What data is recorded
For what period data is recorded and
For what purpose the data is recorded
In addition to informing, it is also mandatory to ask for permission to record data. This must be done explicitly. Clever tricks, such as pre-checking a box with which a person 'gives permission' for recording data, are not accepted. This means that you must be as specific as possible about what the person concerned agrees to. Make sure that an average user understands it all.
I was recently asked whether you also need to ask permission for retargeting people on Facebook based on their email address. Yes, you also need to explicitly ask permission for this, because you are using personal data that can be traced back to a person and you are exchanging this data with a third party. It is preferable to ask permission when obtaining the data from the consumer or at a later time, for example in a targeted mailing for this purpose. More generally, you do this in the privacy statement. I would like to briefly cite the example of FNV Horeca from the article by Bart van der Kooi & Sabine Straver about the privacy bottlenecks of social media marketing. FNV Horeca uses Facebook Custom Audiences and informs its members about this as follows:
FNV Horeca also uses its members' email addresses for Custom Audience targeting via Facebook. FNV Horeca creates a Custom Audience by uploading its members' email addresses to an advertising tool. This group can then be linked to a specific Facebook campaign: only these Facebook users will see the campaign. For more information about Custom Audience targeting, see (…).
If you (…) do not want to be part of a Custom Audience advertising tool, you can indicate this at any time via the following email address: [email protected].
Accountability
The GDPR places more emphasis on the responsibility of organisations themselves to demonstrate that they comply with the law. For example, organisations have a documentation obligation, a burden of proof and the responsibility to reduce privacy risks.
This sounds simple, but how do you set up your database in such a way that it is clear for which use permission has been requested and obtained? And when this has happened? And how do you ensure that all systems are provided with up-to-date information? Which system is the source of your data? Many organizations still have a major task ahead of them, now that the reins are being placed more in the hands of the 'customer'.