Compass Consulting

URL: https://compassconsulting.com/privacy-policy/

Last Updated: February 16, 2024

Key Elements Observed:

1. Privacy Policy Structure:

  • Clear introduction describing policies and procedures
  • Comprehensive data collection section (personal data, usage data)
  • Detailed tracking technologies and cookies section
  • Specific use cases for personal data
  • Data sharing scenarios
  • Security measures
  • Children’s privacy protection
  • Links to other websites disclaimer
  • Change notification procedures
  • Contact information

2. Data Collection Categories:

  • Email address
  • First and last name
  • Usage data (IP address, browser info, device info)
  • Mobile device information
  • Cookies and tracking technologies

3. Cookie Types:

  • Necessary/Essential Cookies
  • Cookie Policy/Notice Acceptance Cookies
  • Functionality Cookies

4. Legal Compliance Features:

  • Age restriction (under 13)
  • Parental consent requirements
  • Data security acknowledgment
  • Third-party service provider disclosure
  • Business transfer provisions

5. Notable Practices:

  • Explicit statement about not sharing data with third parties for marketing
  • Privacy Policy Generator mentioned
  • Clear contact information provided
  • Regular update notifications promised

Mott MacDonald

URL: https://www.mottmac.com/en-us/about-us/governance-and-policies/privacy-and-data-protection/website-privacy-notice/

Last Updated: September 2024

Key Elements Observed:

1. Comprehensive Privacy Framework:

  • Main website privacy notice
  • Separate specialized privacy notices:
    – Online tracking technologies privacy notice
    – Digital solutions privacy notice
    – Marketing and events privacy notice
    – People privacy notice (employees)
    – Recruitment privacy notice
    – Video surveillance and visitor privacy notice

2. Structured Privacy Policy Sections:

  • Personal information we process
  • How we collect your personal information
  • How we use your personal information
  • How we share your personal information
  • How we protect your personal information
  • How long we keep your personal information
  • Your privacy rights and choices
  • Contact us

3. Data Collection Categories:

  • Contact details: Full name, email, phone, postal address
  • Business information: Job title, seniority level, organization/employer
  • Online tracking information: ID numbers, location, IP address, browsing behavior, cookies, pixels, device ID, websites visited, language used
  • Account login information: Login ID, usage analytics, system access information
  • Health information: Dietary requirements, accessibility needs for events
  • Other information: Feedback, opinions, interests, queries

4. Legal Compliance Features:

  • References to local legal requirements and supplementary notices
  • Alignment with Privacy and Data Protection Policy and “Our Code”
  • California supplementary privacy notice
  • Proactive notification of material changes
  • Regular review recommendations

5. Professional Standards:

  • Integration with corporate governance structure
  • Reference to “Our Code” (ethics/conduct)
  • Comprehensive approach to different stakeholder groups
  • Clear organizational accountability


KEO International Consultants

URL: https://www.keo.com/legal

Focus: Microsoft Teams User Disclaimer

Key Elements Observed:

1. Limited Website Legal Framework:

  • Primary focus on Microsoft Teams meeting disclaimers
  • Basic external links disclaimer
  • Confidentiality notice for communications
  • Trademark acknowledgments

2. Notable Practices:

  • Specific technology platform disclaimers
  • Clear liability limitations for meeting platforms
  • Confidentiality provisions for business communications
  • Third-party service provider disclaimers

Egis Group

URL: https://www.egis-group.com/privacy-policy

GDPR Compliance: Full compliance with EU 2016/679

Key Elements Observed:

1. Comprehensive GDPR Framework:

  • Full compliance with General Data Protection Regulation
  • Clear data controller responsibilities
  • Explicit data protection principles
  • Dedicated Data Protection Officer (DPO)

2. Data Protection Principles:

  • Explicit, legitimate, and determined purposes only
  • Data minimization (only useful data collected)
  • Limited retention periods
  • Restricted data sharing to authorized parties
  • Clear and transparent communication

3. Technical and Organizational Measures:

  • Dedicated data protection policy and governance
  • Technical safeguards against unauthorized access
  • Data stored within European Union territory
  • Controlled transfers outside EU with adequate protection

