I started writing this post and got into so much detail and conditions that rather than a titbit it was becoming an essay. So here goes to a simpler version in what will turn out to be multiple instalments…
If you’re storing any form of personal data I’m going to assume that you’re collecting this through some form. Be it a registration form online or even manually. Whether you call this sign-up, registration, contact form etc… it is still a way to collect potentially personal data about clients, prospective clients or users of your system.
I’ll also go as far as to assume that this data is being collected for a purpose which under the regulation would be classified as processing. The regulators went nuts when defining this one and left no loop hole. See what I mean?
Definition: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
In a nutshell if you so much as sniff at the data, you’re processing it and if you’re processing it then you need to not only inform the data subject what you’re using it for but also ask for their consent. This processing is generally required for the provision of a product or a service that the data subject/user himself wants and as such if the personal data supplied is required for the fulfilment of the service all that is required is to :
- In your terms and conditions disclose
- what data you’re keeping,
- for how long it’s being kept and
- what it is being used for
- Ensure those T&C’s easily accessible during the collection of the data e.g. at registration.
- Have a check box stating ‘I agree to these Terms and Conditions’.
- Make sure that the checkbox does not come up as pre-ticked – Silence or inaction does not constitute consent.
- Make sure that when storing the data, the version of the T&C’s that the data subject accepted and when.
Pro Tip #1
Store the acceptance in a separate record than the rest of the details and make sure that it includes the date and time stamp, userID, the version of T&C’s accepted and the channel through which they were accepted.
For example, at sign up, via an email notification or through the system. You will need this when you need to update your terms and conditions for some reason and would need to obtain consent on the latest version. This way you will have covered the auditing part when it comes to consent as well.
Pro Tip #2
Do not include the consent to send marketing material or notifications as part of the Terms and Conditions. Have these as a separate item.Want to learn why? Keep an eye out for the 3rd instalment of the GDPR & ePrivacy titbits series.
If you want to be notified when new posts come out, drop us a note via the contact us section of the website and we’ll add you to our mailing list.
2016. REGULATION (EU) 2016/ OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). [Online]. [6 April 2016]. Available from: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf