Online entrepreneurs know very well:
BUSINESS ON THE INTERNET COMES WITH MORE OBLIGATIONS AND LIABILITIES THAN BUSINESS IN THE OFFLINE REALM.
Legislative requirements for e-business are growing exponentially in response to the main and most serious threat on the Internet: data security. The confidentiality of personal data and control over its access and disclosure are key issues for both consumers and vendors of e-services and online sales. Every online entrepreneur must know that consumers are very sensitive about all matters affecting their personal data: who collects it and for what purpose, what technical and organizational measures protect it against unauthorized access, whether there is a risk that the personal information in user profiles will fall into the hands of other companies and organizations, and so on.
Amid the "Prism" scandal, from which we learned that we no longer have any reason to believe that electronic communication via email and other online resources remains private and inviolable, privacy became a painfully sharp issue. The conclusion: online service providers must not only draft and publish a Privacy Policy (PP) that is reliable, clear and understandable to every user, but also implement it in good faith.
This brief review aims to outline the main points of the rules on the personal data that site owners collect from their users.
The name and the importance of the document
In line with the latest fashion in legal texts, the document that governs the protection of personal data should be called a "Privacy Policy". This title is a logical choice, because it signals the service provider's strong commitment to building a comprehensive data privacy strategy. Publishing the PP prominently on the website is important both for users, who can freely find out how their personal data are processed, and for providers, who can demonstrate their commitment and responsibility to the data security of their users.
Legal obligations
Registration with the Commission for Personal Data Protection (CPDP)
The lawful collection, processing and storage of personal data (PD) by automatic means is regulated by the Bulgarian Law on Personal Data Protection, the Law on Electronic Communications and Regulation № 1 of 30 January 2013 on the minimum level of technical and organizational measures and the admissible type of personal data. These regulations are harmonized with the main European directives concerning the requirements for service providers with regard to the protection of consumer privacy. Under the Law on Personal Data Protection, anyone who processes the personal data of individuals must submit an application to the Commission for Personal Data Protection for registration as a data controller. The certificate obtained from the Commission may be indicated in the PP, which clearly shows that the provider has met the first essential requirement in the processing of PD: registration as a data controller with the CPDP.
The purposes of collecting PD
An essential element of the PP is the list of purposes for which data is collected from users. Usually there is one main purpose, which is the purpose of the site itself: providing certain services, online sales of goods, and so on. Additional purposes that can be listed in the PP are usually related to the main purpose of the site and can be associated with the creation of user profiles for receiving orders, for online payments, for delivery to the user's address, for participating in games and quizzes, for reservations, for receiving newsletters, etc.
How and for what term the data is stored
Commonly, PD are collected and stored until the user deletes their profile. Once the user has deleted the whole profile, their personal data must be deleted and storage discontinued. In some cases, explicitly listed in the Electronic Communications Act and other acts, service providers are obliged to store identifying information about users for a certain period of time, even when the user has stopped using the website or has completely deleted their profile.
The lawful storage of PD requires the provider to undertake certain organizational and technical measures in line with those listed in the Law, as well as with modern technological tools for data security.
User consent
National legislation and the European regulations place the user's consent at the center of PD collection. Under the provisions of Article 17 of Directive 2002/58/EC concerning the processing of personal data and the protection of the right of privacy in the electronic communications sector:
"Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website."
The PP must be accepted unconditionally and unequivocally by users before they provide their personal data.
Trust
A well-written PP, in the language of the ordinary person and without superfluous legal terminology or endless sentences in which clarity of thought is lost, can be another solid stone in the castle called "confidence." It is always reassuring to see it written that someone cares for our peace and security. On the websites of many large companies well known in the market for quality services, the section on Privacy contains text similar to this:
"We take your privacy concerns very seriously. Our website privacy policy explains how we protect your information."
Trust must be built patiently, because without it the success of an online entrepreneur would not be possible. A Privacy Policy is just another good opportunity for you to show customers that you respect the law in every aspect of your business.
Evgenia Gancheva
© 2013 1Legal.Net Blog
Materials published on this blog are copyrighted. No part of them can be copied or used without the express permission of the author.