The General Data Protection Regulation (“GDPR”) is a privacy law in the European Union (“EU”), which came into force on 25 May 2018. The GDPR regulates the protection of personal data, meaning any information relating to an identified or identifiable person, such as a name, identification number, location data, an online identifier, and a wide range of other types of information. 

What is GDPR?

Privacy Policy 
A statement that is placed on a website specifying how a business collects, uses, and manages a user's personal data.


Key GDPR Compliant Documents

All GDPR compliant documents are available on Zegal's Professional and Premium Plans  


Zegal is a technology company. We are not a law firm and we do not give legal advice.
Security Audit Form
Security Audit Form is a form to help you document the technical and organisational measures in your business to ensure security of personal data. 


Data Processing Addendum
Ensures your existing data processors comply with applicable data protection laws



The EU's General Data Protection Regulation came into force on 25 May 2018. Zegal's GDPR-compliant documents can help your organisation meet its requirements quickly and effectively.

How do I obtain consent?

One of the main changes introduced by the GDPR is that consent (e.g. for direct marketing) may no longer be obtained by letting data subjects opt out; instead they must actively opt in to give consent.

Under the GDPR, a request for consent must be concisely written in simple language, cannot be made a condition of a service (unless the processing is actually necessary to provide that service), and cannot be bundled together with other terms. You have to make clear exactly what the data subject is consenting to, e.g. “I consent to you using my email address to send me updates and promotions about your product”. You cannot rely on generic consent such as “I consent to your use of my personal data”.

The data subject must give unambiguous consent either by a statement or by a “clear affirmative action” (explicit consent is required where special categories of data, such as health data, are involved). The GDPR states that silence, pre-ticked boxes or inactivity do not constitute consent. One example of affirmative action is an empty, unticked checkbox at the end of your request for consent that the data subject can select. Keep a record of when and how each consent was given, and of the exact wording the data subject saw, so that you can demonstrate it later.

If you rely on consent, you must also make clear to the data subject that they may withdraw their consent at any time.



What should I do?

Am I affected by the GDPR?

The GDPR applies to all businesses established in the EU (including, at the time of writing, the UK). However, if you are a business outside the EU that collects personal data from individuals in the EU, for example by offering them goods or services or by monitoring their behaviour, and you make decisions about how and why the personal data is used, you will be considered a “controller” under the GDPR and be subject to its rules regarding the data of those individuals. If you process personal data of individuals in the EU on behalf of a controller, you will be considered a “processor” and will also need to comply with the GDPR. 
A processor may only process data under, and to the extent of, the controller’s instructions. Where a controller uses the services of a processor, the responsibility for protecting and ensuring the security of the personal data processed, as well as for properly informing data subjects of their rights, remains with the controller, although the processor also has its own direct obligations under the GDPR, notably to keep the data secure and to report breaches to the controller without undue delay.

What will change under the GDPR?

The GDPR offers stronger protection of personal data, and places more responsibility on data controllers and processors. New requirements are introduced on record-keeping, technical security measures, and transparency in the collection and use of personal data. The GDPR also introduces potentially heavy fines for non-compliance, of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Privacy Notice for Employees and Contractors
Informs your employees and contractors of their privacy rights.


Information Audit Form
Helps you map data flows in your organisation



Privacy Policy is a notice that informs your customers and website visitors what you do with their personal information.  


Why use this document:  
One of the key requirements imposed by GDPR is the transparency on the collection and use of personal information. Individuals have the right to be informed about what you do with their personal information. A clear and concise Privacy Policy is a fundamental step towards GDPR compliance, as well as general good practice in data privacy protection.    

The Privacy Policy sets out:  
  1. what information you collect about users/visitors when they visit your website or use your products or services;
  2. how you use, share, store, and secure the information; and
  3. how users/visitors may access and control their information.
 To prepare a Privacy Policy that suits your business, we recommend that you first conduct an information audit to have a clear idea of the different categories of personal information you collect and hold in your business, as well as the purpose for collection and the legal basis for doing so. You may use our Information Audit Form for assistance.     



Bear in mind that the Privacy Policy must be clear and concise, and presented in a way that is easy to access, read and understand. Be as factual and straight forward as possible when answering questions in this Privacy Policy. In some sections, our helptext provides you with examples of information that may go into the relevant section. Our helptext is for reference only. It is crucial that you answer each question with specific information that is applicable in your business. 


Information Audit Form is a form to guide you through the process of establishing a comprehensive inventory of personal data held in your business. 


Why use this document:
The Information Audit Form is a non-legal tool, intended as an aid in creating a record of the personal data held by your company. A comprehensive inventory of personal data held is a fundamental step towards GDPR compliance, as well as general good practice in data privacy protection. 


This Information Audit Form is structured around reasons for collecting and processing personal data. Please consider all areas of your business when deciding whether or not a section of this form applies to your company. 


In-depth knowledge of the GDPR is not required to fill in this audit form, but honest answers are necessary for the integrity of record-keeping. If you are not sure of the answer, don’t know, or need to check, fill in the field accordingly. Please also take note of the location(s) of data storage, to fill in the last part of the audit.


Security Audit Form is a form to help you document the technical and organisational measures in your business to ensure security of personal data. 


Why use this document: 
The Security Audit Form is a non-legal tool, intended as an aid for documenting the technical and organisational measures in your business to ensure security of personal data. A comprehensive security audit is a fundamental step towards GDPR compliance, as well as general good practice in data privacy protection.  


This Security Audit Form comprises 10 sections. It’s possible that not all sections or questions are applicable to your business. 


