A guide to GDPR privacy policies

Lundberg & Associates


Latest update: Dec. 2, 2021

It is rare to find an organisation that does not process personal data and therefore does not fall under the scope of the EU General Data Protection Regulation (commonly referred to as the GDPR). For organisations that process personal data, the GDPR demands transparency about that processing – informing and communicating about how personal data is processed. This is required to ensure that those processing personal data are accountable for it and that those whose personal data is being processed are aware of the processing and can feel comfortable with it. 

This need for transparency is regularly achieved through a privacy notice, often also referred to as a privacy policy or privacy statement. These policies give specific information to those whose personal data is being or going to be processed and ensure that processing of personal data is done transparently. 

The GDPR sets out the content which is required to be included in such a privacy policy as well as when this information should be provided. In the rest of this blog, we will share information on when and how a privacy policy should be given to someone whose data will be or is being processed, as well as a checklist of the mandatory information which should be included in the privacy policy.

When should a privacy notice be given?

The timing of when the privacy notice should be given depends on whether the personal data was obtained directly from the individual or indirectly from another source such as, for example, purchased marketing lists. 

Personal data obtained directly from the individual

Generally, the information in the privacy notice should be given at the time the personal data is collected.

Personal data obtained indirectly

Where personal data is not received directly from the individual but from elsewhere, the information in the privacy notice should be given to the individual after receiving the personal data but before using it for further processing. This is required to be done within a reasonable time and no later than 1 month from receiving the personal data. 

However, where an organisation wants to use the personal data to communicate with the individual, the information in the privacy notice must be given when the first communication occurs. Where the personal data will be further disclosed, the information in the privacy notice must be given before it is disclosed. These must take place within the 1-month period from receiving the personal data. 

Personal data directly obtained but to be processed for a new purpose 

Where a controller who processes personal data for a specific purpose now wants to use it for another purpose, the controller must inform the individual whose personal data is concerned of the new purpose before the data is processed for that new purpose. 

Content of a privacy notice

The content of a privacy notice depends on whether the personal data is collected (i) directly from the individual or (ii) indirectly. 

When collecting information directly from an individual, the privacy notice must contain the below points. Please note that the below contains only the information which is required under the GDPR. There is no particular order that the information is required to be presented in, but all relevant information must be included.

  • Identity and contact details of the controller
    The controller is the individual or organisation who decides why and how personal data is being processed.
  • Where applicable, the identity and contact details of the controller’s representative
    The controller’s representative is the person who processes personal data on behalf of the controller.
  • Where applicable, the contact details of the controller’s data protection officer (DPO).
    The person who processes personal data must in certain cases appoint a data protection officer. The data protection officer checks that the organisation adheres to GDPR by, for example, performing checks and information initiatives.
  • The purpose of the processing of the personal data 
  • The lawful basis for the processing of the personal data
    GDPR requires any organization processing personal data to have a valid legal basis for that processing activity. The law provides six legal bases for processing: consent, contract, weighing of interests, legal obligation, public interest or fundamental interest.
  • When weighing of interests is being used, the controller may process personal data without consent if the controller’s interests outweigh those of the data subject and if the processing is necessary for the purpose in question. 
  • When using consent, the data subject has agreed to the processing of personal data. An explanation of the right to withdraw consent must then be given, together with a statement that withdrawing consent does not affect the lawfulness of the processing based on consent before the withdrawal. In many cases it is not appropriate to base the processing on the data subject’s consent, which is why you should always first consider the other lawful grounds. 
  • When using contract as a basis, the data subject has a contract or is to enter into a contract with the controller. 
  • The recipients of the personal data
  • Any intention to transfer personal data outside the EEA or to an international organisation, and the safeguards that are in place.
  • The period of time the personal data will be stored for or the criteria used to define the period of time 
  • Description of the data subject's rights, including the data subject's right to request access to, correction or deletion of personal data.
  • A description of an individual’s right to complain and lodge a complaint with a data protection supervisory authority.
  • If applicable, description of automated decision making and expected consequences thereof affecting the data subject.

For personal data that is obtained indirectly, the following information should be given in addition to the above:

  • The source from where the personal data came 
  • The categories of personal data concerned in the processing

How should information be given in a privacy policy?

According to the GDPR, information in a privacy policy is required to be given in a ‘comprehensible and easily accessible form’. 

In writing or orally?

Information in a privacy policy can be given in writing or in an electronic format where applicable. It can also be given orally, but this is usually done where requested by someone whose personal data is or will be processed. 

The privacy policy should be easily accessible, in other words it should be easy to find. For organisations who have a digital presence, it should be notably visible on websites, for example in the footer of every page of a website and included as a link in commercial email communications. 

Where a controller is communicating for the first time with an individual whose data was received indirectly, as explained above, it should be included in the main body of the email. 

Be sure to present the information under a heading or title that clearly indicates what it is and makes it easy to find. Remember that font size, colour and more can affect the visibility of website content.

The GDPR requires the information in a privacy notice to be provided in ‘clear and plain language’ and in a ‘concise’ manner.

As you can imagine, what is considered to be ‘clear and plain’ depends on the intended reader of the privacy notice. The information included and the way it is presented will depend on the persons whose data is being processed. Language used to address adults should differ from language used to address children and, in some cases, separate privacy notices can be made for children and adults. 

Ensure that the information in your privacy notice can be understood by those whose personal data you are collecting and using – you can even ask people who represent those whose personal data you are collecting and using to read your notice before publicly disclosing it to ensure it can be understood. 

Despite requiring that privacy notices contain specific pieces of information, the GDPR also states that privacy notices should be concise, in other words, brief, short. This is somewhat difficult, especially for organisations that process large amounts of personal data. However, the intention is to make the information easy for the reader to grasp. Recommendations on how to achieve this include: 

  • Layered privacy notices – a notice containing layers of information, each layer covering more detailed information. Data protection regulators have encouraged these to have no more than 3 layers. 
  • Just-in-time privacy notices – notices which are given or provided when relevant, such as before accepting an offer for a service or a product, or when personal data which has been collected previously is going to be used for another purpose or reason than the one it was collected for. 

A privacy notice should be given free of charge. An organisation cannot charge an individual for access to the privacy notice.

Summary

Being transparent about the processing of personal data, and clear with individuals whose personal data is being processed about what data is being processed, how and why, is a key requirement under the GDPR. Privacy notices should be written carefully, considering the intended reader of the information and how to communicate in as concise and clear a way as possible. Most of the information in a privacy notice can be taken from other activities which a controller will already have undertaken as part of ensuring they are following the GDPR - data mapping and inventory activities and record-keeping decisions. This means that writing a privacy policy does not have to be a large undertaking and that most of the information should be readily available. You are welcome to use our checklist above to guide you in your writing, but please note that it is for information purposes only and does not constitute legal advice. Finally, after spending much time writing a privacy policy, be sure to share it and make it available and visible to all who need it. As always, should you have any questions, we welcome you to contact us. An initial discussion and evaluation of your topic will always be free of charge. 