4. Individual Rights (GDPR Articles 15-22):

  • Right to access personal data
  • Right to rectification
  • Right to erasure
  • Right to limitation of processing
  • Right to data portability
  • Right to object to processing
  • Right to define post-mortem data guidelines

5. Contact and Compliance:

  • Dedicated DPO contact: [email protected]
  • Clear postal address for data protection inquiries
  • Identity verification requirements for rights requests

Summary of Competitor Best Practices:

  1. Structured Approach: All major firms use organized, sectioned privacy policies
  2. GDPR Compliance: European firms show full GDPR implementation
  3. Specialized Notices: Separate privacy notices for different activities (recruitment, marketing, etc.)
  4. Professional Standards: Integration with corporate governance and ethics codes
  5. Clear Contact Information: Dedicated privacy contacts and DPO where required
  6. Regular Updates: Commitment to periodic review and update notifications
  7. Liability Limitations: Clear disclaimers and limitation of liability clauses
  8. Governing Law: Explicit jurisdiction and governing law provisions

Jordanian Legal Requirements and Compliance Research

Jordan Personal Data Protection Law No. 24 of 2023

Key Information:

  • Effective Date: March 17, 2024
  • Grace Period: One-year compliance period ending March 17, 2025
  • Publication: Official Gazette on September 17, 2023
  • Scope: Applies to all personal data within Jordan, regardless of collection date

Core Requirements:

1. Consent Requirements

  • Standard: Explicit and documented consent (written or electronic)
  • Specificity: Must be specific in terms of duration and purpose
  • Advance Notice: Citizens must be informed of data collection date and reasons
  • Incapacitated Persons: Requires prior written/electronic consent from parents or legal guardians

2. Sensitive Personal Data Processing

*Prohibited unless:*

  1. Processing by competent public entity for official tasks
  2. Medical diagnosis or healthcare by licensed professionals
  3. Protection of life or vital interests
  4. Crime prevention/detection by competent authorities
  5. Required by legislation or court decision
  6. Central Bank of Jordan supervised entities’ activities
  7. Scientific or historical research (non-individual decision making)
  8. Statistical purposes or national security
  9. Publicly available data

3. Constitutional Framework

  • Article 18: Postal, telegraphic and telephonic communications are secret
  • Article 7: Personal freedom protection; infringement is punishable by law
  • Dual Application: Both private and public sectors covered

4. Processing Restrictions

  • Purpose Limitation: Data processing only for intended purposes
  • Criminal Liability: Processing for other purposes is criminalized
  • Public Authority Exception: May process data without consent to perform official duties, provided its contracted parties also comply

5. Data Transfer Requirements

  • Outside Jordan: Requires adequate level of protection
  • Compliance: Must meet Jordanian law standards

Compliance Obligations for Websites:

  • Explicit Written/Electronic Consent
  • Purpose Specification and Duration Limits
  • Advance Notice of Collection
  • Sensitive Data Special Protections
  • Cross-Border Transfer Safeguards
  • Criminal Law Compliance

Jordanian E-Commerce Legal Framework

Current Status:

  • No Specific E-Commerce Law: Jordan lacks dedicated e-commerce legislation
  • Electronic Transactions Law: Provides framework for electronic contracts and digital signatures
  • Consumer Protection: E-commerce subject to general consumer protection laws
  • Payment Systems: Electronic payment regulations under development

Key Challenges:

  • Legal Gaps: Insufficient comprehensive e-commerce regulation
  • Consumer Protection: Limited specific protections for online transactions
  • Dispute Resolution: Unclear mechanisms for e-commerce disputes
  • Cross-Border Transactions: Regulatory uncertainty for international e-commerce

Recommendations for Compliance:

  1. Follow general Jordanian contract law principles
  2. Implement clear terms and conditions
  3. Provide transparent pricing and delivery information
  4. Establish clear dispute resolution mechanisms
  5. Comply with Electronic Transactions Law for digital signatures

GCC Regional Data Protection Trends

Common Regional Themes:

1. **Cybersecurity Focus:** Increasing importance of AI and cybersecurity in data protection
2. **Severe Enforcement:** Administrative fines to criminal charges and imprisonment
3. **Technology Integration:** Laws addressing AI, facial recognition, and new technologies
4. **Cross-Border Controls:** Highly regulated data transfers requiring local authority approval

UAE Federal Decree Law No. 45 of 2021

Scope and Extraterritorial Reach:

