One Click System's Privacy Guide

Privacy Laws and Regulations

Privacy laws regulate the storage and usage of personally identifiable information, personal healthcare information, and financial information of individuals that is collected by governments, public or private organisations, or other individuals. The laws may vary by country, region, territory, state, or otherwise, but there are some commonalities amongst most privacy laws in terms of the rights, obligations, and enforcement provisions.

If you collect, store, or use information that is subject to privacy regulations, then you are required to take certain steps to protect that information based on the location of the individual from whom you are collecting data. For example, if you collect personally identifiable information from a customer in the EU, you must comply with the EU’s General Data Protection Regulation (GDPR). If you collect personally identifiable information from a customer in California, United States, you must comply with the California Consumer Privacy Act (CCPA). If you are based in Melbourne, Victoria, Australia, and collect personally identifiable information, you must comply with Australia's privacy laws, including the Privacy Act 1988, which outlines the Australian Privacy Principles (APPs) that govern the handling of personal information.

How To Use This Guide

Privacy laws and regulations are rapidly evolving, and we’re going to be honest—these laws are complex! But, One Click System wants to make it easy for our customers to stay compliant with the latest privacy laws. While One Click System makes efforts to be compliant with privacy regulations, our customers also have to take steps to be compliant.

This guide is not meant to explain all the applicable privacy laws and regulations. It is intended to be a resource to help you use the One Click System Platform in a way that complies with privacy requirements. That being said, our lawyer wants us to make it very clear that this document does not constitute legal advice nor is it intended to ensure compliance with privacy laws and regulations.

DISCLAIMER: One Click System is not a licensed legal representative and cannot provide legal advice or interpret the law for you. Please consult your own legal advisor. This document does not constitute legal advice and should not be used as such.

Now, let’s dive in…

Data Roles

Privacy laws impose various obligations on a person depending on whether they are a controller or a processor of personal data. A controller is an entity which decides to process personal data and makes decisions regarding the basis of processing and the methods which will be used. Controllers have certain obligations regarding personal data, which you should familiarise yourself with before collecting personal data from your customers. A processor is an entity which processes data for and on behalf of a controller. Processors make no independent decisions regarding the data or its processing; they only process it on behalf of the controller and must comply with all instructions given by the controller.

When you use the One Click System Platform, you are a controller. You are in control of the data you upload to the One Click System Platform, what you do with that data, and why. As a result, you are responsible for ensuring that you have a legal basis on which to process the data, and that you do not retain the data for any longer than is necessary. You should ensure that you understand your obligations as a controller and update your own systems and policies to allow the lawful transfer of personal data to One Click System.

We recommend you consult your own legal counsel to ensure you fully understand your obligations as a controller. In the meantime, you can use the checklist below to get started on your compliance journey!

Controller Checklist


One Click System makes efforts to provide our customers with the functionality they need to ensure that the One Click System portion of your business can comply with privacy laws, specifically adhering to the Australian Privacy Principles (APPs) under the Privacy Act 1988 in Australia. Below, you will see recommended steps that you should take in your One Click System Platform account. You’ll also see recommended steps that you should take outside of your One Click System Platform account for compliance purposes.

And just as a reminder, One Click System is not a legal representative. The recommendations below are simply that—just suggestions! We cannot interpret the law or give you legal advice, and we recommend that you consult with your own lawyer. 

By the way, this checklist is intended to cover privacy laws in general. GDPR is considered to be one of the most restrictive privacy laws, so we have tailored this checklist to reflect controller obligations under GDPR. However, as we mentioned earlier, privacy laws are rapidly evolving. 

We’ll do our best to update this checklist on a regular basis, but if new laws are implemented or if existing laws are modified, this list might become outdated. Again, we encourage you to consult with your own lawyer to make sure you are taking all the appropriate measures to be compliant with privacy laws! We also welcome any feedback on how we can improve the One Click System Platform to make compliance even easier for our customers!

Privacy Law Requirements Table

Each entry below gives the requirement, an explanation, what you need to do in your One Click System Platform account, and what you need to do outside of your One Click System Platform account.

