Protecting Your Online Business from GDPR Privacy Complaints

Last updated on 31 August 2019 by Maria Pirzada

The General Data Protection Regulation (GDPR) addresses data protection and privacy laws that work to protect individuals located in the European Union. As an online business owner, if you fail to comply with the regulation you could face privacy complaints filed by your consumers or supervisory authorities.

Here, we'll cover what the GDPR is, what it requires, and what your consumers' rights are. We'll take a look at how your consumers can file complaints against your business under the GDPR. Finally, we will discuss strategies to mitigate the risk of non-compliance with a sound Privacy Policy and important notices to consumers.


What is the GDPR and What Does it Require?

The General Data Protection Regulation (GDPR) is a law in the European Union (EU) that addresses data protection and privacy for all individuals in the EU. The GDPR is directly applicable to each of the member states of the EU. It aims to give EU residents control over their personal data, and to make it simpler for international companies to conduct business within the EU.

GDPR Chapter 1, Article 1

The GDPR was adopted in April of 2016 and went into effect on May 25, 2018. It replaced the Data Protection Directive of 1995. The regulation introduces a number of key changes that affect how commercial entities communicate with their end users and how they handle and process personal data.

The GDPR applies to both data controllers and data processors.

One of the biggest changes posed by the GDPR is the extended jurisdiction. According to the regulation, if your business processes the personal data of EU residents, then you are required to comply with the GDPR, regardless of whether the data processing takes place within the EU.

In addition to this, if your business is based outside of the EU, you are required to comply with the GDPR if you:

  • Offer goods or services to EU-based residents, or
  • Monitor online consumer behavior within the EU member nations

If your business breaches the terms of the GDPR, you will be fined the greater of four percent of annual global turnover or €20 million.

The GDPR also strengthens the conditions for user consent. You are required to acquire user consent through an intelligible and easily accessible form. Additionally, you must state in your consent notice why you need to process that data.

The regulation also requires you to use easy-to-understand language when communicating your terms and conditions, not legalese.

Finally, withdrawing consent for your end users must be as easy as giving it.

Allowing Customer Inquiries

According to Article 57 of the GDPR, supervisory authorities are responsible for handling consumer complaints.

GDPR Article 57: Handling complaints

It states that the supervisory authority should investigate the issue brought up by the consumer and let them know about the progress of the investigation and its outcome within a reasonable period of time. In addition to this, it also states that if further investigation by another supervisory authority is necessary, then the complainant should be informed of that as well.

GDPR Complaint Process

The GDPR empowers and encourages individuals to seek judicial relief for damages that may have been caused by a breach. Consumers can file formal administrative complaints with supervisory authorities against your business if they suspect a breach.

According to the GDPR, a complaint can be initiated by the data subject (the consumer) or by a supervisory authority. This is illustrated in the GDPR Complaint-Process Map.

GDPR Complaint Process Map

Data subjects can file complaints with the courts of the EU member state where they reside, where they work, or where the alleged infringement occurred.

GDPR Chapter 8, Article 77: Right to lodge a complaint clause

Consumers are also given the option to file a complaint against a supervisory authority if the supervisory authority fails to handle the complaint in accordance with the GDPR or fails to inform them of the status of their complaint within three months.

GDPR Article 77: Right to an Effective Judicial Remedy Clause

How a Privacy Policy Can Mitigate Risk of Complaints

As an online business owner covered by the GDPR, a GDPR-compliant Privacy Policy is your best defense against the possibility of privacy complaints.

It's important to understand that the GDPR requires you to communicate how your business collects and processes user data in a way that is concise, intelligible, transparent and easily accessible, using easy-to-understand language (not legalese).

With this in mind, in order to comply with the GDPR, it's recommended that you have a Privacy Policy posted on your website and make sure it's detailed yet easy to understand. Your Privacy Policy should mention who the data controllers in your company are, and provide contact information for them.

The GDPR also recommends that you post privacy notices on your website at the points where you collect personal data from your end users and, when necessary, obtain their consent.

For example, uSwitch displays simple, easy-to-understand notices on its energy comparison forms. The privacy notice for the email address field, for instance, briefly explains why you are required to enter your email address. It says that the website requires the email address in order to send you a copy of your comparison results.

uSwitch help key explaining why personal data is collected

uSwitch also provides a link to its Privacy Policy from the About section of the website footer.

Screenshot of uSwitch footer with Privacy Policy Link

Amazon's complete Privacy Policy is far more detailed than the simple privacy notice displayed on the energy comparison form.

The "Information you provide to us" section of the Privacy Policy explains how the company collects the information users provide when searching for a price comparison. It also itemizes the types of information the company collects.

Privacy Policy of uSwitch: Information You Provide Clause

Important

If you're running an online business that is based in the EU or collects personal information from EU residents, then you're required to comply with the GDPR. You should be aware that a consumer can file a complaint against your online business if there's a breach of the GDPR or if the rights granted to them by the GDPR aren't met.

Having a compliant Privacy Policy published on your website is a requirement. You also should display user-friendly privacy notices wherever you collect personal data to further your efforts to comply with the GDPR.

By taking these steps, you are mitigating your liability risks and ensuring your compliance with privacy laws.

Maria Pirzada

Legal writer.