The purpose with GDPR is to give the individual stronger rights about how their personal data is used - one of these new rights is the right to be informed. But what does it mean for you and your organisation?
"By clicking submit you agree to the use of your personal data..."
This sounds good - but what does it really mean? And is this enough to fulfill the invidual's right to be informed in GDPR? The simple answer is No - it's not enough.
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice
If you are a data controller, i.e. the organisation that is collecting and processing personal data you must provide information to the individual at the time of collecting the personal information.
The information must be provided free of charge in a concise and intellligble way written in a clean and plain language. Prefferably in writing (can be digital).
In short the information you must present to the individual at the time of collecting the personal data is:
- Contact details to the data controller (you and your organisation)
- The lawful basis on which you process the personal data
- The purpose of collecting and processing the personal data
What do I need to do to fulfill my obligation to provide information to individuals regarding my organisations processing of personal data?
It's not difficult at all - you have to create (or update) a privacy notice and make sure that it is easy to reach from all your website pages, for example in the page footer. But when you have a form in which you collect data the privacy notice should be more clear, perhaps right above the submit button.
Your privacy notice should containt the following information:
Your organisations contact details.
The purpose with the processing of personal data and on which lawful basis you process it.
If you are basing your processing on "legitimate interest" you must describe it.
Any recipient of the personal data (who has access to them?)
For how long you process the personal data and why you choose that retention period. For example as long as you are a member plus 1 year from cancelling membership.
If the data is processed in a third country (for example the US) and what safeguarding measures have been taken.
You must describe the individuals rights: The right of access - You can receive a copy of the personal data we hold about you.
Right to rectification - You can request your personal data to be up to date and accurate
Right to erasure - You can request to have your personal data erased unless it is needed to fulful a legal obligation.
Right to data portability - You can request to have your data available to you in a structured format.
Right to restrict processing - You can request the organisation to stop processing your personal data.
Right to lodge a complaint - You have the right to file a complaint with the data processing authority in your local country.
The right to withdraw consent (if you are using consent).
If you are using the personal data for automatic decision making or profiling - (which a association rarely does but your sub vendors might) you must describe how the individual can request to stop this processing.
Konsento helps associations, companies and sports clubs create and manage membership agreements, consents and keep a record of your personal data processing activities. Do you want to know how Konsento can help you? Contact fredrik@konsento.io