Take this as a starting point and revisit this form periodically. 
A security audit often touches upon highly confidential information in your business. This audit should be completed by a senior officer in your business who is familiar with the technical and administrative procedures and measures adopted in the business. 


In-depth knowledge of the GDPR is not required to fill in this audit form, but honest answers are necessary for the integrity of record-keeping. If you are not sure of the answer, don’t know, or need to check, fill in the fields accordingly. 


In some sections, our helptext provides you with examples to give you a sense of direction in answering those questions. These examples are by no means the “right answer”. It is crucial that you answer each question with factual, accurate and specific information that applies in your situation.  


Data Processing Addendum  is a document that supplements the service agreement between a data controller and a data processor, to ensure that the processing of personal data by the data processor on behalf of the data controller is in compliance with data protection laws.


Why use this document: 
One of the key changes introduced by the GDPR is that a clear framework of responsibility is established for data protection. A data controller may only appoint processors that provide “sufficient guarantees” that the requirements of the GDPR will be met. A data processor may only act on the “documented instructions” of the controller and must comply with a number of requirements to ensure that the controller can fulfil its obligations under the GDPR.  


The Data Processing Addendum supplements any service agreement (or terms of service) already in place. The Data Processing Addendum is not just “nice to have”. The GDPR requires that processing of personal data by a service provider on behalf of a data controller must be governed by a contract (or other legal act) that is binding on the processor. 


The Data Processing Addendum contains various pieces of information mandated by the GDPR. It sets out details of the personal data to be processed by the processor on behalf of the controller and each party’s responsibilities in such processing.


1. Map your data flow and review your privacy practices
  • Conduct an information audit of the categories of personal data you hold
  • List the purposes for which you collect each category of personal data
  • Ensure the accuracy of data held
  • Ensure processors of personal data collected by you comply with applicable data protection laws
  • Make sure data is not retained longer than necessary for the purpose of processing
  • Establish good record-keeping practices (a company with fewer than 250 employees is exempt from the formal record-keeping requirement only if its processing is occasional, is unlikely to result in a risk to individuals, and does not involve special categories of data or data relating to criminal convictions) 
2. Determine the legal basis you rely on for processing personal data. There are 6 possible grounds under the GDPR:  
  • Consent (must be freely given, specific, informed and unambiguous: opt-in, and separate from other terms)
  • Performance of a contract
  • Compliance with a legal obligation
  • Protection of vital interests (of data subject or another natural person)
  • Task in the public interest or in the exercise of official authority
  • Legitimate interests of the controller or third party (unless overridden by data subject’s rights)
3. Be prepared to comply with data subjects' rights to:  
  • Be informed about the collection and use of their data
  • Have access to their information and details of processing
  • Have inaccurate or incomplete personal data rectified
  • Have their data erased in certain circumstances (“right to be forgotten”)
  • Restrict processing in certain circumstances
  • “Data portability”, i.e. receive the personal data they provided to you in a structured, commonly used, machine-readable format free of charge, or have it transmitted directly to another controller where technically feasible
4. Communicate privacy information to data subjects
  • Update your privacy policy or notice, inform your customers of their rights
  • Where consent is relied on, obtain their explicit consent by letting them opt-in
  • Issue internal privacy notices and hold internal training
5. Implement security measures proportionate to risks:  
  • Conduct a security audit of how data is protected when it is collected, transferred and stored
  • Determine who has access to view, edit and delete data
  • Document how security breaches are detected, reported and managed
  • Data breach notification - if there is accidental, unauthorised or unlawful access to, loss of, or destruction of personal data, you must report the breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also communicate it to the affected data subjects without undue delay. Keep an internal log of every breach, including those you decide not to report, and of the reasoning behind that decision
6. Check whether a Data Protection Impact Assessment (“DPIA”) is necessary
  • A DPIA assesses the impact that a processing operation, especially one that uses new technology, is likely to have on the protection of personal data; it is mandatory where the processing is likely to result in a high risk to individuals
  • The GDPR requires the supervisory authority of each member state to publish a list of processing operations which require a DPIA
7. Consider whether your organisation needs a Data Protection Officer (“DPO”)  
  • Appointment of a DPO is mandatory under the GDPR if you are a public authority, if your core activities require regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions. Please note that whether or not it is mandatory for you to appoint a DPO, you need to have someone in charge of data-related communications for your company. 
  • The DPO should be involved in all issues regarding the protection of personal data. They will have the responsibility to monitor internal compliance, inform and advise on your company's data protection obligations, provide advice regarding DPIAs, and act as a contact point for data subjects and your supervisory authority.
  • A DPO should be "independent, an expert in data protection, adequately resourced, and report to the highest management level" (according to guidelines published by the UK Information Commissioner’s Office). 
Employee Privacy Notice is a notice that informs your employees, workers and contractors what you do with their personal information.  


Why use this document: 
One of the key requirements imposed by GDPR is the transparency on the collection and use of personal information. Individuals have the right to be informed about what you do with their personal information. While you create a Privacy Policy to inform your customers about your privacy practices, you also need to do the same with your employees, workers and contractors.  

The Employee Privacy Notice sets out: 
  1. what information you collect about employees, workers and contractors;
  2. how you use, share, store, and secure their information; and
  3. how they may access and control their information.
 
 
Apart from issuing this Employee Privacy Notice, you may also wish to amend the personal data provision in existing contracts with employees using the Letter to Amend Employment Contract. 
You may wish to invite employees, workers and contractors to acknowledge their receipt and understanding of this Employee Privacy Notice by signing a copy of it.