  • Processing of personal data of UAE residents
  • Processing by UAE organizations (regardless of data subject location)
  • Organizations outside UAE processing UAE residents’ data

Key Requirements:

  • Explicit consent for data processing
  • Data Protection Officer (DPO) requirements
  • Cross-border transfer restrictions
  • Severe penalties for violations

Saudi Arabia Personal Data Protection Law (PDPL)

Key Features:

  • Legitimate interest as legal basis (limited scope)
  • Narrow interpretation expected from SDAIA
  • Sensitive data processing restrictions
  • Cross-border transfer controls

Regional Compliance Implications:

  1. Multi-Jurisdictional Approach: Different laws across GCC states
  2. Extraterritorial Application: Laws apply to foreign companies serving GCC residents
  3. Strict Enforcement: Criminal penalties and severe administrative fines
  4. Technology Focus: Specific provisions for AI and emerging technologies

GDPR (General Data Protection Regulation) Requirements

Scope and Application:

  • Global Reach: Applies to any company processing personal data of EU residents, regardless of company location
  • Penalties: Up to 4% of global revenue or €20 million, whichever is higher
  • Extraterritorial Effect: Must comply if handling EU residents’ data anywhere in the world

Privacy Notice Requirements (Articles 13-14):

Format Requirements:

  • Concise, transparent, intelligible, and easily accessible form
  • Clear and plain language (especially for children)
  • Timely delivery
  • Free of charge

Mandatory Information for Direct Data Collection (Article 13):

  1. Identity and Contact Details:
    – Organization identity and contact details
    – Representative contact details
    – Data Protection Officer (DPO) contact details
  2. Processing Information:
    – Purpose of processing and legal basis
    – Legitimate interests (where applicable)
    – Recipients or categories of recipients
    – Third country transfer details and safeguards
  3. Data Subject Rights:
    – Retention period or criteria
    – Existence of data subject rights
    – Right to withdraw consent
    – Right to lodge complaints with supervisory authority
    – Automated decision-making information
  4. Legal Requirements:
    – Statutory/contractual requirement information
    – Consequences of not providing data

Additional Requirements for Indirect Data Collection (Article 14):

  • Categories of personal data obtained
  • Source of the personal data
  • Communication timeline: Within 1 month of obtaining data

Data Subject Rights (GDPR Chapter III):

  1. Right to Information (Articles 13-14)
  2. Right of Access (Article 15)
  3. Right to Rectification (Article 16)
  4. Right to Erasure (Article 17)
  5. Right to Restriction of Processing (Article 18)
  6. Right to Data Portability (Article 20)
  7. Right to Object (Article 21)
  8. Rights Related to Automated Decision-Making (Article 22)

Legal Bases for Processing (Article 6):

  1. Consent – Freely given, specific, informed, unambiguous
  2. Contract – Necessary for contract performance
  3. Legal Obligation – Compliance with legal requirements
  4. Vital Interests – Protection of life or vital interests
  5. Public Task – Performance of public interest tasks
  6. Legitimate Interests – Balancing test required

U.S. Privacy Framework Considerations

State-Level Regulations:

  • California Consumer Privacy Act (CCPA/CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)

Common U.S. Requirements:

  • Privacy Policy Disclosure
  • Consumer Rights (Access, Delete, Opt-Out)
  • Data Minimization Principles
  • Security Safeguards
  • Third-Party Sharing Disclosures

International Best Practices Summary

Universal Privacy Policy Elements:

  • Clear Identity and Contact Information
  • Comprehensive Data Collection Disclosure
  • Purpose and Legal Basis Explanation
  • Data Sharing and Transfer Information
  • Retention Period Specifications
  • Individual Rights Explanation
  • Security Measures Description
  • Contact Information for Privacy Inquiries
  • Policy Update Procedures
  • Cookie and Tracking Technology Disclosure

Compliance Strategy for Makan PMD:

  • Multi-Jurisdictional Approach: Address Jordanian, GCC, and international requirements
  • Highest Standard Compliance: Follow GDPR as baseline (most stringent)
  • Local Law Integration: Incorporate specific Jordanian requirements
  • Regional Considerations: Address GCC cross-border business needs
  • Professional Standards: Align with AEC industry best practices