As of May 25, 2018, the General Data Protection Regulation (AVG) applies. From this date, the same privacy legislation will apply throughout the European Union (EU). The Personal Data Protection Act (Wbp) will then no longer apply. The new legislation has major implications for digital marketing, analytics and how organizations should handle privacy-sensitive data. We share a short GDPR checklist of what you need to consider from now on.
Starting May 25, you may only send marketing emails to people who have actively indicated that they want to receive that communication from you. This must be through a single opt-in, which may not be pre-ticked. If you don't have this, the email addresses don't belong on your mailing list either.
Consumers and users may demand to be "forgotten" by your company at any time. This means: removing the consumer's personal data from your database or systems. If you as a processor have passed that data on to other parties, such as an online marketing agency or a software provider, then it is your responsibility to make sure they delete the data there as well.
You should keep records of where and how you have collected the personal data you hold and what you do with it. The source and purpose of that data must also be retrievable at any time so that in the event of an audit or dispute, you can prove where you got the data. Data whose source you no longer know must therefore be deleted.
One of the requirements of the AVG is that you manage collected data properly and securely. That means: protecting the data from unauthorized access and protecting it from theft, misuse and destruction. If, despite all these measures, you still fall victim to a data breach, you are obliged to report this to the Personal Data Authority and to the users themselves.
As under the Wbp, under the AVG/GDPR it is mandatory to enter into an agreement with data processors. What is new is that the GDPR lists a number of mandatory components of this agreement, including:
- the purpose of the processing;
- the type of personal data being processed;
- the categories of data subjects;
- that appropriate security measures will be taken;
- that the processor cooperates in audits to verify the processor's compliance with all obligations and destroys or returns personal data to the controller upon completion of processing;
- that the processor may no longer engage a third party without the prior written consent of the controller.
Do our scan!
This scan serves to identify what online changes are needed to comply with the AVG/GDPR law change. In this scan, we will use a checklist we created to map your website and check the following areas:
- Privacy Statement
- Processor Agreement
- Terms for all opt-ins/forms on your website
- Information in mailings and existing email lists
Source: AVG new European privacy law