

  • your data retention policies; and

  • how an individual can exercise those rights, including requesting that their data be erased, and that they have the right to lodge a complaint with a supervisory authority.

Generally speaking your GDPR privacy policy will be placed prominently on your website, linked from every page and from any form that collects data. A common practice is to present it in an overlay upon first visit. Bear in mind, though, that the privacy policy is an information notice, and a user clicking "I agree" on it is not the same as consent to a particular processing purpose: where consent is your legal basis (for a mailing list, say, or for non-essential cookies), it must be collected separately, specifically, and by an affirmative act, and it must be as easy to withdraw as it was to give. You should also refer users to the policy any time they are providing you with new information, e.g. submitting a form, signing up for a mailing list, etc.

Please note, this list is not exhaustive. The GDPR applies in different ways and to different degrees depending on the kind of data collecting and processing you are doing, where you are doing it, and why you are doing it. Simply reading off the above list (or any broad list you find on the internet) and comparing it against your privacy policy is almost certainly not enough.

GDPR Compliant Privacy Policy Template

Download my boilerplate GDPR Compliant Privacy Policy Template (PDF)

Please note, this is a boilerplate; that means it is not tailored at all to your specific needs. It should not be taken and used without thought, nor should sections be lifted from it and used unless you know their meaning and utility.

GDPR and the "Legitimate Interests" Loophole


The General Data Protection Regulation (GDPR) is a European Union (EU) regulation outlining new rules for data privacy and protection for individuals within the EU. The regulation's stated aim is to protect a natural person's "fundamental right" to protection in relation to the processing of personal data. In sum, the GDPR applies to any entity controlling, collecting or processing data containing personal information regarding a person in the EU; the person need not be a resident or citizen of the EU or of any member country. "Personal data" is defined broadly as well and includes names, photographs, addresses, email addresses, social media handles and posts, online identifiers such as cookie IDs, and even an IP address. For a business outside the EU, the regulation applies if you offer goods or services to people in the EU (whether or not payment is required) or monitor their behavior, for example through tracking and profiling. Mere accessibility of your website from the EU is not, by itself, enough (Recital 23), but if you have a web presence that targets or tracks people in the EU and you aren't explicitly excluding the EU from it, you should assume the GDPR applies to you.

However, as broad as the GDPR is, it contains an exception that threatens to swallow the rule:

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. ... The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Regulation (EU) 2016/679, Recital 47

In essence, processing of personal data for a "legitimate interest" of the controller (or of a third party) is permissible, provided that the interest is not overridden by the interests or fundamental rights and freedoms of the data subject. This is a balancing test, not a bright line: the controller must identify the interest, show that the processing is necessary to pursue it, and weigh it against the reasonable expectations of the data subject, and it should document that assessment. The regulation explicitly calls out direct marketing as a potential legitimate interest of the data controller (note the "may be regarded" language), but with an important catch: under Article 21 the data subject may object at any time to processing for direct marketing, that objection is absolute, and the processing must then stop. Note also that public authorities cannot rely on legitimate interests for processing carried out in the performance of their tasks.

In addition to direct marketing, the GDPR's recitals name several more "legitimate interests" for processing, including: transmitting data between affiliated controllers within a group of undertakings for internal administrative purposes (Recital 48); and processing data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, such as preventing unauthorised access, malicious code distribution and denial-of-service attacks (Recital 49). A related, but separate, question is further processing: personal data may be processed for purposes compatible with those for which they were initially collected without a new legal basis (Article 6(4), Recital 50). Archiving in the public interest and scientific, historical or statistical research are deemed compatible. Whether any other further purpose is compatible should be evaluated by the data controller by taking into account "any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations."

In sum, the GDPR is almost certain to upend the balance of power between consumers and corporations the world over. While the GDPR largely does away with the "disclaim game" in privacy policies, its scope is undercut by its exceptions. As businesses scramble to comply by May 25, 2018, the date from which the regulation applies, time will tell how much of a game changer this latest move by the EU will be.