Privacy policies / information notices

The GDPR requires data controllers to provide certain information to individuals about its processing of their data. The GDPR specifies some information which must be provided, but depending on the circumstances additional information may need to be provided to ensure the processing is “fair and transparent”.

 

These are generally provided by a “Privacy Policy” or “Privacy Notice”.

 

Contents of the Notices

  • Details of the controller. This includes the controller’s identity and contact details (and, if applicable, those of its representative in the EU and data protection officer)
  • Purpose and basis. The purpose of the processing and its lawful basis (see “Lawful basis for data capture/processing”)
  • Legitimate interests. Where you process on this basis, you will need to set out what legitimate interest you are pursuing
  • Categories. The categories of personal data you are processing (where you don’t collect it directly from the individual)
  • Recipients. This can be specific organisations, or categories of recipients
  • International transfers. Details of the transfers and safeguards involved
  • Retention. The retention period for the data, or the criteria used to determine it
  • Rights. The existence of each of the data subject’s rights. This includes the right to withdraw consent at any time (where relevant) and to lodge a complaint with a supervisory authority
  • Sources. The source of the data, and whether it was publicly accessible (if it wasn’t obtained directly from the individual)
  • Required data. Whether the individual’s provision of the data is part of a statutory or contractual requirement or obligation, and if so, the consequences of not doing so (where the data is obtained directly from the individual)
  • Automated decision making. The existence of automated decision making, including profiling and information about how decisions are made, and the significance and consequences of those decisions

 

When the notice must be provided

If you obtain data directly from the individual, you will need to provide a notice at that point.

If not, you must provide it:

  • within one month; or
  • (if you will be using it to communicate with them) at the point of first communication; or
  • (if you will be disclosing it to another recipient) before that disclosure takes place.

 

If providing a notice would be impossible, or require disproportionate effort, you will not have to provide a notice. You will still need to ensure you protect individuals’ interests and make your information notice publicly available.

Where EU or UK law requires you to obtain or disclose information, or it must remain confidential (due to UK or EU regulated professional or statutory secrecy obligations) you will also not need to provide a notice.

 

Style of the Notice

The GDPR makes clear that notices must be:

  • concise, transparent, intelligible and easily accessible
  • written in clear and plain language, particularly if addressed to a child
  • free of charge.

 

In practice, given the volume of information which has to be communicated, this may mean using “layered” (a series of headings that individuals can click on to display further content) and “just in time” (pop out boxes which briefly explain how information is used at the point an individual inputs it) notices as well as “privacy dashboards” (an online function to provide individuals with granular and meaningful information and choices to help them exercise control of their data).

There have also been discussions around standardised icons by which data controllers can quickly explain certain uses of data.