Right to Be Informed
Explanation: You need to tell your customers how you plan to process their data, how you won’t process their data, and when you’ll be done processing their data.
In your One Click System Platform account: You need to create a privacy notice and link to it on all webforms, landing pages, order forms, shopping carts, etc. (wherever you collect personal data).
Outside your One Click System Platform account: If you choose to collect customer data through offline methods (i.e., in person), you need to make sure your privacy notice is accessible during that interaction.

Lawfulness of Processing
Explanation: In order to process someone’s data, you need to have a legal basis for doing so. A “legal basis” could be informed consent, performance of a contract, or other legitimate interests. This is where you should consult your own counsel to determine if you have a “legal basis” for processing someone’s data.
In your One Click System Platform account: Create tags to track the lawful basis or create consent checkboxes to collect express consent. Create a regular process for removing EU contacts where you no longer have a lawful basis to process their data or if the contact withdraws their prior consent.
Outside your One Click System Platform account: If you are ever audited in the future, you may need to provide records that indicate the lawful basis under which you collected your customers’ information. If you collect customer information offline, be sure to keep detailed records of those collections since you won’t have the records in your One Click System Platform account.

Consent
Explanation: If you want to use consent as your lawful basis to process data for a contact, there are a few requirements that you should consider: 1) You must be clear about what consent you’re asking for (and make reference to your privacy notice); 2) Do not pre-check the consent checkboxes; customers need to explicitly consent by checking the box themselves; and 3) You need to be able to show proof of consent for prospects and customers who have granted it.
In your One Click System Platform account: Update all your webforms and landing pages with consent checkboxes.
Outside your One Click System Platform account: Implement these guidelines anywhere else in your business where you ask for consent or personal information. Consider creating documentation (with a time stamp) any time you make changes to your consent checkboxes or privacy notice. This is important so that you can show the exact text your contacts agreed to. This information is not captured in your One Click System account automatically.

Right to Erasure/Delete; Right to Rectify/Correct Inaccuracies
Explanation: If a person wants you to stop processing their data, they can request to be erased from your data records completely.
In your One Click System Platform account: Create a simple way for your customers to request to be erased. For example, you can provide customers with a deletion request form that they must complete and return to you in order to request deletion. You are responsible for carrying out your customer’s request to erase their data and can do so within your One Click System Platform account.
Outside your One Click System Platform account: Make sure you have an internal process to monitor requests and ensure they are handled in a timely manner. If you keep customer contact records or data outside of One Click System, you need to erase those as well upon request.

The Right to Data Access and Portability
Explanation: Your customer has the right to know whether their data is being processed. If you are processing their data, they have a right to know what you’re processing and should be able to request access to see it in a portable, visually friendly fashion.
In your One Click System Platform account: Create a simple way for your customers to request access to the data you are processing for them. There are a few ways you can do this within One Click System: 1) You can take a screenshot of the customer record and send it; or 2) You can export a contact’s details in a CSV file and send it. You’re responsible for carrying out your customers’ requests promptly.
Outside your One Click System Platform account: Make sure you have an internal process to monitor requests and ensure they are handled in a timely manner. This right to access and portability is not limited to the data in your One Click System account. You’ll need to find a way to collect other pertinent data for your customers and transfer it to them securely.

Right of Rectification
Explanation: Your customer has a right to see their data and ensure that it is accurate. If errors exist, they have the right to request that you update that information in a reasonably expedient manner.
In your One Click System Platform account: Create a simple way for your customers to request that you update their data. You could use a request form similar to the data deletion request form template we provided above.
Outside your One Click System Platform account: Make sure you have an internal process to monitor data update requests and ensure they are handled in a timely manner. In addition to updating your contact information in One Click System, you’ll also need to update the customer’s information in other systems and notify any other authorised 3rd parties that process your customer’s data.

Data Protection Officer and Regional Representatives
Explanation: You may want to appoint a Data Protection Officer (DPO) or a Chief Data Security Officer for your organisation. In addition, if you have customers in the EU or the UK, and have not appointed an EU or UK Data Protection Officer, you will need a representative in each region to handle any data or security dealings. There are third party services that can serve this role for you.
In your One Click System Platform account: Update your privacy notice to name the individuals who fulfil the EU and UK representative roles. Identify your Data Protection Officer and Chief Data Security Officer, if applicable.
Outside your One Click System Platform account: Update your privacy notice to name the individuals who fulfil the EU and UK representative roles. Identify your Data Protection Officer and Chief Data Security Officer, if applicable.