Author: Douglas-Jones Mercer
Date: 29 March 2021
GDPR AND THE INTERNET: COOKIES AND SOCIAL MEDIA
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is a European Union law passed in 2018 that is the most significant change to data privacy regulation in decades. It not only regulates how companies use individuals’ data across the EU but also extends to any company worldwide that interacts with EU residents. The United Kingdom implemented the GDPR through the Data Protection Act 2018 (DPA). The GDPR applies not only to information such as someone’s name, birthdate, address, and other personal data, but also to data such as browsing history, medical information, personal interests, and shopping habits. These other categories are especially important to be aware of if your company interacts with customers through social media or a website.
REQUIREMENTS FOR PROCESSING PERSONAL DATA
When a company holds personal data about any individual, it is considered a ‘data controller’ under the GDPR. To collect and hold personal data as a data controller, Article 6 of the GDPR sets out six ‘lawful bases’ under which data may be collected. If a company cannot show that one of the following bases applies, it is not entitled to collect any personal data:
HOW DO WEBSITES AND SOCIAL MEDIA FACTOR INTO GDPR?
The GDPR contains several rules for companies to follow regarding the personal data they retain for any individual. Regarding social media and internet browsing, some of the important requirements are:
CAN I STILL USE COOKIES TO COLLECT DATA ON VISITORS TO MY WEBSITE?
Cookies, which are text files with small pieces of data used to identify unique visitors to a website, are a ubiquitous part of browsing the internet and one of the most common ways to collect and share personal data. While cookies are only mentioned once in the GDPR legislation, they are an easy way for a website owner to commit a breach. To comply with the rules, a website must ensure that each visitor is given the opportunity to consent to which cookies they will allow the website to collect, or to opt out of them completely. This is usually accomplished by a pop-up banner that appears the first time an individual visits your website. According to guidelines released by the European Data Protection Board in May 2020, the banner may not have pre-ticked checkboxes, and users must freely give a clear and affirmative consent if they agree to allow cookies. Consent must also be easy to withdraw if an individual wishes to do so, and their consent must be renewed at least every year. Failure to follow these protocols could result in your company breaching the GDPR, resulting in fines of up to €10 million or 2% of its global turnover.
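The consent rules described above translate into a small amount of client-side logic: no category may default to "on", the visitor's choice must be recorded with a timestamp so it can be renewed after a year, withdrawal must be as simple as giving consent, and non-essential cookies must not be set until the relevant category has been positively ticked. The following is an added example, not code from the article or the firm; the category names, the in-memory store standing in for a first-party cookie or localStorage, and the 365-day validity period (the article says "at least every year") are assumptions.

```javascript
// Added example: minimal cookie-consent state handling reflecting the
// practices the article describes. Category names, the storage backend and
// the 365-day renewal window are assumptions, not values from the article.

const CONSENT_VALID_DAYS = 365;                 // renew at least every year
const CATEGORIES = ["analytics", "marketing"];  // assumed non-essential categories
const DAY_MS = 24 * 60 * 60 * 1000;

// No pre-ticked boxes: every non-essential category starts unselected and
// there is no recorded decision yet.
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return { choices, decidedAt: null };
}

// `selected` is the list of boxes the visitor actively ticked on the banner.
// Anything not ticked stays false (affirmative, opt-in consent only).
function recordConsent(selected, now = Date.now()) {
  const state = defaultConsent();
  for (const c of selected) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    state.choices[c] = true;
  }
  state.decidedAt = now;
  return state;
}

// Withdrawal is a single call that clears every category; the timestamp is
// kept so the banner is not forced back on the visitor immediately.
function withdrawConsent(now = Date.now()) {
  const state = defaultConsent();
  state.decidedAt = now;
  return state;
}

// The banner must be shown when there is no decision on record or the
// decision is older than the renewal window.
function needsBanner(state, now = Date.now()) {
  if (!state || state.decidedAt === null) return true;
  return now - state.decidedAt > CONSENT_VALID_DAYS * DAY_MS;
}

// Gate for setting a non-essential cookie: only when consent is current and
// the specific category was ticked.
function mayUse(state, category, now = Date.now()) {
  if (needsBanner(state, now)) return false;
  return state.choices[category] === true;
}

// Simple in-memory store standing in for a first-party cookie or
// localStorage (assumption); consent is persisted as JSON.
const store = new Map();
function saveConsent(state) { store.set("consent", JSON.stringify(state)); }
function loadConsent() {
  const raw = store.get("consent");
  return raw ? JSON.parse(raw) : null;
}
```

A typical page flow would call `loadConsent()` on load, show the banner when `needsBanner()` is true, call `saveConsent(recordConsent(ticked))` when the visitor submits the banner, and check `mayUse(state, "analytics")` before loading any analytics script; a "withdraw consent" link in the footer would call `saveConsent(withdrawConsent())`.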
WHAT RULES NEED TO BE FOLLOWED FOR SOCIAL MEDIA?
Individuals using social media must agree to the data privacy notices that each social media company provides as well as its terms of use. If a company has a social media presence, most of its activity will take place within the third-party social media platform under those agreed terms. However, when a company takes personal data from one of those social media platforms for its own use, that company also becomes responsible for GDPR compliance in respect of that data. At that point the same lawful bases apply as they would for any other personal data collection.
HOW DO I RESPOND TO A RIGHT OF ACCESS REQUEST?
Article 15 of the GDPR gives an individual the right to request a copy of certain types of information that a company holds on them by making a Subject Access Request (SAR). This can be made verbally or in writing, which includes messaging through social media. A response must be provided without undue delay and within one month of the request at the latest, although the deadline may be extended by up to two months if the request is complex or involves a large amount of data. It is best practice to verify the ID of the requester, and if a request for ID is made, the response period doesn’t start until it is received. A fee cannot be charged for responding to a SAR except for reasonable administrative costs, such as photocopying. A SAR may be refused if the request is vexatious, if it is a repeat request from the same person, or if the costs to staff required to respond are too high; however, the individual must be advised of the reason for the refusal, and that they have a right to make a complaint to the ICO or may seek to enforce their right through the courts.
HOW DOES THE RIGHT TO ERASURE WORK?
Article 17 of the GDPR gives an individual the right to instruct a data controller to erase their personal data without undue delay. Some of the most common circumstances for this are:
There are however certain exceptions where a company can decline the right to erasure, including when:
When one of these exemptions applies, the company can either fully or partly refuse to comply with the request. If a request is ‘manifestly unfounded or excessive’, a company can also either refuse to take action or charge a reasonable fee to deal with it. The definition of manifestly unfounded or excessive is not clear, however, and whether it applies needs to be considered on a case-by-case basis.
GDPR AND BREXIT
While the GDPR is an EU regulation and no longer applies to the UK following the end of the Brexit transition period on 31 December 2020, the Data Protection Act 2018 is still in effect and mirrors the terms of the GDPR. At present, the UK Government has not announced plans to amend the DPA so the existing data protection laws are currently unchanged. Any data collected prior to 1 January 2021 must comply with the GDPR, but from 1 January 2021 onward, only the terms of the DPA will apply to data collected in the UK. With regard to data exchange and collection with the EU, there is currently a transition period that expires on 30 June 2021 that allows the free flow of data to the UK from the EU. Negotiations are ongoing as to whether the UK regulations will be granted adequacy with the EU regulations, meaning the EU considers them to be essentially equivalent to their own rules and data exchange can continue uninterrupted.
If you have questions or need support with GDPR related issues, please contact DJM’s Corporate and Commercial department on 01792 650000.