Welcome to Episode 2 of “GDPR for dive centers”! Customer data collection is the first step to check to make your business GDPR-compliant. How do you collect your customers’ data?

- Paper forms
- Electronic version of the paper form that you send to your customers via email
- Online form with a URL embedded in your web page
- Other?

Now go back to each section and try to cross out some of the fields. Is it possible, or is there a specific reason why you absolutely need all of them? This part is related to data minimisation. E.g. if your form contains passport number and nationality, is there a reason why you need this information? If yes, great! Just be ready to provide the reason. If you don’t need to collect these data, cross them out. At this point your forms are looking better already, or at least they are closer to a GDPR-like form. 🙂 Good job!

The next exercise is a writing one. At the bottom of the form you need to write the consents. Yes, plural. This part is related to the lawfulness of processing. You need to ask your customer for a separate consent for each data processing purpose. Each consent should have an empty checkbox next to it because the consent must be ‘freely given’. So what should you write?

The first part is related to the ‘contract’ between your dive center and your customer. You need to write a sentence in simple words explaining that you need to keep a record of their data in order to offer your services (e.g. for insurance reasons). If collecting your customer’s data is mandatory in order to provide your services, then you don’t need to have a checkbox next to it. You just need to inform your customer that this is the main reason why you need the data written above (GDPR Art. 6(b)). Don’t forget to write how long you need to keep these data (storage limitation) and why.

The next consent is the 3rd party one. Think of all the companies, authorities or any other entity that you need to disclose your customer’s data to. Examples:

- local authorities – if you are required to register every guest in your dive resort with the local authorities
- dive agency – if your customer decides to do a course, you need to transfer some of the data to the dive agency to process and issue the dive certification
- accountant – your accountant will collect and process all your bills and invoices and therefore he/she will read some of your customer’s data
- software providers – think of any kind of software that you use to collect, store and process customers’ data (e.g. Google Docs, Geek Divers, accounting and/or marketing software, etc.)

Do you run any marketing campaign? If you use your customer’s email address to send them your regular newsletter, then you need to ask for their consent. Write a simple question like “Would you like to receive our news and promotions?” Duh, boring! Be creative and make them want to subscribe or they’ll miss out on some cool stuff! 🙂 Here you need to have a checkbox and it needs to be empty. Let your customers freely choose to tick it or not. If you share your customers’ data with other companies so that they can send promotional information, you need to have a separate consent. Write which company you want to share your customer’s data with and for what purpose, and add an empty checkbox.

Add your email address or contact information and invite your customers to contact you in case any of their personal data changes (accuracy) or if they want you to delete their data (right to be forgotten). According to the GDPR, revoking their consent, updating their data or requesting to be deleted must be easy, so provide an email address or any other easy way to contact you.

Remember that all the above information and consents need to be written in very simple language (no legalese!): they need to be easy to understand both by young teenagers and by non-native speakers. If you translate your forms into other languages, make sure that they are correctly written and kept simple. Don’t forget to add a final consent for young customers (not yet 16), where you need to have their parent or guardian’s approval.

After collecting your customers’ data, you need to commit to using it only for the purposes that they agreed to (lawfulness of processing). I.e. if they don’t want to receive your newsletter, you cannot add their email address to your mailing list. Congratulations! You now have a customer data collection form that observes the most important principles of GDPR!

Remember that you need to guarantee integrity and confidentiality, so don’t leave the paper forms with customers’ data lying around in your dive center, don’t allow just anybody to access your administration software, and make sure that your customers’ data are protected from unauthorised access.

Do you need to have separate forms for European and non-European customers? This is entirely up to you! You could ask your customers if they want to fill out the European version or the standard one, but then you need to have two separate internal processes to collect, store and process your customers’ data, and you need to maintain both. Additionally, the GDPR is extremely vague in terms of who the “data subjects” are: EU residents? EU citizens? Are you 100% sure that the person in front of you does not fall under the GDPR? Even if you collect passport number, nationality and home address, are you sure that your customers don’t have a second passport, maybe a European one? If you want to be on the safe side, use your brand new form for everybody and your customers will appreciate the extra care that you show for their personal data! Why don’t you turn it into a key point of your business? 😉 GDPR for everybody! 🙂

This is the end of the second episode of GDPR for dive centers. Come back to blog.geekdivers.com for more episodes: we’ll dive deeper into the little practical steps that you need to take to make sure that your business is compliant. Do you want to be informed when a new episode is available? Join our newsletter or follow us on Facebook, Twitter and Instagram to receive real-time updates. See you soon!

Disclaimer: Geek Divers is not a law firm, nor is it backed by one. The information provided above is not intended to replace legal advice from a professional. Please use any or all of the above information at your own risk.