WHY and HOW do you need to update your Privacy Policy?


Data protection has become an incredibly important issue for international businesses, as supervisory authorities are very strict with their fines. As a result, there are various trends in how to build privacy as a culture in your company. However, it is not only private companies that are promoting the privacy-as-a-culture approach.


One of the latest updates was published on February 24, 2022, by the Digital Cooperation Organization (“DCO”) in the form of a Joint Statement Regarding the Terms of Service and Privacy Policies of Global Technology Companies, in which DCO proposed several ideas on how to protect internet users from violations of their data protection rights by Global Tech Companies (“Companies”). The full statement is available via the link.


First of all, WHAT IS DCO? 


DCO is a global multilateral organization that was established in 2020 by seven countries (Bahrain, Jordan, Kuwait, Nigeria, Oman, Pakistan, and Saudi Arabia). Its goal is to drive greater collaboration and cooperation across entrepreneurship, innovation, business growth and employment in a shared digital economy.


For your information: not all of the DCO member states have comprehensive data protection legislation. Only Bahrain, Nigeria and Saudi Arabia have a separate and effective data protection law, while the other countries have only drafts and proposals. Nevertheless, it is still important to track updates to privacy legislation all over the world in order to be prepared for any new rules and regulations.




DCO has issued a joint statement, which is recommendatory in legal nature, proposing the following:

  • Companies shall not use the personal data of their users for purposes other than those the user has consented to.
  • Companies shall not perform profiling of users’ personal data without adequate consent, and therefore shall not make skewed decisions against the rights of users.
  • Companies shall transfer data across borders to third parties only after ensuring alignment with the data policies of the DCO member states.
  • Users shall have the right and sufficient time to migrate their invaluable personal data.


Even though DCO has few member states, its recommendations may be of use to every company in the world, as they cover promising or potential markets and are in alignment with the best worldwide data protection practices. Moreover, DCO covers almost half a billion users, so their data may well be processed by your company, and following the rules for such processing is always a good practice.




In light of the highlighted issues, some Privacy Policies (“PP”) need to be reviewed and updated.

  1. You need to review the sections of your PP in which you describe what data you collect and where the legal grounds for processing are pointed out. Make sure that you have obtained consent for EVERY processing activity you perform with personal data which requires obtaining consent. If your company processes personal data without user consent, ensure that the legal ground is fully lawful and does not violate any applicable laws or users’ rights. In case you have no legal grounds for processing, it is a must to create a new procedure for collecting consent for such processing activity.
  2. If your processing activities include user profiling, namely automated decision making against users which is based on their personal data, you shall be certain to obtain consent for such profiling. In case you do not perform profiling, you need to directly point it out in your PP, e.g., by adding the following clause:


“We DO NOT use automated decision-making and profiling.”


  3. If your processing activities cover cross-border data transfers to the member states of the DCO, you need to be completely sure that you comply with all the national laws of such member states on data transfers, including providing sufficient safeguards and considering the necessary organizational and technical measures of data protection.
  4. The company shall set out in its PP the users’ right to migrate and/or remove their personal data from the platform and the available methods for exercising such right, via any methods accessible to you and your users: communication with you via email, phone, or a special form on the website; or provide a separate functionality for this purpose.


Data protection compliance has become a very complicated issue, so sometimes it is more effective to hire specialists in this field who have enough experience to perform any privacy-related tasks and define all risks associated with entering foreign markets. Thus, the Data Protection Officer service from Legal IT Group is definitely a good option!


All in all, it is very important to observe and implement best data protection practices in your company’s business activities in order to be compliant and not to put your business at risk of being fined by the supervisory authorities. Please note that a Privacy Policy is a big deal and is best left to professional lawyers, so the Legal IT Group privacy team will be happy to help you with any data protection issues ☺
