Under the General Data Protection Regulation (GDPR), organizations are required to create a privacy notice that explains to individuals how their personal information will be used.
But what is a privacy notice and what should it include? This blog explains everything you need to know, along with an example GDPR statement.
What is a Privacy Notice?
A privacy notice is one of several documents required by UK data protection law.
Many of these documents are strictly internal, but a privacy notice is provided to customers and other interested parties. It is designed to explain how an organization processes personal data.
There are two reasons for this. First, it provides transparency about how personal data is used, ensuring a level of trust between organizations and individuals.
Second, it gives individuals more control over how their data is used. For example, an individual can submit a DSAR (Data Subject Access Request) or ask the organization to suspend its processing activities.
How to write a privacy notice
Article 30 GDPR states that a compliant document should include the following details:
1) Contact
The first item to include in your privacy notice is your organization’s name, address, email address, and phone number.
If you have appointed a DPO (Data Protection Officer) or EU/UK representative, you must also include their contact details.
2) Types of personal data you process
The definition of personal data is much broader than you might think. Therefore, you need to make sure your notice covers every type of personal data you process and gives the appropriate level of detail.
For example, instead of just saying “financial information,” say if it’s an account number, credit card number, etc.
You should also outline where you obtained the information if it was not provided directly by the data subject.
See our privacy notice template for what this looks like.
Be as specific as possible about the types of information you collect and how you obtain it.
3) Legal Basis for Processing Personal Data
Under the GDPR, organizations can only process personal data if they have a legal basis. Your privacy notice must specify which legal basis you rely on for each purpose of processing.
If you rely on legitimate interests, you should explain them. Similarly, where consent is relied upon, it should be made clear that it can be withdrawn at any time.
Please note that there are specific rules for processing special categories of personal data.
4) How you share personal data
You must explain whether you transfer personal data to third parties.
We recommend that you specify how shared data is protected, especially if the third party is based outside the EU.
You may also need to state whether you share data with organizations based outside the EU.
5) How long you keep personal data
The GDPR stipulates that personal data can be retained as long as the legal basis for processing applies.
In most cases this is easy to determine. For example, if you need to process personal data to meet contractual requirements, you must retain the information for as long as you perform tasks related to the contract.
Similarly, organizations should retain personal data processed to fulfill their legal obligations or official duties as long as those activities are relevant.
In the case of consent and legitimate interest, things are more complicated as there may not be a clear point at which these activities end.
Therefore, we recommend that you review your data retention practices at least every two years.
6) Data subject rights
The GDPR gives individuals eight data subject rights. You must state and explain these in your privacy notice.
- Right to be informed: Organizations should inform individuals what data is being collected, how it is being used, how long it is retained, and whether it is shared with third parties.
- Right of access: Individuals have the right to request a copy of the information an organization holds about them.
- Right to rectification: Individuals can have inaccurate or incomplete data corrected.
- Right to be forgotten: In certain circumstances, an individual can ask an organization to erase the personal data it holds about them.
- Right to data portability: In some circumstances, individuals may request that an organization transfer their personal data to another company.
- Right to restriction of processing: In some circumstances, individuals may request that an organization restrict the use of their personal data.
- Right to object: Individuals have the right to object to certain types of processing, such as direct marketing.
- Rights regarding automated decision-making, including profiling: In most cases, individuals have the right to object to decisions made automatically on the basis of their personal data.
Create your own privacy notice using a template
Use our template to find everything you need to create a GDPR-compliant privacy notice.
The privacy notice template includes annotations to ensure it meets GDPR requirements.
Created by data protection experts, this GDPR template helps you quickly create a privacy notice that meets regulatory requirements.
Is the Privacy Notice the same as the Privacy Policy?
Although many of the topics are the same, please do not confuse the Privacy Notice with the Privacy Policy.
In the context of GDPR, a privacy notice is a publicly accessible document created for data subjects.
In contrast, a GDPR privacy policy is an internal document that describes an organization’s obligations and practices to meet compliance requirements.
When should I provide a GDPR Privacy Notice?
A data controller must provide a privacy notice each time it obtains a data subject’s personal information.
This is not necessary if:
- The data subject already has the information provided in the privacy notice.
- Providing such information would be impossible or would involve an excessive effort.
- The organization is legally obligated to obtain the information.
- Personal data must be kept confidential in accordance with professional confidentiality obligations.
If your organization obtains personal information from a third party, you must provide a privacy notice within one month.
This should be done the first time an organization communicates with a data subject or the first time personal data is shared with another recipient.
The easiest way to provide a privacy notice is to post it on your website and link where appropriate.
If you don’t have a website, make a physical copy of the privacy notice available.
Create a privacy notice
The privacy notice should be written in clear and plain language that data subjects can easily understand.
This is especially important when processing the personal data of children, since many concepts will need to be explained in more detail.
In general, privacy notices should be written in the active voice and avoid unnecessary legal and technical jargon.
Similarly, qualifiers such as ‘may’, ‘might’, ‘some’, and ‘often’ are vague and should be avoided. Saying that something “may” happen does not help the data subject understand under what circumstances it will occur.
Finally, the notice should be free and easily accessible. Don’t hide it in a link at the bottom of a form that most people won’t see.
Instead, the notice should be provided in writing or linked to at the point where personal data is requested.
Take the guesswork out of privacy notices
Looking for more GDPR compliance advice? You can find all the documentation you need in our GDPR Toolkit.
Created by attorneys and experts, this toolkit is the most comprehensive on the market and includes all the steps required to demonstrate GDPR compliance, significantly reducing implementation costs.
Over 3,000 organizations around the world use our GDPR toolkit to simplify and accelerate their projects. If you need help achieving GDPR compliance, this toolkit is for you.