Communication: Use plain language. Tell them who you are when you request the data. Say why you are processing their data, how long it will be stored and who receives it.
Consent: Consent is one of the legal grounds for processing data (together with contract, legitimate interest, legal obligations, etc.). If you rely on it, consent should be given by a clear affirmative action.
Access and Portability: Let people access their data and give it to another company.
Warnings: Inform people of data breaches if there is a serious risk to them.
Erase Data: Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
Marketing: Give people the right to opt out of direct marketing that uses their data.
Safeguarding Sensitive Data: Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
Children's Data: Collecting data from children under 16? Under the GDPR you must get parental consent. However, each EU Member State can lower this threshold to between 13 and 16 years of age, so check the age limit.
Data Transfer Outside of EU: Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.
Profiling: If you use profiling to process applications for legally-binding agreements like loans you must:
- Inform your customers;
- Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
- Offer the applicant the right to contest the decision.