In our previous article on GDPR in the Middle East: Impact, Reach and Compliance, we looked at which companies here in the Middle East are required to comply with the General Data Protection Regulation (“GDPR”). For those that it does apply to, we recommended a review of your current privacy policy to assess whether it meets the new requirements. GDPR came into effect on 25 May 2018 but may companies in the Middle East are still not compliant and it is fairly quick and easy to check by looking at the publicly available website privacy policies.
For those of you that still have GDPR on your “to-do list”, here is a checklist of key requirements that a privacy policy will need to contain to bring that it in line with GDPR.
1. Provide company details
You are required to provide certain basic details such as:
who is the data ‘controller’ including full company name and details of the group (if applicable);
whether there is a data protection officer (if applicable) or who else to contact with any data protection questions or requests; and
details of your rep in the European Union (“EU”) if applicable.
2. What data is collected and how?
Under GDPR you are required to list out the type of information collected such as the obvious name, email address etc. but also whether you collect location data, data on website use etc. and any special categories of personal data (such as genetic, biometric of sexual orientation). You should also inform the users how this data is collected (e.g. via them providing the information on the website or via public searches or technical measures).
You are required to inform the user which data is mandatory for them to provide and the consequences of not providing such data (e.g. if you don’t have their physical address you can’t deliver the goods).
3. How will the data be used?
The privacy policy will need to state the purpose of collecting and processing the data (e.g. for fulfilling an order, billing etc). In addition, the GDPR introduced a new requirement to state what the legal basis is for using personal information. These are a narrow list of activities and include:
Where the data subject has consented (although such consent can be revoked at any time so full reliance shouldn’t be placed on this – other than for third party marketing);
Where you need to perform the contract you are about to enter into or have entered into;
Where it is necessary for your legitimate interests (or those of a third party) and the data subject’s interests and fundamental rights do not override those interests. When using this option, you are required to provide details of what those ‘legitimate interests’ are; and
Where you need to comply with a legal obligation.
You should also inform the user if you intend to use any automated decision-making (e.g. automatically assessing applications for loans based purely on a credit score).
4. Who will you share the data with?
You are required to provide details of who the data will be disclosed to (or at least the categories e.g. to third party delivery companies).
5. Will the data be transferred internationally?
The GDPR requires you to inform the users where their data will be transferred and what mechanism you will use to legalise the transfer. GDPR places restrictions on transfers of data to countries which are not deemed to have an “adequate level of protection”. The list of countries found to be adequate is fairly short (currently only Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay and the United States (subject to the Privacy Shield Framework) and does not include any GCC countries. The full list is available on the European Commission website and should be checked for the latest position.
6. How long will the data be kept?
The GDPR requires you to explain how long you will retain the data or, where that is not possible, at least explain the criteria you will use to determine the retention period (e.g. for legal or compliance requirements).
7. Set out the data subject’s rights
These are some of the key new requirements under GDPR and include the right of the data subject:
to be informed (i.e. to be provided with information about how the personal data will be used – this is normally set out earlier on in the privacy policy);
of access (i.e. to their personal data and details of how it is being processed);
of correction (e.g. to have their information updated if it is incorrect);
of erasure (i.e. the right to be forgotten / request deletion where there is no compelling reason for its continued processing);
to restrict processing (i.e. the right to block the processing of data in certain circumstances);
data portability (i.e. the right to move their data from one IT system or supplier to another);
to object to processing (i.e. to certain activities such as direct marketing, including profiling);
rights in relation to automated decision making and profiling (e.g. to object to decisions being made without human intervention);
to withdraw consent; and
to complain to the local data protection authority.
If you would like assistance on any data protection matters please contact us at info@thebenchlaw.com. Our data protection lawyers are recognised specialists in this field (Band 1 ranked TMT Lawyer in the UAE by Chamber, Legal 500 and Who’s Who Legal: Data) and have extensive experience of helping companies in the Middle East and globally comply with regional and international data protection laws.