#15 Privacy notices
Welcome back to our series about GDPR requirements! Last week, Albin explained Records of Processing Activities, also referred to as RoPAs. This week, I’m going to guide you through the requirement of privacy notices – how to provide data subjects with information on processing and comply with the principle of transparency and data subjects’ rights.
The requirement to provide information to the data subjects is commonly called the requirement to give a privacy notice. Other terms used are data protection notice, privacy statement or fair processing notice. Your aim with the notice is to provide individuals with an overview of the intended or ongoing processing activity.
The requirements on the content of the notices differ depending on whether the data is collected from the individual or sourced from a third party. You should log any updates to the notices so that you know who has received what information and at what time, and communicate with the data subjects if the information in the notice changes materially. If you only correct spelling mistakes and the like in your notices, for example, you don’t need to communicate this to data subjects in most cases.
So, now that you know the purpose of having a notice, we can move on to what it actually should contain. There is some information you must provide at all times:
- The name and contact details of your organisation or your representative
- The contact details of your data protection officer
- The purpose for each processing activity. If the purposes are unclear at the outset, e.g. if you apply AI to personal data, give people an indication of what you are going to do with their data. When your purpose becomes clearer, update your privacy information and actively communicate this to individuals.
- The legal bases for the processing, and if applicable, an explanation of the legitimate interest you pursue
- Any data processors and other entities you disclose personal data to. You can tell people the names of the organisations or the categories they fall under – choose the option that is the most meaningful.
- Include information on transfers or intended transfers outside the UK with regard to the UK regulation and outside the EU/EEA for the EU regulation.
- Disclose the period for which the data will be stored or the criteria to determine this period.
- Provide information on the existence of the data subject rights that relate to processing.
- Provide information on the individual’s right to withdraw their consent at any time if you base the processing on consent and the right to lodge a complaint with a supervisory authority.
- Whether the individual is under a statutory, contractual, or pre-contractual obligation to provide the personal data. You can skip this requirement if you sourced the data from a third party.
- Provide information on the existence of automated decision-making, including profiling, and the consequences of such processing.
- If further processing is foreseen for a purpose other than the one for which you initially collected the data, you are obliged to provide information about the new purpose as well as the former purpose. Inform people about any new uses of personal data before you start the processing.
If you sourced the personal data from sources other than the data subject, you should provide the following information:
- The types of personal data
- The sources of the data, and if applicable, whether the data come from publicly accessible sources
In addition to this, you need to be very clear with individuals about any uses of personal data that are unexpected or intrusive. Examples of this could include combining information about them from several different sources.
Understandably, this is a lot of information to juggle when creating your notice. DPOrganizer’s professional services team can help you create, review or improve your privacy notice. Any notices and related documentation can easily be uploaded to DPOrganizer’s tool in multiple ways, and all documents are accessible in the document manager. Easy breezy!
I hope this post comes in handy when you create or review your privacy notices. You can find more information on privacy notices under the EU regulation in WP29 Guidelines and for the UK in the ICO Guidelines for organisations on transparency and the right to be informed. Next week, Albin will dig deeper into Data Protection Impact Assessments – DPIAs. So long for now!