One of the most important obligations of an organisation that processes personal data according to the EU GDPR is to inform the data subjects about the personal data processing that takes place inside of the company. The data processor who (cl)aims to be fully compliant makes sure that he takes care of the GDPR Privacy Notice. In this article, learn about what data should you include in this important GDPR document and how to approach this task before you even start.
Sections to be included in a privacy notice
Articles 13 and 14 of the GDPR state exactly what information must be provided to a data subject, both when data is collected from a data subject and when data is collected from third parties. Thus, the following sections must be present in a privacy notice.
1) Who are we?
Here, customers and visitors need to understand who you are and what you do from a business point of view. Knowing who you are and where you are is very important to customers and visitors, as this information is helping them in their decision to entrust you with their personal data.
2) What personal data do we process?
In this section, you need to list all the personal data categories that are being processed in the organisation – for example, name, surname, email address, phone number, purchase history, online activity, etc. You need to be very careful when you list the personal data categories, as often, companies forget to list some data categories that do not seem to be personal data in the beginning.
Regulation 2018/1807 of the European Parliament and of the Council, adopted in November 2018 on a framework for the free flow of non-personal data in the European Union, states in article 2.2: “Where personal and non-personal data in a data set are inextricably linked, this Regulation shall not prejudice the application of Regulation (EU) 2016/679.” This means that a data set that is linked with personal data needs to respect all GDPR requirements.
In May 2019, the Commission of the EU Parliament issued a guidance on the Regulation on a framework for the free flow of non-personal data in the European Union, which states: “If the non-personal data part and the personal data parts are ‘inextricably linked’, the data protection rights and obligations stemming from the General Data Protection Regulation fully apply to the whole mixed dataset, also when personal data represent only a small part of the dataset.”
Let’s take the example of an insurance policy. Because the insurance policy has personal data, all the data in the insurance policy (including policy number, special conditions, etc.) is personal data, and you need to list all the personal data categories.
3) What do we do with your personal data?
Here, you list the scopes of personal data processing and the legal grounds. For example, you can notify data subjects this way: “With your consent, we want to send you a weekly newsletter, and for this we need your email address, and your name and surname, to personalise it.” Or, “In order to establish a contractual relationship between us, we need your name, surname, position in the company, email address, and phone number.” You can see that I didn’t put here the paragraphs from GDPR article 6. That is because you need to provide transparency, and data subjects need to understand what exactly happens with their personal data without having to drill down on specific legal paragraphs.
If you use data for email marketing purposes, you will want to know more about informing your audience about what you do with their data. Learn more about that in the article Email marketing in the era of GDPR – How to ensure compliance?
4) Where do we store your personal data and with whom do we share it?
In this section, you need to explain to the data subject where you are storing their personal data, and with whom you are sharing it and why. You can put it this way: “Your personal data is processed at our company headquarters in […], as well as by […], who acts as a Data Processor for us providing the service of newsletter management.” Or, “Personal data from online activity monitoring is also shared with our online partners […], who act as Joint Controllers.”
This way, you will easily answer questions about where the customer’s data is stored, and this is definitely one of the benefits of the GDPR implementation. For more benefits, read the article 4 key benefits for companies complying with GDPR.
If you send personal data outside the European Economic Area (EEA), you need to provide more details, like:
- Adequacy decisions (countries where personal data can be exported safely, according to article 45, like Andorra, Argentina, Israel, Isle of Man, etc.)
- Appropriate safeguards (standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, legally binding and enforceable instruments – according to articles 46, 47, and 48)
- Derogations (explicit consent from the data subject; transfer necessary for performance of a contract; or for public interest grounds; or for establishment, exercise, or defence of legal claims; or to protect the vital interests of the data subject, etc. according to article 49).
Also, you need to explain why you are sharing data outside the EEA.
5) For how long do we process personal data?
Here, you need to give details regarding personal data processing timeframes and storage timeframes, together with reasons for longer storage (legal requirements, research, legitimate interest, etc.). For example, “Personal data from invoices and contracts will be archived for a period of 7 years as required by the Fiscal Code in our country,” or “Personal data from online draws will be kept for a period of 6 months to fulfil our legitimate interest to defend ourselves against possible complaints.”
6) What are your rights?
This is a very important section because, here, you need to explain to data subjects how they can exercise their rights with regard to personal data processing done by your company. I saw many privacy notices simply listing all the data subject rights, including the ones that are not applicable. For example, Recital 68 GDPR – which expands on the right to data portability – states: “That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract.”
Read more about data subject rights in the article 8 data subject rights according to GDPR.
Don’t be tempted to copy information from other privacy notices; you might list some data subject rights that are not applicable for your organisation. The same goes for the right to object – it applies only if the processing is based on the legal grounds of public interest and legitimate interest. So, if your personal data processing is not based on public interest or legitimate interest, this right does not apply to the data subject.
You need to make sure you provide a simple way for data subjects to exercise their rights. For example, for the right to access (GDPR article 15 ), you can provide a Data Request button if you have a website with customer accounts. Or, you can provide an email address for these requests.
Also, you need to put here the contact address of the DPO, if you have one, in order to allow data subjects to ask for more details or to file complaints. And, of course, you need to provide contact details for your local Supervisory Authority and inform data subjects that they can bring their complaints directly to them.
Keep the customer-oriented language, the so-called “KISS”
Article 12 of the GDPR asks every organisation to take appropriate measures to provide information relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. This means that the communication must not be in “legalese,” but rather using customer-oriented expressions. Keep it short and simple, or, as it’s sometimes abbreviated, “KISS.”
To summarise, it is very important to develop privacy notices using simple and clear language that is easy to understand by the data subjects. You can be creative – you can go beyond paper-based notices to web pages, infographics, animations, movies, etc. Make sure, however, that you list all the processing done in the organisation in order to demonstrate transparency.
To learn more about privacy notices, register for this free webinar: Privacy Notices Under the EU GDPR.