Transparency and keeping the customer happy!
It’s YOUR job as a data controller to be transparent, using clear and plain language, so that your customers or clients understand and are happy!
The GDPR sets out certain information that must be provided to the data subject at the time when the data is being obtained from them. Note that you have to tell the data subject then: not when or if they ask for it, but when you are collecting the data in the first place! You must also ensure that you can provide satisfactory documentation to show them if you’re asked to.
What you should tell them:
- Who you are i.e. your real identity;
- Your contact details;
- If you have a Data Protection Officer, their contact details;
- Why you are using their data;
- The legal basis you are relying on for processing;
- If legitimate interest is the legal basis, what those interests are;
- The recipients or categories of recipients of the data;
- Whether the data will be transferred to a third country, and if so the basis for that;
- How long you will hold the data for, i.e. when you will delete it, or how you decide that if not known at the moment;
- The fact that the data subject has the right of access, rectification, erasure, and to restrict or object to processing, and the right of data portability;
- That they can withdraw consent, if that is the legal basis for processing;
- The right to complain to the Data Protection Commissioner;
- Whether the provision of the data is a statutory or contractual requirement;
- Whether the data subject is obliged to provide the data and the consequences of not doing so;
- Whether automatic decision-making is involved and clear information about it;
- That no further processing will take place without prior notice and information.
If you also get data from another source, then in addition to the above you must tell them, promptly, the source of the data, and whether it is publicly accessible.
There are some exceptions in respect of data obtained from other sources, which may remove the obligation to inform, but basically, if you’ve done the above you hopefully will be both compliant AND have a happy client or customer!