A guide to GDPR privacy policies
Latest update: Dec. 2, 2021
It is rare to find an organisation that does not process personal data and therefore does not fall under the scope of the EU General Data Protection Regulation (commonly referred to as the GDPR). For organisations that process personal data, the GDPR demands transparency about that processing: informing individuals about, and communicating with them on, how their personal data is processed. This is required so that those processing personal data are accountable for it, and so that those whose personal data is being processed are aware of the processing and can feel comfortable with it.
When should a privacy notice be given?
The timing of when the privacy notice should be given depends on whether the personal data was obtained directly from the individual or indirectly from another source, such as purchased marketing lists.
Personal data obtained directly from the individual
Generally, the information in the privacy notice should be given at the time the personal data is collected.
Personal data obtained indirectly
Where personal data is not received directly from the individual but from elsewhere, the information in the privacy notice should be given to the individual after receiving the personal data but before using it for further processing. This must be done within a reasonable time and no later than one month from receiving the personal data.
However, where an organisation wants to use the personal data to communicate with the individual, the information in the privacy notice must be given at the latest when the first communication occurs. Where the personal data will be further disclosed to another recipient, the information in the privacy notice must be given at the latest when it is first disclosed. In both cases the one-month period from receiving the personal data still applies as an outer limit.
Personal data directly obtained but to be processed for a new purpose
Where a controller that collected personal data for a specific purpose wants to use it for another purpose, the controller must inform the individual of the new purpose before processing the personal data for it.
Content of a privacy notice
The content of a privacy notice depends on whether the personal data is collected (i) directly from the individual or (ii) indirectly.
When collecting information directly from an individual, the privacy notice must contain the following points. Please note that the list below contains only the information which is required under the GDPR. There is no particular order in which the information must be presented, but all relevant information must be included.
- Identity and contact details of the controller
The controller is the individual or organisation who decides why and how personal data is being processed.
- Where applicable, the identity and contact details of the controller’s representative
The controller’s representative is the person or organisation established in the EU that a controller based outside the EU designates to act on its behalf towards data subjects and supervisory authorities. The representative is not the same as a processor, which is a party that processes personal data on the controller’s behalf.
- Where applicable, the contact details of the controller’s data protection officer (DPO).
Controllers and processors must in certain cases appoint a data protection officer. The data protection officer monitors the organisation’s compliance with the GDPR by, for example, performing checks and running awareness and training initiatives.
- The purpose of the processing of the personal data
- The lawful basis for the processing of the personal data
The GDPR requires any organisation processing personal data to have a valid legal basis for that processing activity. The law provides six legal bases for processing: consent, contract, legitimate interests (often called weighing of interests), legal obligation, public interest or official authority, and vital interests.
- When legitimate interests (weighing of interests) is being used, the controller may process personal data without consent if the processing is necessary for the legitimate interests of the controller or a third party and those interests are not overridden by the interests or fundamental rights of the data subject. In that case the privacy notice must also state what those legitimate interests are.
- When using consent, the data subject has agreed to the processing of their personal data. The notice must then explain the right to withdraw consent at any time, and that withdrawal does not affect the lawfulness of processing carried out on the basis of consent before the withdrawal. In many cases consent is not an appropriate basis for the processing, so the other lawful bases should always be considered first.
- When using contract as a basis, the processing is necessary to perform a contract with the data subject, or to take steps at the data subject’s request before entering into such a contract.
- The recipients, or categories of recipients, of the personal data
- Any intention to transfer personal data outside the EEA or to an international organisation, and the safeguards that are in place for such transfers
- The period of time the personal data will be stored for or the criteria used to define the period of time
- A description of the data subject’s rights, including the right to request access to, correction or deletion of personal data, to restrict or object to processing, and to data portability.
- A description of an individual’s right to complain and lodge a complaint with a data protection supervisory authority.
- If applicable, a description of automated decision-making (including profiling), the logic involved and the expected consequences for the data subject.
For personal data that is obtained indirectly, the following information should be given in addition to the above:
- The source from which the personal data came
- The categories of personal data concerned in the processing
In writing or orally?
Where a controller is communicating for the first time with an individual whose data was received indirectly, as explained above, the privacy information should be included in the main body of that first message, for example the body of the email itself.
Be sure to present the information under a heading or title that clearly indicates what it is and makes it easy to find. Remember that font size, colour and similar factors affect the visibility of website content.
The GDPR requires the information in a privacy notice to be provided in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.
As you can imagine, what counts as ‘clear and plain’ depends on the intended reader of the privacy notice. The information included and the way it is presented will depend on the persons whose data is being processed. Language used to address adults should differ from language used to address children and, in some cases, separate privacy notices can be made for children and adults.
Ensure that the information in your privacy notice can be understood by those whose personal data you are collecting and using – you can even ask people who represent those whose personal data you are collecting and using to read your notice before publicly disclosing it to ensure it can be understood.
Despite requiring that privacy notices contain specific pieces of information, the GDPR also states that privacy notices should be concise, in other words, brief. This is somewhat difficult, especially for organisations that process large amounts of personal data. However, the intention is to make the information easy for the reader to grasp. Recommendations on how to achieve this include:
- Layered privacy notices: a notice built in layers, each layer covering progressively more detailed information. Data protection regulators have encouraged keeping these to no more than three layers.
- Just-in-time privacy notices: notices given at the moment they are relevant, such as before accepting an offer for a service or a product, or when personal data collected previously is about to be used for a purpose other than the one it was collected for.
A privacy notice should be given free of charge. An organisation cannot charge an individual for access to the privacy notice.
Get in touch!
An initial assessment of your matter is always free!
You can reach Cathrin on +46761174801
Published: Dec. 2, 2021