The General Data Protection Regulation (GDPR) is the EU's data protection law. It upholds the rights of individuals in the EU and gives them more control over how organizations use their personal data. If your company processes the personal data of people in the EU, you are expected to comply with GDPR whether or not you are based there. Like any other regulation, GDPR requires an organization to abide by the rules and requirements set out in the law.
The organization is expected to not just implement measures outlined in the law, but also have in place certain legal documents and statements that are an essential part of the regulatory requirement. One such document is the GDPR Privacy Notice. This is an important document that is expected to be published by the organization on its website or provided to individuals whose data is processed by the organization.
To explain the importance and relevance of this document, this article covers what you, as an organization, need to know about the GDPR Privacy Notice and the requirements the regulation places on it.
What is a Privacy Notice?
A Privacy Notice is an essential document required under GDPR. It explains, to the people whose data you hold, how the organization collects and processes their personal data. The document delivers the transparency GDPR demands and helps individuals exercise control over the data the organization uses.
A Privacy Notice is often confused with a Privacy Policy. Let us understand the difference between the two documents before we go any further into the regulatory requirements for the GDPR Privacy Notice.
Content
Privacy Notice includes –
• Type of information or data collected.
• Reasons or purpose for collecting the data, including the legal basis for that collection.
• How the collected data will be used and stored, and for how long it will be retained.
• How to opt out of data collection and how to ask the controller to delete stored personal data.
• Details of consent and the rights of the individual.
Privacy Policy includes –
• Details of the purpose and lawful basis for collecting personal data.
• Information disclosure rules and guidelines.
• Rules and guidelines for securely handling personal data.
• The security practices established to maintain the confidentiality, integrity, and privacy of the data.
Publishing
Privacy Notice – published online, on the company website, and made available to the general public and to the individuals whose data is processed.
Privacy Policy – used internally within the organization by employees, third-party vendors, and stakeholders involved in processing and storing personal data.
When Should You Provide GDPR Privacy Notice?
GDPR requires organizations processing personal data to provide or publish a clear privacy notice in order to meet the transparency principle that underpins lawful processing. Lawful processing is not just about obtaining consent (which is only one of several legal bases); it also means keeping individuals informed about how their data will be stored and used and what measures protect its confidentiality and integrity. GDPR Articles 12, 13 and 14 set out the information that must be given to individuals about the personal data collected and used, and how it must be communicated.
When personal data is collected directly from individuals in the EU, the Privacy Notice must be provided at the time the data is obtained. When the data is obtained indirectly (for example from a third party), it must be provided within a reasonable period and no later than one month after obtaining it; if the data is used to communicate with the individual, at the latest at the first communication; and if it is to be disclosed to another recipient, at the latest when it is first disclosed, whichever of these comes first. A notice must also be provided before the data is used for any purpose other than the one stated when it was collected.
What all information is included in a Privacy Notice?
The Privacy Notice must contain the following information when published or provided to individuals –
When the personal data is collected directly from individuals–
- Identity and contact details of the organization (the controller) and, where one has been appointed, its Data Protection Officer.
- Purpose of collecting and processing the personal data, together with the legal basis for doing so.
- Where processing relies on legitimate interests, the legitimate interests pursued by the organization or a third party.
- Whether the personal data will be transferred to a country outside the EU, whether that country has an adequacy decision, and the safeguards in place to protect the data.
- The categories of personal data collected and processed.
- The retention period, or if that cannot be stated, the criteria used to determine it.
- The data subject's rights (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to complain to a supervisory authority) and how to exercise them.
- Whether providing the personal data is a statutory or contractual requirement, and the consequences of not providing it.
- Whether automated decision-making, including profiling, takes place, with meaningful information about the logic involved and the significance and likely consequences for the individual.
When personal data is collected from a third-party-
If an organization obtains personal data indirectly, from a third party rather than from the individual, the privacy notice must include all the information listed above and also –
- The categories of personal data obtained.
- The source of the data, and whether that source is publicly accessible.
In this case the information must be provided to the individual within a reasonable period and no later than one month after the data was obtained, or at the first communication with the individual, or before the data is first disclosed to another organization, whichever comes first.
What is the GDPR Privacy Notice Best Practice?
GDPR requires organizations to provide people with a Privacy Notice that is –
- Concise, transparent, intelligible, and in an easily accessible form.
- Written in clear and plain language, particularly where it is addressed to a child.
- Provided free of charge.
- Free of vague qualifiers such as "may," "might," "some," and "often"; these make the notice misleading or deliberately vague and do not tell the reader what will actually happen to their data.
- Written in the active voice, with well-structured sentences and paragraphs and bullet points to highlight specific points of note.
The Article 29 Working Party's Guidelines on transparency under GDPR (endorsed by the European Data Protection Board) give examples of phrases that should be avoided because they are not sufficiently clear about the purposes of the processing.
Data protection is not just the responsibility of Data Controllers but also of Data Processors and everyone involved in handling personal data. The duty to inform individuals under Articles 13 and 14 falls on the controller, but processors must support the controller in meeting it. Since individuals have the right to know how their information is used, a Privacy Notice is a crucial document. By telling them how their personal data will be used, it reassures them that the organization is taking measures to protect the privacy of their data and that it is not misused in any way. This builds trust among customers and reflects the effort the organization puts into data protection.