We created this template because templates intended for use within the EU are insufficient in addressing GDPR requirements unique to businesses outside of the EU.
The three components for businesses outside of the EU and their bases in GDPR requirements are as follows:
EU representative (Articles 13 & 27): Businesses outside of the EU that offer goods or services to or monitor the behavior of data subjects in the EU are required by the GDPR to appoint a representative in the EU. The original ICO template, intended for UK businesses, does not address this requirement.
EU-U.S. Privacy Shield (Articles 13 & 46): Data controllers and processors in the United States and participating in EU-U.S. Privacy Shield Framework are required to include certain disclosures as part of their participation. While the EU considers these businesses to have adequate data protection measures, the ICO template does not address it.
The EU-U.S. Privacy Shield section is only applicable if you are a participant of that program. We, as blucheq, are certified under the EU-U.S. Privacy Shield Framework, and our clients benefit from that status because it allows them to transfer data to us from the European Union freely.
List of supervisory authorities (Articles 13, 56 & 57): The ICO template only lists itself as an authority for complaints. In the case of a business outside of the EU, the competent supervisory authority can be any one of the national data protection authorities based on the residence of the data subject filing the complaint.
Our contact details
Name: [insert your company's name]
Address: [insert your company's address]
Phone number: [insert your company's phone number]
Email address: [insert your company's email address]
The type of personal information we collect
We currently collect and process the following information:
Personal identifiers, contacts, and characteristics (for example, name and contact details)
[Add to this list as appropriate]
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
[Add the reasons you collected personal information]
[If applicable] We also receive personal information indirectly, from the following sources in the following scenarios:
[Add the source of any data collected indirectly and why you collected the personal information]
We use the information that you have given us in order to [list how you use the personal information].
We may share this information with [enter organizations or individuals].
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are: [delete as appropriate]
Your consent. You are able to remove your consent at any time. You can do this by contacting [contact details].
We have a contractual obligation.
We have a legal obligation.
We have a vital interest.
We need it to perform a public task.
We have a legitimate interest.
How we store your personal information
Your information is securely stored [enter location].
We keep [type of personal information] for [time period]. We will then dispose of your information by [explain how you will delete their data].
Your data protection rights
Under data protection law, you have rights including:
Your right of access: you have the right to ask us for copies of your personal information.
Your right to rectification: you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure: you have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing: you have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing: you have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability: you have the right to ask that we transfer the personal information you gave us to another organization, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at [insert email address, phone number, and/or postal address] if you wish to make a request. If you are a national data protection authority in the EU or a resident of the European Economic Area, in addition to the ability to contact us directly, you may contact our EU representative at [insert email address, phone number, and/or postal address]. [Visit blucheq.com to appoint an EU representative]
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at [contact details for data protection inquiries].
If you are a resident of the European Economic Area, you can also complain to your national data protection authority if you are unhappy with how we have used your data. You can locate the contact information for your national data protection authority by visiting https://edpb.europa.eu/about-edpb/board/members_en.
EU-U.S. Privacy Shield [if applicable]
In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at [insert email address, phone number, and/or postal address]. We have further committed to refer unresolved Privacy Shield complaints to [insert alternative dispute resolution provider's name], an alternative dispute resolution provider located in [insert location of the alternative dispute resolution provider]. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit [insert website address for filing a complaint with your alternative dispute resolution provider] for more information or to file a complaint. The services of [insert alternative dispute resolution provider's name] are provided at no cost to you. If your complaint remains unresolved, you have the right to invoke binding arbitration under certain conditions.
The template we provide addresses the following pieces of information included in the regulatory guidance as part of the data subjects' right to be informed:
The name and contact details of your organization
The name and contact details of your EU representative
The purposes of the processing
The lawful bases for the processing
The source of personal data obtained from other parties
The recipients or categories of recipients of the personal data
The details of transfers of the personal data to any third countries or international organizations
The retention periods for the personal data
The rights available to individuals in respect of the processing
The right to withdraw consent
The right to lodge a complaint with a supervisory authority
Additional information that is not included in the template but may still apply to your business:
Data protection officer: The contact details of your data protection officer (DPO)
Automated decision-making: The aspects of automated decision-making, including profiling, if used
Legal obligations: The details of whether individuals are under a statutory or contractual obligation to provide their personal data
Data protection officer
Data protection officer vs. EU representative
You should be aware that the EU representative is an entirely separate role from that of the data protection officer (DPO) as mandated by Article 37. They are required to be separate entities due to the potential for a conflict of interest in their duties: your DPO cannot serve as your EU representative and vice versa. The EDPB guidance on this point is clear:
The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union.
Although we won't address the DPO requirements in detail here, in general, you are required to appoint a DPO if you:
are a public authority other than a judicial court,
regularly and systematically monitor the behavior of data subjects as part of your core activities, or
process special categories of data or criminal conviction data on a large scale.
A useful comparison here is the difference between a single physician's office and a hospital. While the former would not be considered a large-scale processing operation, the latter certainly is, and a hospital would be required to appoint a DPO.
The two most common forms of automated decision-making we encounter with online businesses are behavioral advertising and fraud protection used by payment processors.
In some cases, you may be required to collect certain personal information either due to statutory laws or terms of your contracts with customers. In these cases, since it's unlikely that this obligation will apply to all collected data, you should be specific about the personal data collected due to a legal obligation.
While I've written this article to be as helpful as possible, it cannot and does not contain legal advice. The legal information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any actions based upon such information, I encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. Use of or reliance on any information contained on this site is solely at your own risk.
If you require legal assistance, I am happy to refer you to an attorney specializing in privacy laws and regulations. You can write to me or schedule time to discuss your specific situation in more detail.