mkdir foo chgrp somegroup foo chmod g+ws o-rwx foo setfacl -dm u:www-data:rx,u::rwx,g::rwx,o::- foo
All files in directory foo will be created with 660 (directories with 770) permission in the group somegroup. Also, the user www-data will get read (directories also execute) rights.