What information needs to be included in a privacy policy?

01 Jun 2022

When processing personal data, the controller must adhere at all times to the principle of transparency. In practice, this means that data subjects should be adequately informed about the different processing activities that might take place using their personal data. More often than not, this information is provided by means of a privacy policy. In this blog by Stan Elsendoorn, we shall take a closer look at the specific information that needs to be provided, as well as the core values that need to be taken into account when drawing up a privacy policy.

General requirements

Article 12 of the GDPR lists several requirements that should be kept in mind when writing a privacy policy. Each of these requirements shall be further explained below.

I. Concise, transparent, intelligible and in an easily accessible format

The information needs to be presented/communicated efficiently in order to avoid information fatigue, whilst also being intelligible, meaning that the information is comprehensible by the average member of the intended audience.

II. Written in clear and plain language

The information should be provided in as simple a manner as possible, avoiding complex sentences and language structures. Abstract or ambivalent terms which could leave room for different interpretations should be avoided. When targeting children, the controller should also ensure that the vocabulary, tone and style of the language used to communicate the information is appropriate to and resonates with children.[1]

III. Delivered in a timely manner

The information must be provided in a timely manner. The specific time frame depends on the manner in which the personal data are obtained: when the personal data are directly obtained or collected from the data subject, the information should be provided directly after obtaining the personal data. When the personal data are obtained from third parties or other sources, the general rule is that the information should be provided within a reasonable time period and no later than one month after obtaining the personal data. This one-month time limit is curtailed in the following situations: (i) when the first communication with the data subject takes place before the one-month time frame has expired, or (ii) when the personal data are disclosed to another recipient. In those situations, the information should (at the very latest) be provided at the time of the disclosure and/or the first communication with the data subject.[2]

IV. Provided free of charge

Finally, it is not allowed to restrict access to a privacy policy through the use of a paywall or any other technical/financial means.

Necessary information

In addition to the aforementioned requirements, the following information – depending on the manner in which the personal data were obtained – should also be included when drawing up a privacy policy:

Necessary information when the personal data is directly provided by the data subject (article 13 GDPR)

I. The identity and contact details of the controller;
II. (Where applicable) the contact details of the data protection officer;
III. The purpose and legal basis for the processing;
IV. (Where applicable) if the legal basis for the processing is a legitimate interest of the controller, a description of said interests;
V. (Where applicable) the (categories of the) recipients of the personal data;
VI. (Where applicable) if the controller intends to transfer the personal data to a recipient in a third country for which the EU has not (yet) adopted an adequacy decision, the appropriate and/or suitable safeguards taken;
VII. The (criteria to determine the) period for which the personal data will be stored;
VIII. Information on the existence of the data subject's rights, including the right to request access to, rectification or erasure of the personal data, the right to restrict or object to the processing of personal data, as well as the right to data portability;
IX. (Where applicable) if the legal basis for the processing activities is the consent of the data subject, the existence of the right to withdraw said consent at any given time;
X. The right to lodge a complaint with the supervisory authority;
XI. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data;
XII. (Where applicable) Information on the existence of automated decision-making, including profiling, together with meaningful information about the logic involved, as well as the significance and the consequences that such automated decision-making might entail for (the rights of) the data subject.

Obtained from third parties or other sources (article 14 GDPR)

When the personal data are obtained from third parties or different sources, the privacy notice must contain the same information as mentioned above, with the exception of:

XI. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data

Which must be replaced by:

XI. The source from which the personal data originate.

Conclusion

There are a lot of things to keep in mind when drawing up a privacy policy. One should not only take into account the aforementioned prerequisites, but also the way in which this information is conveyed to the data subject.

In need of a privacy policy or other GDPR-documentation? BG.Legal offers a GDPR-starterkit that is specifically tailored to entrepreneurs. For more information, please check the following link.

[1] WP29, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01), 11th of April 2018, rec. 12 to 16.

[2] Article 13.1 jo. 14.3 (a) to (c); WP29, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01), 11th of April 2018, rec. 26 to 28.

Stan Elsendoorn
