Your organisation must create and circulate a privacy notice. It’s a document given to data subjects explaining how their personal data is being collected and used.
A privacy notice serves two main purposes. First, it promotes transparency, giving individuals the chance to see what data is being collected, why and how it’s being used, and how long it will be kept.
Second, it gives individuals the information they need to decide whether to exercise their data subject rights. These are eight rights enshrined in the GDPR that enable individuals to challenge or request changes to the way their personal data is used.
Despite their similar names, privacy notices aren’t to be confused with privacy policies.
Privacy notices are publicly accessible documents produced for data subjects, whereas privacy policies are internal documents intended to explain to employees their responsibilities for ensuring GDPR compliance.
What should a privacy notice include?
Clearly state your organisation’s name, physical address, email address and telephone number.
If you’ve appointed a DPO (data protection officer) or EU representative, you should also include their contact details.
The types of personal data you process
Be as detailed as possible. Don’t simply say ‘financial information’ or ‘contact information’; state exactly what that consists of.
Lawful basis for processing personal data
The GDPR outlines six lawful bases for processing personal data. You may be relying on different bases for different types of data, so specify which basis applies in each instance.
If you’re using legitimate interests, you must describe what those interests are. Similarly, if you are using consent, you must state that the individual can withdraw it at any time.
How you process personal data
Explain whether personal data will be shared with third parties. We also suggest that you specify how you will protect shared data, particularly when the third party is based outside the EU.
How long you’ll be keeping their data
You can only store personal data for as long as it’s needed to fulfil the purpose behind your lawful basis for processing.
In some cases, that’s pretty self-evident: data processed to fulfil contracts, legal obligations, public tasks and vital interests all have clear time frames.
You might be tempted to hang on to the data after it has served its initial purpose, telling yourself that it could be useful for future reference. In some cases, you might have a valid point, but it’s always best to err on the side of caution.
Things are more complicated with consent and legitimate interests, as there’s no clear point at which they stop being valid. We suggest estimating how long the data will be necessary before you collect it, and/or reviewing the necessity of the processing every two years.
Data subject rights
The GDPR endows individuals with eight data subject rights:
- Right to be informed: organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
- Right of access: individuals have the right to request a copy of the information that an organisation holds on them.
- Right of rectification: individuals have the right to correct data that is inaccurate or incomplete.
- Right to be forgotten: in certain circumstances, individuals can ask for the data an organisation holds on them to be erased from their records.
- Right of portability: individuals can request that an organisation transfers any data that it holds on them to another company.
- Right to restrict processing: individuals can request that an organisation limits the way it uses personal data.
- Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.
- Rights related to automated decision-making, including profiling: individuals are free to request a review of automated processing if they believe the rules aren’t being followed.
You should remind individuals that they are free to exercise their data subject rights at any time, and explain how they can do this.
Exceptions to the rule
Any organisation that’s subject to the GDPR must provide a privacy notice whenever it obtains a data subject’s personal information. The only times this isn’t necessary are when:
- The data subject already has the information provided in the privacy notice;
- It would be impossible or involve a disproportionate effort to provide such information;
- The organisation is legally obliged to obtain the information; or
- The personal data must remain confidential, subject to an obligation of professional secrecy.
Need help writing a privacy notice?
Anyone looking for advice on how to create a privacy notice should consider our customisable template.
Written and developed by data protection experts, this template takes the guesswork out of the documentation process, giving you the framework you need to create a GDPR-compliant privacy notice.
Our template privacy notice includes annotations to ensure you meet the GDPR’s requirements.
All you need to do is fill in the sections that are relevant to your organisation and make it available to your customers.