You’ve seen them pop up all over the internet – here’s a quick reminder of why Privacy Notices are so important.
The GDPR requires organisations to make sure everyone they process data about is fully informed about the processing activities and their rights.
The acid test is this: no-one should feel surprised about data processing activities.
What should be included? A privacy notice must contain these elements:
- Name and contact details of the organisation that processes the data
- What the data is used for (i.e. the purposes)
- The legal basis (or bases) relied on for the processing
- What the organisation’s legitimate interests are (if applicable)
- Whether the data is transferred to any other organisations, and if so, who and why
- Whether the data is transferred outside Europe, and if so, what security measures are in place
- Whether the data is being used by a computer algorithm for automated decision making or profiling
- Some general information about data subjects’ rights
Privacy Notices should be written in clear and concise language; they should also be as short as possible and avoid unnecessary jargon or abbreviations that the ‘man on the Clapham bus’ would not understand.
However, it is also important not to ignore or conceal anything about the data processing activities; any processing that isn’t outlined in a Privacy Notice is unlawful.