What are the key ingredients of a Privacy Notice?
The key clauses to include in a privacy notice.
Nowadays, it is impossible to run a business without ‘processing’ personal data.
Processing personal data includes storing, sharing, deleting, or using the data. Personal data refers to information about a person that can identify them. Different organisations process personal data for different reasons, but it is important that all data processors and controllers comply with the legislative framework that governs data protection in the UK.
The EU General Data Protection Regulation (EU GDPR) and the UK General Data Protection Regulation (UK GDPR) regimes impose certain obligations on personal data processors and those who control the processing, also known as data controllers.
As an important part of these obligations, the controller of personal data processing is required to provide certain information in clear and plain language to those whose personal data is processed (data subjects). This is to ensure that data subjects are aware of why their data is collected, how it is used and with whom it is shared.
Privacy Notice: The Right to be Informed
Articles 13 and 14 of the GDPR afford data subjects the right to be given information where personal data is:
- collected from the data subject (Article 13): This can either be where data subjects voluntarily provide their personal data to a controller or where the data is collected by observation. Examples of the latter are using data capturing devices or software such as CCTV or wifi tracking to collect personal information.
- not obtained from the data subject (Article 14): This can happen where the data is collected from third-party controllers, publicly available sources, data brokers, or other data subjects.
Information to Include When Drafting a Privacy Notice
Regardless of the methods used for data collection, a privacy notice should contain the following information at a minimum:
- The identity and contact details of the controller: there should be some information about who they are and how they can be contacted. If the controller has a representative, the details of the representative should also be available to the data subject.
- The contact details of the data protection officer: A data protection officer (DPO) is appointed by organisations to supervise and coordinate the organisation's GDPR compliance strategy. The DPO is generally an expert on the principles of the GDPR and is an important point of contact for data subjects.
- The purpose and legal basis for the processing: there are many different reasons for collecting data, such as processing orders, staff administration or marketing. Data controllers/processors should specify the particular reasons for which the data is used.
In addition to the purpose, Article 6(1) of the GDPR lists situations in which data processing is lawful. Data controllers are required to rely on one or more of these bases in their privacy notice.
- The storage period: it is mandatory to specify how long the data will be retained. If there is no particular time frame, data controllers/processors must outline a list of criteria they use to decide for how long they will keep the data.
- The data subject’s rights: people have rights in relation to the use of their data. This includes access, rectification, erasure, restriction, objection to processing of personal data and data portability. The privacy notice should accurately reflect what the rights are and how the data subjects can take steps to enforce their rights.
- Right to lodge a complaint: information about the right of individuals to lodge a complaint with the Information Commissioner under the UK GDPR should be explained in the privacy notice.
Under Article 77 of the EU GDPR, a data subject has a right to lodge a complaint with a supervisory authority in the Member State of their habitual residence, place of work or of an alleged infringement of the EU GDPR.
- The right to withdraw consent: when data is processed with the explicit or implicit consent of the data subject, they are entitled to withdraw their consent at any time. The steps to be taken in order to withdraw the consent must be explained in the notice.
- The persons with whom this data will be shared: information regarding the organisations that process the data on their behalf or any other organisations involved must be specified in the notice. Under special circumstances, naming the category of recipients might be accepted, otherwise the general rule is that the name of individuals must be specified.
If the data will be transferred to a third country or international organisations, this should be specified in the notice.
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data: data subjects need to know if they are required by law or contract to provide their data and what the consequences are if they fail to do so.
- Details of automated decision-making: where automated decision-making software uses the personal data, data subjects must be informed that such activity is taking place. Details of how the algorithm works and to what end must be provided.
- The legitimate interest for processing: where the lawful basis being relied upon for data processing is ‘legitimate interest’ in accordance with Article 6(1)(f), the details of the interests must be explained.
- The contact details of the Data Protection Officer (DPO): under UK GDPR, certain organisations are required to appoint a DPO to assist them with GDPR compliance.
In summary, it is important for businesses to map out the information flow through their organisations and how that information is processed prior to deciding what to include in their privacy notice.