Organizations established in the EU and those processing personal data of EU-based individuals are, in almost all cases, required to comply with the GDPR as of May 25, 2018. The GDPR updates and harmonizes the framework for processing personal data in the European Union and brings with it new obligations for organizations and new rights for individuals. The United Kingdom, in its implementation of GDPR, incorporated these rights into UK law, effective 25 May 2018.

Handle Data is GDPR Compliant
The team at Handle Data is fully committed to the requirements of the GDPR. Our legal and policy experts have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR.

GDPR defines eight lawful bases for the processing of Personal Data. Of these eight, the one that Handle Data relies on for the purposes of processing data and making it available to customers is ‘Legitimate Interest’.

Handle Data relies on the legitimate interest precedent as an appropriate legal basis under the applicable Data Protection Laws to provide Data to its customers.

Customers may use the Data to send direct marketing communications provided they do so in accordance with the applicable laws. In this respect, should an individual receive a communication for the purposes of direct marketing and/or sales, the initiator will always include the option to unsubscribe / opt out, in order to remain compliant under the GDPR.

Your Rights Regarding Your Personal Information
We respect your privacy rights and therefore you may contact us at any time, and we shall work diligently to respect your choices and requests regarding your Personal Information. The purpose of the list stipulated below is to allow Users and Contacts to exercise their rights under applicable privacy and data protection regulations:

Right of Access: You may request access to your personal information and obtain a copy of your personal information which is being processed by Handle Data. If you wish to find out what personal information is being processed by Handle Data, we will provide you with the following, free of charge: purposes of processing, categories of personal information processed, recipient(s) of personal information, length of time during which the information will be stored; your privacy rights; and information on data transfers.

Right of Rectification: You may request to change, update or complete any missing data we process about you. Please note that we may rectify, replenish or remove incomplete or inaccurate information, at any time and at our own discretion.

Right of Erasure: You may at any time request the deletion of your personal information.

Right of Restriction of Processing: You may request that we restrict processing your personal information if the accuracy of the Personal Information is contested by you.

Right to Data Portability: You have the right to receive personal information in a structured, commonly used and machine-readable format.

Right to Object to Processing: You have the right to object to the processing of your data.

However, please note that these rights are not absolute, and may be subject to our own legitimate interests and regulatory requirements. If you are not satisfied with our response or believe we are collecting or processing your Personal Information not in accordance with the laws, you can complain to the applicable data protection authority.

Retention
Personal Information will be retained by Handle Data for as long as necessary to provide our services, and as necessary to comply with our legal obligations, resolve disputes and enforce our policies. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it was collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time.

You may request deletion of your personal data, as specified above. Please note: if your information is fully deleted from the Handle Data Database, it may be obtained again in the future if it is collected through public platforms or our business partners. In this case, since we have complied with your deletion request, we will not have records regarding your contact data, and your contact information may be reintroduced into the Handle Data Database.

We recommend that you periodically check your profile or the Services to ensure that your then-existing profile or account includes only the Information you chose to have displayed.

The categories of recipients of the personal data
In order to provide our service, we may share certain personal data with companies and individuals that subscribe to our service. We may also share personal data with the following recipients: (i) our subsidiaries; (ii) subcontractors and other third-party service providers (e.g. payment processors, advertisers and marketers, hosting services, etc.); (iii) auditors or advisers of our business processes; and (iv) any potential purchasers or investors in Handle Data.

Transfer of Data to a Third Country
If we transfer personal data outside of the EU or EEA, we only do so in accordance with the legal mechanisms set out in the GDPR (for example, the Privacy Shield or to territories which have been deemed by the European Commission as providing an adequate level of protection).

Copy of Legal Advice
Handle Data instructed EM Law SRA No: 597075 to review our software and work with us to ensure we were fully GDPR compliant in line with ICO guidelines. The below is the advice received explaining how Handle Data fully meets these requirements.

Re: Handle Data Ltd (Company) – GDPR Compliance

The Company wishes to offer its customers (Customers) some code (Snippet) which, when added to the code for a Customer’s website, makes it possible for the Company to collect the names and email addresses of individuals who visit the website (Visitors). The Company then makes this information available for the Customers to use for email marketing purposes. To enable the Company to collect this information, Visitors must enter their name in a pop up notice (Notice) that is displayed on the Customer’s website thanks to the Snippet.

The Company also wishes to offer Customers a cookie auditing service which makes it easier for Customers to identify the cookies that they wish to set on Visitors’ devices and which therefore makes it easier for Customers to comply with cookie laws. So the Notice not only serves as a means to collect Visitors’ names and email addresses but also works as a cookie notice.

