GDPR checklist • step 3

No permission.

In this case, you are collecting personal data from your customers without asking for consent. This means you are not compliant with the GDPR. If you collect personal data, you have to ask for consent before you do. People have to understand why you collect their data and what you are going to do with it. They need to have the option (opt-in) to choose what their data will be used for. Besides that, they have to understand for what purpose you share their data with Belly & Brain. Asking for consent can be done in different ways, for example by using checkboxes or a cookie warning, as long as you are clear about your intentions and about which 3rd parties will be involved. Give your customers the option to say no to the collection or sharing of their data.

The next question you have to ask yourself is: how do I collect the data? If you collect data within the closed platforms of Facebook or Google, you are not the processor* of this data. As long as you collect and use personal data within their platforms, they will take care of the opt-in and opt-out functions for their users. People have the option to block your advertisements or to leave a target audience list they are part of (opt-out) in the privacy settings of those platforms. However, you do have to ask for consent when collecting data (opt-in) outside of their platforms, for example with a pixel on your website.

If you extract the data from these platforms, or you collect data outside of their ecosystem, you are now the controller** of the data. For example, if you make a (digital or physical) list of your customers’ email addresses, you are responsible for securely storing this data. Besides that, you can’t use or sell the data to a 3rd party without consent from the customers. You also need to provide an option to delete a customer’s data (opt-out) from this list when requested. That is why it is important to ask for consent, stating your actual intentions, when collecting personal data.

* “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

** “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.