GDPR checklist • step 3

Great job.

Great news! You are taking the right steps towards becoming GDPR compliant. It is still important to be really clear about the way you are collecting personal data. Your users have to understand for what purpose you share their data with Belly & Brain.

Make sure you make it interesting for them to share their data.

The next question you have to ask yourself is: how do I collect the data? If you collect data within the closed platforms of Facebook or Google, you are not the processor* of these data. As long as you collect and use personal data within their platforms, they will take care of the opt-in and opt-out functions for their users. People have the option to block your advertisements or leave a target audience list they are part of (opt-out) within the privacy settings of those platforms. However, you do have to ask for consent to collect data (opt-in) outside of their platforms, for example with a pixel on your website.

If you extract the data from these platforms or you are collecting data outside of their ecosystem, you are now the controller** of the data. For example, if you make a (digital or physical) list with your customers’ email addresses, you are responsible for securely storing these data. Besides that, you can’t use or sell the data to a 3rd party without consent from the customers. You also need to think of an option to delete a customer’s data (opt-out) from this list when requested. That is why it is important to ask consent based on the right intentions when collecting personal data.

* “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

** “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.