The Company has instructed EM Law to draft the Notice so that it complies with applicable data protection and cookies laws.

1. Notice for the collection of names and email addresses for marketing purposes

If an organisation collects the names and email addresses of individuals who browse a website then the organisation is processing the personal data of those individuals.

If the organisation is based in the UK then it is required to follow the rules around the processing of personal data as set out in:

· The Data Protection Act 2018 (DPA)
· The General Data Protection Regulation ((EU) 2016/679) (GDPR)

The DPA, which will remain in force beyond the Brexit transition period, essentially says that organisations that process personal data must do so in accordance with GDPR. In this note when we refer to compliance with GDPR this is to be taken as compliance with GDPR and the DPA.

What impact does GDPR have on the Company’s and the Customer’s collection of Visitors’ names and email addresses for marketing purposes?

Firstly, we should note that in the context of the processing described above, it is the Customer that is the data controller and the Company that is a data processor. It is the Customer therefore that must ensure that Visitors’ personal data is processed lawfully, and the Company must sign up to the usual processor clauses that will give the Customer control over how the Company processes the personal data that it collects on behalf of the Customer.

Article 5 of GDPR requires organisations to process personal data lawfully. The lawful grounds are set out in Article 6 as follows:

“Article 6

Lawfulness of processing

1.    Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.”

We consider that there is only one ground within Article 6 that the Customer (being the data controller) may rely on in these circumstances: Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

So the Visitor (being the data subject) must consent to the processing of his or her name and email address.

How must ‘consent’ be given?

GDPR requires a high standard for consent. The key definition, at Article 4(11) of the GDPR, is that consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by a statement or a clear affirmative action signifies agreement.”

Article 7 sets out further conditions for consent, such as that written requests for consent must be “clearly distinguishable from other matters”, be intelligible, easily accessible and use clear and plain language. Article 7(4) states that when assessing if consent is freely given, “utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” Article 8 of the GDPR contains specific consent conditions applicable to children which we do not go into here – we have assumed that none of your Customers publish websites aimed at children or which are likely to be accessed by children.

Recital 32 further clarifies the meaning of consent in the GDPR by stating that “silence, pre-ticked boxes or inactivity should not therefore constitute consent” but that ticking a box, an oral statement, choosing technical settings or other statements or conduct which in the specific context is clearly indicative of consent, can all be valid mechanisms. It further indicates that where the processing has multiple purposes, consent should be obtained for all of them. Recitals 42 and 43 provide more detail regarding when consent can be considered to be freely given.

Other GDPR provisions which are relevant to understanding consent can be found in Articles 6(1)(a), 9(2)(a), 13(2)(c), 22(2)(c), 49(1)(a) and Recitals 33, 38, 54, 65, 111, 155, 161, and 171.

Elements of consent

Freely given

The ICO Consent Guidance states that “freely given” should mean giving people “genuine choice and control” over the use of their data, allowing them to refuse consent without detriment and to withdraw consent easily at any time.

Affirmative action

It should be obvious when an individual has consented and what they have consented to as they have taken deliberate and specific action agreeing or opting-in to processing. This could include a consent statement, a binary choice presented with equal prominence or switching technical settings away from the default. Failure to opt out is not consent as it does not involve clear affirmative action.

Specific and informed

Article 7(2) of the GDPR specifies that consent requests must be clearly distinguished from other matters, and “in an intelligible and easily accessible form, using clear and plain language.” Recital 32 of the GDPR further indicates that, amongst other things, consent must be specific and informed.

The view of the ICO Consent Guidance is that in order for consent to be specific and informed, it must be granular. In practice this means:

Identifying the name of the data controller and any third party controllers who will rely on the consent.
Obtaining separate consents for each processing purpose “unless this would be unduly disruptive or confusing”.
Obtaining separate consents for each processing activity “unless those activities are clearly interdependent.”
Including details of the right to withdraw consent at any time.

An additional aspect of specific and informed consent is that it must be “unbundled.” This means that the consent should not be bundled with other non-privacy related terms. The ICO Consent Guidance accepts that there may be exceptions to this rule where bundling is “appropriate,” but it does not clarify when this is likely to be the case.

The final ingredient of specific and informed consent is that it must include details of the right to withdraw consent at any time and the mechanism by which data subjects can do so. This is indicated by Article 7(3) of the GDPR and by the ICO Consent Guidance.

Why we consider that the Notice complies with GDPR

The relevant section of the Notice is the top half of the Notice.

In this section we start off by including the name of the Customer. This satisfies the requirement that the data controller is identified to the Visitor.

