GDPR Email Traps
Fed up with seeing those pesky GDPR emails? As we are helping a large number of clients with their privacy programs, we have been assisting them with wading through the deluge of Privacy Notices and Data Protection Addendums (DPAs) that are appearing in everyone’s inboxes.
Here are a couple of thoughts on these emails from a Commercial Lawyer’s perspective:
1. IMPLIED ACCEPTANCE
If you try to impose a DPA on a business by implied acceptance (i.e. by stating that the recipient will be deemed to have agreed to the terms if they don’t reply), it’s probably not going to be binding.
Some businesses have even tried to assert a one day review period before the DPA is deemed to be accepted. If you are going to use this approach, reasonable notice should be provided and you will need a right to update the contract terms in this manner in the underlying agreement. The reality is that the DPA could amount to a unilateral variation of the underlying contract and be unenforceable.
If you are a controller that is relying on implied acceptance of DPAs then you run the risk of the DPA being ineffective and consequently you will not be able to demonstrate that you have a written agreement in place with each of your processors, which is required by the GDPR.
2. DON’T CAUSE A DATA BREACH
If you are going to send out emails regarding your new Privacy Notice, don’t cc all of the other customers / suppliers you are sending it to. If you do, you have just created a data breach by disclosing every recipient’s email address to every other recipient.
3. MAKE SURE YOUR DOCUMENTS ARE RELEVANT
Make sure the documents you are sending out are relevant to the receiving party. Senders of GDPR emails should have mapped out whether each of their customers and suppliers is a controller, processor or joint controller, and allocated the correct documents for each category.
A scatter-gun mail-out of just one type of DPA is unlikely to work across the spectrum of your commercial relationships. It is likely that the ICO will look at the true nature of the relationship rather than following the labels attached by the parties in a DPA. If a DPA is not fit for purpose then it will just lead to ambiguity and potential disputes down the line. Distinguishing between the processing relationships of each controller, processor or joint controller is therefore key to ensuring that you can rely on the data processing terms which you agree with the other side.
4. DON’T ASK FOR CONSENT IF YOU DON’T NEED IT
Some emails also ask for you to sign a consent that you agree to their Privacy Notices. This is completely irrelevant if they are processing the Personal Data under other legal grounds e.g. contractual necessity (as is often stated within the Privacy Notices that they are asking you to consent to).
So in conclusion, if you are thinking about sending out DPAs or Privacy Notices to your customer or supplier base, please ensure that you don’t get caught by the above traps.
With the GDPR implementation date only a day away there is a clear temptation for most businesses just to fire out a load of emails and hope that makes them compliant.
However, having a well thought through plan for compliance and assessing what you actually need will ensure that you stay on the right side of the law and avoid harassing customers and suppliers unnecessarily.
If you would like to discuss our Data Protection Packages or our outsourced DPO Service with us, please get in touch by calling us on 01603 339044 or email firstname.lastname@example.org.
Please note: the content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.