What information needs to be included in a privacy policy?

01 Jun 2022

When processing personal data, the controller must adhere at all times to the principle of transparency. In practice, this means that data subjects should be adequately informed about the different processing activities that might take place using their personal data. More often than not, this information is provided by means of a privacy policy. In this blog by Stan Elsendoorn, we shall take a closer look at the specific information that needs to be provided, as well as the core values that need to be taken into account when drawing up a privacy policy.

General requirements

Article 12 of the GDPR lists several requirements that should be kept in mind when writing a privacy policy. Each of these requirements shall be further explained below.

I. Concise, transparent, intelligible and in an easily accessible format

The information needs to be presented/communicated efficiently in order to avoid information fatigue, whilst also being intelligible, meaning that the information is comprehensible by the average member of the intended audience.

II. Written in clear and plain language

The information should be provided in as simple a manner as possible, avoiding complex sentences and language structures. Abstract or ambivalent terms which could leave room for different interpretations should be avoided. When targeting children, the controller should also ensure that the vocabulary, tone and style of the language used to communicate the information is appropriate to and resonates with children.[1]

III. Delivered in a timely manner

The information must be provided in a timely manner. The specific time frame depends on the manner in which the personal data are obtained: when the personal data are directly obtained or collected from the data subject, the information should be provided directly after obtaining the personal data. When the personal data are obtained from third parties or other sources, the general rule is that the information should be provided within a reasonable time period and no later than one month after obtaining the personal data. This one-month time limit can be curtailed in the following situations: (i) when the first communication with the data subject takes place prior to the end of the one-month time frame, or (ii) when the personal data are disclosed to another recipient. In those situations, the information should (at the very latest) be provided at the time of the disclosure and/or first communication with the data subject.[2]

IV. Provided free of charge

Finally, it is not allowed to restrict access to a privacy policy through the use of a paywall or any other technical/financial means.

Necessary information

In addition to the aforementioned requirements, the following information – depending on the manner in which the personal data were obtained – should also be included when drawing up a privacy policy.

Necessary information when the personal data is directly provided by the data subject (article 13 GDPR)

I. The identity and contact details of the controller;
II. (Where applicable) the contact details of the data protection officer;
III. The purpose and legal basis for the processing;
IV. (Where applicable) if the legal basis for the processing is a legitimate interest of the controller, a description of said interests;
V. (Where applicable) the (categories of the) recipients of the personal data;
VI. (Where applicable) if the controller intends to transfer the personal data to a recipient in a third country for which the EU has not (yet) adopted an adequacy decision, the appropriate and/or suitable safeguards taken;
VII. The (criteria to determine the) period for which the personal data will be stored;
VIII. Information on the existence of the data subject’s rights, including the right to request access, rectification or erasure of the personal data, the right to restrict or object to the processing of personal data, as well as the right to data portability;
IX. (Where applicable) if the legal basis for the processing activities is the consent of the data subject, the existence of the right to withdraw said consent at any given time;
X. The right to lodge a complaint with the supervisory authority;
XI. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data;
XII. (Where applicable) Information on the existence of an automated decision-making system, including profiling, together with meaningful information about the logic involved, the significance and the consequences that the system’s automated decision-making might entail for (the rights of) the data subject.

Obtained from third parties or other sources (article 14 GDPR)

When the personal data are obtained from third parties or different sources, the privacy notice must contain the same information as mentioned above, with the exception of:

XI. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data

which must be replaced by:

XI. The source from which the personal data originate.

Conclusion

There are a lot of things to keep in mind when drawing up a privacy policy. One should not only take into account the aforementioned prerequisites, but also the way in which this information is conveyed to the data subject.

In need of a privacy policy or other GDPR-documentation? BG.Legal offers a GDPR-starterkit that is specifically tailored to entrepreneurs. For more information, please check the following link.

[1] WP29, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01), 11th of April 2018, rec. 12 to 16.

[2] Article 13.1 jo. 14.3 (a) to (c); WP29, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01), 11th of April 2018, rec. 26 to 28.

Stan Elsendoorn,
BG legal