The Notice then goes on to state that the Customer wishes to collect the name and the email address of the Visitor. This is the only personal data that will be collected and it is clear what personal data is being collected therefore satisfying the requirements imposed by GDPR around transparency and clarity in the context of obtaining consent.

The Notice then goes on to explain the purposes for which the Visitor’s personal data will be used: so that the Customer can keep Visitors informed of the Customer’s latest news and offers by email. Again, we consider that this language is sufficiently clear to adequately inform Visitors of the purposes for which their personal data will be collected. As there is only one purpose – email marketing – there is no risk of consent being ‘bundled’ for multiple purposes.

Consent must be freely given. By saying to Visitors that they need only provide their name so that their personal data can be collected “if you are happy”, we consider that Visitors would not feel under any pressure to provide their consent. No conditions around obtaining consent are imposed. It is simple for Visitors to close the Notice by clicking on “Close” at the bottom right of the Notice.

Personal data will only be collected if the Visitor enters their name in the box where indicated and then clicks on “Submit”. We consider that entering a name and then clicking “Submit” would amount to clear, affirmative action on the part of the Visitor.

The Notice makes it clear to Visitors that they can withdraw their consent at any time. We placed this wording above the “Submit” button so that it is prominent and unlikely to be missed by a Visitor before they click on “Submit”.

The final wording, also placed above the “Submit” button, contains a link to the Customer’s privacy notice. Our wording lets Visitors know that they can find out more information in the privacy notice around how the Customer processes personal data and the means to withdraw consent.

Recommendations for Privacy Notices

It should be easy for Visitors to withdraw the consent they have provided. Article 7(3) of the GDPR states “…it shall be as easy to withdraw as to give consent.” We therefore recommend that Customers’ privacy notices include a section headed “withdrawing your consent to email marketing” and that within that section there is a link that, when clicked, takes Visitors to a form where they can enter their email address and then press “submit” to withdraw consent.

We recommend that reference is made in Customers’ privacy notices to the technical means through which Visitors’ personal data is collected, i.e., through the use of autofill. Here is suggested wording that could be used:

“Our website contains code that enables us (if you enter your name and click ‘submit’ on our form) to collect your name and email which we will use to send you emails about our latest news and offers. How can we collect your email if you only give us your name? We use technology that activates ‘autofill’ on your device. What is autofill? Autofill is a function found in web browsers that fills in fields on web forms automatically according to the information that you have previously used. We only collect your name and email address, no other information. If autofill is not enabled on your device we are unable to collect your email address.”

2. Cookie Notice

Current cookie law came into force in 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208), which amended the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).

The law allows websites to set cookies on a website user’s device if either:

· The cookies are strictly necessary, or
· The user has given his or her consent.

Strictly necessary cookies

These cookies are essential for users to browse a website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold a user’s items in their cart while the user is shopping online are an example of strictly necessary cookies.

It is not necessary for websites to obtain users’ consent to set strictly necessary cookies.

The user has given his or her consent

For all cookies other than strictly necessary cookies, the user’s consent must be obtained before they can be set. The standard of consent required for cookie consent is the same high standard as set by GDPR for obtaining consent for the processing of personal data, irrespective of whether or not a cookie is processing personal data (Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).

Consent to use cookies which are not strictly necessary must therefore be freely given, informed, specific, unambiguous and withdrawable at any time.

Why we consider that the Notice complies with cookie laws

Website users must be informed of cookies that are set on their devices, including necessary cookies. Usually, website operators provide this information in a cookie policy which is linked to from the footer of the website’s home page.

In this case, the short form cookie notice linking to the Customer’s cookie policy will appear more prominently which can only be a good thing from a compliance perspective.

The short form notice is clear and easy to understand. The Notice describes the cookies that the Customer is likely to set (more detail will be required in the cookie policies themselves) and provides a link to the cookie policy where Visitors can manage their cookie preferences.

The Notice also makes it clear that no unnecessary cookies will be set without Visitors’ consent (therefore demonstrating that the website is following the law while making the position easy for Visitors to understand).

The Notice invites Visitors to manage their cookie preferences by clicking on a link to the cookie policy but there is no pressure to do so. Visitors are able to click on “Close” without managing their cookie preferences in which case no unnecessary cookies may be set.

So, in summary, the cookie notice is clear, informative and complies with the latest developments in cookie laws.

Contact

Individuals from the EU may contact our EU representative according to Art. 27 GDPR regarding all requests related to data protection and privacy:

Email us at: support@handledata.io

Write to us at: 3 Trinity House
Bullace Lane
Dartford
Kent