Posted by Miks Ulmanis
You should know by now that there is no such thing as a free service or product. You either pay with your money or you pay with your data.
Not so long ago, the Cambridge Analytica scandal revealed how personal data can be misused. It is only a question of when someone else will take your data and misuse it or sell it on.
When using personal data, you must tell your users what you are using their data for, how you use it, and what their rights are.
Personal data is any information relating to an identified or identifiable individual (a natural person). It can be a name, an identification number, an IP address, a cookie identifier or a person's individual business email address.
Business data that does not relate to any specific individual (such as a generic company mailbox like email@example.com) is not personal data.
More examples of what is personal data can be found on the European Commission website.
The GDPR (General Data Protection Regulation) is a law of the European Union that has applied since May 25, 2018. It is safe to say that it is the toughest data protection and security regulation in the world, and it applies to businesses of all sizes.
For your reference, here is the full GDPR text.
First, the GDPR applies to you if you use personal data and have an establishment in the EEA. An establishment can be your company, a branch, a subsidiary, an employee or an agent in the EEA. If you use personal data in the context of the activities of such an establishment, the GDPR applies to you regardless of whether the processing itself takes place inside or outside the EEA.
Second, the GDPR also applies if you are not located in the EEA but use the personal data of individuals in the EEA in relation to either (a) offering them goods or services, whether or not payment is required, or (b) monitoring their behaviour, as far as that behaviour takes place within the EEA (Article 3(2) of the GDPR).
That means the GDPR may apply to you even if you are not a European company, unless you happen to be one of the rare businesses that does not use the personal data of individuals in the EEA in either of these ways.
If you do not have any establishment in the EEA but you have a website or application available to individuals in the EEA, it does not automatically mean that the GDPR applies to you.
However, if you intend to offer products or services to individuals located in the EEA, the GDPR will apply. Indications of such an intent include marketing campaigns directed at an audience in an EEA country or dedicated contact details for clients from an EEA country.
In such cases, the GDPR will apply irrespective of whether your products or services are free or paid.
The second case, monitoring behaviour, may take place, for example, by tracking individuals on the internet with cookies or through wearable or other smart devices. Here again, the important criterion is whether you specifically intend to monitor individuals in the EEA. If yes, the GDPR will apply.
If you don't comply with the GDPR, you may face a fine of up to €20 million or 4% of global revenue (whichever is higher), plus any compensation for damages that your users may claim.
The relevant supervisory authority will look at various factors to determine the amount of the fine, including how serious the violation was and how long it lasted, whether it was intentional or negligent, and many other factors.
We suggest not using the FREE options! We have checked almost all of them and they are not GDPR-compliant and many are outdated.
Privacy policies are dynamic documents that need to be updated regularly. It is important that you use a generator that follows the latest changes in privacy laws and practices, and allows you to update your policies regularly, such as Ligalio.
Also, make sure to check if you use special category data - then you will have stricter obligations (check for more info on special category data at the end of this article).
It can be quite an extensive list. Below, we have included a few of the most common examples.
In an ideal world, you would update your policy after every change to your personal data practices. In practice, we suggest reviewing your policy at least every quarter, and updating it whenever you make a major change, such as adding new functionality to your products or services.
There are types of data that qualify as special category data and need more protection due to their sensitive nature. If you use any special category data, your business will have to comply with additional GDPR obligations.
Special category personal data, as defined in Article 9 of the GDPR, is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation.
Additional care should also be taken when using personal data relating to criminal convictions and offences, which is subject to its own rules under Article 10 of the GDPR.