GDPR Privacy Notice

Published on: 07 Sep 2022

GDPR Privacy Policy Checklist

The General Data Protection Regulation (GDPR) is an EU data privacy law that upholds the rights of individuals in the EU and gives them more control over how organizations use their personal data. If your company handles the personal data of people in the EU, it is expected to comply with GDPR, whether or not the company itself is based in the EU. Like any other regulation, GDPR requires an organization to abide by the rules and requirements set out in the law.

The organization is expected not only to implement the measures outlined in the law, but also to have in place certain legal documents and statements that form an essential part of the regulatory requirement. One such document is the GDPR Privacy Notice. This is an important document that the organization must publish on its website or otherwise provide to the individuals whose data it processes.

To explain the importance and relevance of this document, this article covers what you as an organization need to know about the GDPR Privacy Notice and the requirements the regulation places on it.

What is a Privacy Notice?

A Privacy Notice is an essential document under the GDPR compliance requirements. It explains how the organization processes personal data. GDPR itself does not use the term; it lists the information that must be provided to data subjects in Articles 13 and 14, and "Privacy Notice" is the common name for the document that carries this information. The document ensures transparency in data processing and helps individuals assert more control over the data the organization uses.

GDPR requires an organization to provide such a document detailing the purpose of collecting the data and the way the data will be stored, used, and processed by the organization. It is also important to understand that a GDPR Privacy Notice is different from a Privacy Policy. The two documents are often confused and treated as the same thing.

Let us understand the difference between the two documents before we proceed any further on understanding the regulatory requirement of the GDPR Privacy Notice.

How is a Privacy Notice Different from a Privacy Policy?

Privacy Policy and Privacy Notice are terms used not just in the GDPR but also in other data security and privacy laws. Although they sound similar and are often used interchangeably, they are different documents that serve different purposes. The comparison below shows how the two documents differ and what each is used for.

Definition

Privacy Notice: A document provided to, or displayed online for, customers, visitors, and users to inform them how the organization processes or uses their information.

Privacy Policy: A document made available to employees, stakeholders, and third-party vendors of the organization. It is an internal document that guides employees and vendors in handling sensitive personal data securely and in ensuring the privacy, confidentiality, and integrity of that data.

Purpose

Privacy Notice: To let people know how the organization uses their data and to establish transparency in the data processing activity.

Privacy Policy: To guide employees on how to protect and securely handle personal data.

Content

Privacy Notice includes:
• The types of information or data collected.
• The reasons or purposes for collecting the data, including the legal basis for that collection.
• How the collected data will be used and stored, and for how long it will be retained.
• How to opt out of data collection and how to ask the controller to delete stored personal information.

Privacy Policy includes:
• Details related to consent and the rights of the individual.
• The purpose and lawful basis for collecting personal data.
• Information disclosure rules and guidelines.
• Rules and guidelines for securely handling personal data.
• The security practices established to maintain the confidentiality, integrity, and privacy of the data.

Publishing

Privacy Notice: Published online on the company website and made available to the general public.

Privacy Policy: Used internally within the organization by employees, third-party vendors, and stakeholders involved in processing and storing personal data.

When Should You Provide GDPR Privacy Notice?

GDPR requires organizations that process personal data to provide or publish an explicit privacy notice in order to meet the transparency principle of Article 5(1)(a). Lawful processing is not just a matter of obtaining consent (or establishing another legal basis); individuals must also be kept informed about how their data will be stored and used and what measures protect its confidentiality and integrity. Articles 12, 13 and 14 of the GDPR set out how this information must be provided and communicated to individuals.

When personal data is collected directly from individuals in the EU (Article 13), the Privacy Notice must be provided at the time the data is obtained. When the data is obtained from another source rather than from the individual (Article 14), the notice must be provided within a reasonable period after obtaining the data and at the latest within one month; if the data is used to communicate with the individual, at the latest at the time of the first communication; and if disclosure to another recipient is envisaged, at the latest when the data is first disclosed. If the organization intends to process the data for a purpose other than the one stated when it was collected, it must inform the individual of that new purpose before the further processing begins.


What information must a Privacy Notice include?

The Privacy Notice must contain the following information when published or provided to individuals:

When the personal data is collected directly from individuals (Article 13)

  • The identity and contact details of the organization (the controller) and, where applicable, of its representative in the EU and its Data Protection Officer.
  • The purposes for which the personal data is collected and processed, and the legal basis for each purpose.
  • Where processing relies on legitimate interests, the legitimate interests pursued by the organization or by a third party.
  • The recipients or categories of recipients of the personal data.
  • Whether the personal data will be transferred to a country outside the EU and, if so, the adequacy decision or appropriate safeguards (such as standard contractual clauses) relied on, and how to obtain a copy of them.
  • The categories of personal data collected and processed.
  • The retention period or, where that cannot be stated, the criteria used to determine it.
  • The data subject's rights (access, rectification, erasure, restriction, objection, and data portability), the right to withdraw consent at any time where processing is based on consent, the right to lodge a complaint with a supervisory authority, and how to exercise these rights.
  • Whether providing the personal data is a statutory or contractual requirement or obligation, and the consequences of failing to provide it.
  • The existence of any automated decision-making, including profiling, with meaningful information about the logic involved and the significance and envisaged consequences for the individual.

When personal data is obtained from a source other than the individual (Article 14)

If an organization obtains personal data indirectly, for example from a third party, the Privacy Notice must include all the information listed above and, in addition:

  • The categories of personal data obtained.
  • The source of the personal data and, if applicable, whether it came from publicly accessible sources.

This information must be provided within a reasonable period and no later than one month after the data was obtained; at the latest at the first communication with the individual, if the data is used to contact them; and before the data is first disclosed to another recipient, if such disclosure is envisaged.

What is the GDPR Privacy Notice Best Practice?

GDPR requires organizations to provide people with a Privacy Notice that is:

  • Clear, concise, transparent, and in an easily accessible form.
  • Written in plain and clear language, especially where the information is addressed to a child.
  • Provided free of charge.
  • Free of vague qualifiers such as "may," "might," "some," and "often," which make the notice look purposely misleading or evasive about what is actually done with the data.
  • Written in the active voice, with well-structured sentences and paragraphs, using bullet points to highlight specific points of note.

The Article 29 Working Party's guidelines on transparency under the GDPR, since endorsed by the European Data Protection Board, list phrases that should be avoided because they are not sufficiently clear about the purposes of the processing.

Final Thought

Data protection is not just the responsibility of Data Controllers but also of Data Processors and everyone else involved in handling personal data. The obligation to keep individuals informed about the use of their data rests with the controller, which must provide the Privacy Notice, while processors support the controller in meeting it. Since individuals have the right to know how their information is used, the Privacy Notice is a crucial document. By telling them how their personal data will be used, it reassures them that the organization is taking measures to protect the privacy of their data and that it is not misused in any way. This helps build trust among customers and reflects the effort the organization puts into data protection.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.