Escaping from the GDPR patrol
Numerous Ukraine-based companies offer their goods and services to EU-based users or, more importantly, monitor their users’ online behavior as part of their corporate marketing models. Consequently, obtaining consent to data processing and communicating data processing terms and conditions through privacy policies has become an important GDPR compliance indicator for these Ukrainian companies. It is important because users and controlling authorities can easily identify it. In addition, the procedures for informing users and getting them to agree to data processing are exactly what you have to check and bring in line with the GDPR.
There is this fantastic word in modern English, ‘gobbledygook’, which means language full of complicated and unintelligible words that is hard to understand. When it comes to informing people about personal data use, lawyers should avoid gobbledygook unless they fancy the idea of getting penalties. Therefore, make sure that the document you’ve produced does not look like gobbledygook, and have someone read it to check whether or not your reader falls asleep while going through it. You may as well use some tricks that will make your reader smile :-)
This story is a great example of how approaches to drafting legal papers for users and consumers are changing because of the GDPR. Just to be clear, all the strictest rules contained in the GDPR were taken from the German personal data protection laws. While drafting my legal papers, I try to use refined legal language. So, getting a notice like that would totally freak me out and make me ask myself existential questions, like what’s the use of being a lawyer when one of my best legal texts turned out to be a failure. However, now I am coming to believe that leaving this gobbledygook thing behind creates perfect conditions for professional growth and for upgrading legal writing skills.
To make this visualizing thing work, you will have to hire designers, artists, and cameramen. If you do not go for this and hire only a lawyer, you should think about how to make this fossilized legal language simple and readable. Our team has already worked out privacy policies in compliance with the GDPR for our clients. From our own experience, reducing the word count is not an easy task. First of all, you want to include every single requirement contained in Article 13 and other articles of the GDPR. Second of all, making a document intelligible means rewriting it in plain language, which does not necessarily mean making it shorter. And finally, taming this legal snobbery takes much effort as well. I mean, sometimes it seems that cutting down on red tape will make a paper less valuable in your fellow lawyers’ and clients’ opinion.
Therefore, leaving complex definitions behind and using comparisons is a great tool for a lawyer who wants the text to be easily readable and cause no troubles for the customer.
Don’t overuse pop-up windows
Let us focus on three of those:
Tell what you collect and what for
You should do some research on what kind of data the service is collecting and what for. After that, you have to ask yourself whether you need the complete list of the data collected for your service to work properly, or whether some data is being collected mechanically and is not actually required to provide the service and perform properly. The thing is, the GDPR requires you to avoid collecting any unnecessary data. This means that if BlaBlaCar is processing some data about its users’ age and sex, it is quite clear that the company needs it to inform its users about the people they can share a ride with. If a pizza-delivery service requires such information, the question is, why would they actually need it?
We should also give special attention to cookie files, i.e. pieces of a certain code installed on a user’s PC or mobile device when the user visits this or that website, which collect information about the user and pass it to numerous recipients on the Internet. While the 1995 Directive did not even mention cookies, the GDPR, in clause 30 of its preamble, expressly indicates cookies as information that, together with other information, can help identify a person, and that’s why they can contain personal data.
You can no longer stick to “by using this website you agree that cookies are installed on your device.” Wordings like that no longer serve as legal grounds for using cookies. Therefore, you have an obligation to notify your users about cookies and, before using them, you should get every user to explicitly agree to the installation of cookies.
The purpose of processing
The requirement to define the purpose of data processing is not anything new. The 1995 Data Protection Directive and even the Ukrainian data protection law (Article 12) put the purpose of processing at the heart of clauses that define the rights and obligations of personal data providers, controllers, and processors.
The GDPR provides some additional options for users whose data is being collected. Most importantly, users may refuse a particular purpose without compromising any other purposes of data collection and processing. Here is how it works. If a user has not agreed to data collection for marketing purposes, a service provider may not refuse to deliver the services that were supposed to be rendered in the first place on the basis of that data collection. This means that it is prohibited to link the purposes of data collection and to create conditions where whether a given service is provided depends on whether the user has agreed to data processing for a particular purpose.
A controller who collects the data and defines purposes and means of processing has an obligation to provide a person who provides his or her data with a list of data recipients or categories of data recipients.
Let us say, a Delaware corporation is a data controller bound by the GDPR. This means that the company has an obligation to inform its customers that their data is being stored on Amazon Web Services servers, that the company uses the relevant CRM system and Chargify to process payments, and that all data is being transferred to Ukraine, where a number of independent contractors get access to such data. The question is, is it necessary to provide the list of all independent contractors and update this list from time to time?
It seems that the notion of data recipient categories has to do with the controller’s employees in the first place, since they can access the data while performing their job duties. However, if you point out that a number of Ukraine-based independent contractors have data access under processing agreements that provide data protection, this will suffice to comply with the GDPR requirements. At least until some clarifying statement prescribes otherwise.
You’re not required to give a list of all your independent contractors (for now)
If consent is used as the grounds for data processing (more often than not, this is exactly the case), this consent should be explicit and represent an action indicating that the user has given his or her consent. In addition, it should enable the data recipient to provide evidence certifying that the recipient actually obtained the user’s consent. From now on, the popular wording ‘by using the service, you agree to its terms and conditions’ is actually outside the law.
Every user has to tick ‘I agree to data processing terms and conditions’. In addition, if your client is going to use this data to reach out to customers with commercial offers or newsletters, it’s better that users agree to things like that as well. Be aware that it is necessary to inform users that they can refuse to be reached out to with offers, newsletters, etc.
Another pressing issue for data controller companies is the requirement to get current users to agree to data processing once more. The GDPR states that if the terms and conditions of a previous consent comply with the GDPR, there’s no need for another consent. However, when well-known online periodicals and services ask me to renew my consent, I am starting to get the feeling that there are not so many forward-thinking companies that managed to update their policies in accordance with the GDPR. So, lots of companies will actually need to ask their users to tick ‘Agree’ once more.
Holy cow, here’s another request to tick ‘Agree’
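As an added illustration (not from the original article), here is a small Python consent ledger that models the points made above: consent counts only when it comes from an explicit user action rather than a pre-ticked box; the ledger keeps evidence of who agreed to what, when, and under which policy version; service delivery depends only on the purposes the service needs and never on optional purposes such as marketing or cookies; and consent given under an older policy version is flagged for renewal. The purpose names and the policy-version scheme are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Set

# Constructed purpose lists for illustration; a real service would list its own.
SERVICE_PURPOSES = {"account", "delivery"}           # needed to render the service
OPTIONAL_PURPOSES = {"marketing", "analytics_cookies"}  # user may refuse these freely


@dataclass
class ConsentRecord:
    """Evidence that a user actively agreed: who, when, which policy text, which purposes."""
    user_id: str
    policy_version: str
    purposes: Set[str]
    recorded_at: str


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record(self, user_id: str, policy_version: str,
               ticked: Dict[str, bool], prechecked: bool = False) -> ConsentRecord:
        # A pre-ticked box is not an affirmative action, so it is not consent at all.
        if prechecked:
            raise ValueError("consent must come from an explicit user action, not a default tick")
        granted = {purpose for purpose, yes in ticked.items() if yes}
        rec = ConsentRecord(user_id, policy_version, granted,
                            datetime.now(timezone.utc).isoformat())
        self._records[user_id] = rec
        return rec

    def allows(self, user_id: str, purpose: str) -> bool:
        rec = self._records.get(user_id)
        return rec is not None and purpose in rec.purposes

    def may_set_cookie(self, user_id: str, cookie_purpose: str) -> bool:
        # Cookies are installed only after explicit consent to their purpose.
        return self.allows(user_id, cookie_purpose)

    def may_deliver_service(self, user_id: str) -> bool:
        # Delivery depends only on the purposes the service needs, never on optional ones,
        # so refusing marketing or cookies can never block the service itself.
        return all(self.allows(user_id, p) for p in SERVICE_PURPOSES)

    def may_send_newsletter(self, user_id: str) -> bool:
        return self.allows(user_id, "marketing")

    def needs_renewal(self, user_id: str, current_policy_version: str) -> bool:
        # Consent recorded under a different policy text must be asked for again.
        rec = self._records.get(user_id)
        return rec is None or rec.policy_version != current_policy_version
```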
- Say ‘No’ to fossilized legalese and gobbledygook;
- Say ‘Yes’ to plain language and examples. Show the users how exactly their data is being collected and used;
- Make sure that users are free to choose whether or not they agree to certain kinds of data processing;
- Make sure that all information required by Articles 13 and 14 of the GDPR has been communicated to all users.