Welcome to Episode 2 of “GDPR for dive centers”!
Customer data collection is the first thing to check when making your business GDPR-compliant.
How do you collect your customers' data?
- Paper forms
- Electronic version of the paper form that you send to your customers via email
- Online form with a URL embedded in your web page
Let’s do a practical exercise and go through your forms together. At this point I’d like you to have your forms in front of you, whichever version you use. We’ll talk about the course forms in another episode. Let’s now concentrate on your customer data collection form.
The first thing that you need to consider is the data collection purpose. Divide your form in sections containing data that can be grouped together. E.g. Name, Last name, Date of birth can go into the section ‘personal data’; Email address, Phone number, Home address can go into the section ‘contact information’. Go through your form, divide the data in sections and name each section.
Now that you have a name for each section, describe the reason why you’re asking for this data. E.g. “We ask you to provide us the data in ‘contact information’ because we need to identify you uniquely in our records. Additionally, there are minimum age requirements for certain dive activities, therefore we need your date of birth. “ Go to the next section and repeat the exercise.
Now go back to each section and try to cross out some of the fields. Is that possible, or is there a specific reason why you absolutely need all of them? This part is related to data minimisation. E.g. if your form contains passport number and nationality, is there a reason why you need this information? If yes, great! Just be ready to provide the reason. If you don't need to collect these data, cross them out.
At this point your forms are looking better already or at least they are closer to a GDPR-like form. 🙂 Good job!
The next exercise is a writing one. At the bottom of the form you need to write the consents. Yes, plural. This part is related to the lawfulness of processing. You need to ask your customer for a separate consent for each data processing purpose. Each consent should have an empty checkbox next to it, because the consent must be 'freely given'. So what should you write?
The first part is related to the ‘contract’ between your dive center and your customer. You need to write a sentence in simple words explaining that you need to keep a record of their data in order to offer your services (e.g. for insurance reasons). If collecting your customer’s data is mandatory in order to provide your services, then you don’t need to have a checkbox next to it. You just need to inform your customer that this is the main reason why you need the data written above (GDPR Art.6(b)). Don’t forget to write how long you need to keep these data (storage limitation) and why.
The next consent is the 3rd party one. Think of all the companies, authorities or any other entity that you need to disclose your customer’s data to.
- local authorities – if you are required to register every guest in your dive resort at the local authorities
- dive agency – if your customer decides to do a course, you need to transfer some of the data to the dive agency to process and issue the dive certification
- accountant – your accountant will collect and process all your bills and invoices and therefore he/she will read some of your customer’s data
- software providers – think of any kind of software that you use to collect, store and process customers' data (e.g. Google Docs, Geek Divers, accounting and/or marketing software, etc.)
If all the above is a natural consequence of you providing a service to your customer, then again, just write a simple sentence to inform your customer that their personal data will be communicated to the local authorities according to the local law; to the dive agency in case they choose to do a course (add that there will be a separate form for each course); confidentially shared with tax and/or law professionals in order to fulfill your duties as business owner; and entered in the administration software used by your company and staff members (more on administration software in one of the next episodes!). Reassure your customer that you won't share their data with anyone else unless they first agree to that.
Do you do any marketing campaign? If you use your customer’s email address to send them your regular newsletter, then you need to ask for their consent. Write a simple question like “Would you like to receive our news and promotions?” Duh, boring! Be creative and make them want to subscribe or they’ll miss out on some cool stuff! 🙂 Here you need to have a checkbox and it needs to be empty. Let your customers freely choose to tick it or not.
If you share your customers' data with other companies so that they can send promotional information, you need to have a separate consent. Write which company you want to share your customer's data with and for which purpose, and add an empty checkbox.
Add your email address or contact information and invite your customers to contact you in case any of their personal data changes (accuracy) or if they want you to delete their data (right to be forgotten). According to the GDPR, revoking their consent, updating their data or requesting deletion must be easy, so provide an email address or any other easy way to contact you.
Remember that all the above information and consents need to be written in very simple language (no legalese!): they need to be easy to understand both by young teenagers and by non-native speakers. If you translate your forms into other languages, make sure that they are correctly written and kept simple.
Don’t forget to add a final consent for young customers (not yet 16) where you need to have their parent or guardian’s approval.
After collecting your customers' data, you need to commit to using it only for the purposes that they agreed to (lawfulness of processing). For example, if they don't want to receive your newsletter, you cannot add their email address to your mailing list.
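If you run an online version of this form, the same rules can be enforced where the submissions are stored. The following is an added, constructed example (not Geek Divers code): it models the consent section of the form described above, with inform-only purposes that have no checkbox, opt-in boxes that start empty and never default to ticked, the under-16 guardian check, and a mailing-list builder that only picks addresses whose owner ticked the newsletter box. The purpose names, the field names and the class are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Purposes that rest on the contract or on a notice only need informing,
# not a checkbox; the opt-in purposes need an explicit, freely given tick.
INFORM_ONLY = ("contract", "third_party_disclosure")
OPT_IN = ("newsletter", "partner_marketing")
MINIMUM_AGE_WITHOUT_GUARDIAN = 16  # the post's parent/guardian threshold


@dataclass
class CustomerForm:
    email: str
    date_of_birth: date
    # An empty (unticked) box is False. A missing key is treated as unticked,
    # never as consent, so a form can never be "pre-ticked" by accident.
    consents: dict = field(default_factory=dict)
    guardian_approved: bool = False


def blank_form(email: str, date_of_birth: date) -> CustomerForm:
    """The state a freshly printed or loaded form is in: every opt-in box empty."""
    return CustomerForm(email, date_of_birth, {p: False for p in OPT_IN})


def age_on(dob: date, today: date) -> int:
    """Whole years completed on `today`."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def validation_errors(form: CustomerForm, today: date) -> list:
    """Reasons a submitted form cannot be accepted as it stands."""
    errors = []
    for purpose in form.consents:
        if purpose not in OPT_IN:
            errors.append(f"unexpected checkbox for {purpose!r}: inform-only purposes have no box")
    if age_on(form.date_of_birth, today) < MINIMUM_AGE_WITHOUT_GUARDIAN and not form.guardian_approved:
        errors.append("customer under 16: parent or guardian approval required")
    return errors


def permitted_purposes(form: CustomerForm) -> set:
    """Lawfulness of processing: inform-only purposes always, opt-ins only when ticked."""
    return set(INFORM_ONLY) | {p for p in OPT_IN if form.consents.get(p) is True}


def newsletter_recipients(forms) -> list:
    """Only addresses whose owner ticked the newsletter box go on the mailing list."""
    return [f.email for f in forms if "newsletter" in permitted_purposes(f)]
```

Note that `permitted_purposes` only accepts a literal `True`, so a stored string such as `"yes"` or a missing key never grants a purpose.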
Congratulations! You now have a customer’s data collection form that observes the most important principles of GDPR!
Remember that you need to guarantee integrity and confidentiality, so don't leave paper forms with customers' data lying around in your dive center, don't allow just anybody to access your administration software, and make sure that your customers' data are protected from unauthorised access.
Do you need to have separate forms for European and non-European customers? This is entirely up to you! You could ask your customers if they want to fill out the European version or the standard one, but then you need to have two separate internal processes to collect, store and process your customers data and you need to maintain both. Additionally, the GDPR is extremely vague in terms of who the “data subjects” are: EU residents? EU citizens? Are you 100% sure that the person in front of you does not fall under the GDPR? Even if you collect passport number, nationality and home address information, are you sure that your customers don’t have a second passport, maybe a European one? If you want to be on the safe side, use your brand new form and your customers will appreciate the extra care that you show about their personal data! Why don’t you turn it into a key point of your business? 😉 GDPR for everybody! 🙂
This is the end of the second episode of GDPR for dive centers. Come back to blog.geekdivers.com for more episodes: we’ll dive deeper into the little practical steps that you need to take to make sure that your business is compliant. You want to be informed when a new episode is available? Join our newsletter or follow us on Facebook, Twitter and Instagram to receive real time updates. See you soon!
Disclaimer: Geek Divers is not a law firm, nor is it backed by one. The information provided here is not intended to replace legal advice from a professional. Please use any or all of the above information at your own risk.