Nowadays, it is impossible to run a business or other organisation without ‘processing’ personal data.
Processing covers almost any operation on data, including storing, sharing, deleting, or using it.
The EU General Data Protection Regulation (EU GDPR) and the UK General Data Protection Regulation (UK GDPR) regimes impose certain obligations on personal data processors and those who control the processing.
This article explains why a privacy notice is required and what information it should include.
Privacy Notice: The Right to be Informed
Articles 13 and 14 of the GDPR afford data subjects the right to be given information where personal data is:
- collected from the data subject (Article 13): This can either be where data subjects voluntarily provide their personal data to a controller or where the data is collected by observation. Examples of the latter are data-capturing devices or software such as CCTV or Wi-Fi tracking.
- not obtained from the data subject (Article 14): This can happen where the data is collected from third-party controllers, publicly available sources, data brokers, or other data subjects.
Information to Include When Drafting a Privacy Notice
Regardless of the methods used for data collection, a privacy notice should contain the following information:
- The identity and contact details of the controller: there should be some information about who they are and how they can be contacted.
- The purpose and legal basis for the processing: there are many different reasons for collecting data, such as processing orders, staff administration or marketing. Data controllers/processors should specify the particular purposes for which the data is used.
In addition to the purpose, Article 6(1) of the GDPR lists situations in which data processing is lawful. Data controllers are required to rely on one or more of these bases in their privacy notice.
- The storage period: it is mandatory to specify how long the data will be retained. If there is no particular time frame, data controllers/processors must set out the criteria they use to decide how long they will keep the data.
- The data subject’s rights: people have rights in relation to the use of their data. This includes access, rectification, erasure, restriction, objection to processing of personal data and data portability. The privacy notice should accurately reflect what the rights are and how the data subjects can take steps to enforce their rights.
- Right to lodge a complaint: information about the right of individuals to lodge a complaint with the Information Commissioner under the UK GDPR should be explained in the privacy notice.
Under Article 77 of the EU GDPR, a data subject has a right to lodge a complaint with a supervisory authority in the Member State of their habitual residence, place of work or of an alleged infringement of the EU GDPR.
- The right to withdraw consent: when data is processed with the explicit or implicit consent of the data subject, they are entitled to withdraw their consent at any time. The steps to be taken in order to withdraw the consent must be explained in the notice.
- The persons with whom this data will be shared: information about the organisations that process the data on the controller's behalf, and any other organisations involved, must be specified in the notice. In certain circumstances naming only the category of recipients may be acceptable; otherwise the general rule is that the recipients must be named individually.
If the data will be transferred to a third country or international organisations, this should be specified in the notice.
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data: data subjects need to know if they are required by law or contract to provide their data and what the consequences are if they fail to do so.
- Details of automated decision-making: where automated decision-making software uses the personal data, data subjects must be informed that such activity takes place. Details of how the algorithm works and to what end shall be provided.
- The legitimate interest for processing: where the lawful basis being relied upon for data processing is ‘legitimate interest’ in accordance with Article 6(1)(f), the details of the interests must be explained.
- The contact details of the Data Protection Officer (DPO): under the UK GDPR, certain organisations are required to appoint a DPO to assist them with GDPR compliance.
In summary, it is important for businesses to map out the information flow through their organisations and how that information is processed prior to deciding what to include in their privacy notice.