Privacy policies are an integral part of GDPR Compliance. For organizations to begin with their compliance journey must first draft a GDPR Compliant privacy policy. This creates in helping a road map towards achieving compliance. Organizations falling in the scope of GDPR should revisit their privacy policies and check whether the existing policies are aligned with the requirements of GDPR. The GDPR is a globally recognized privacy law established to protect the privacy and rights of citizens of the EU.
The legislation requires organizations dealing with the personal data of EU citizens to implement measures and establish policies and procedures that uphold the privacy rights of the citizens. As per GDPR the Privacy policy of an organization should be detailed, transparent, and comprise all disclosures. That said, the policy should also be drafted readable and should easily accessible to employees, customers, and other stakeholders. Covering more about the GDPR privacy policy in detail we have shared a checklist that can help your organization draft the policy in alignment with the GDPR requirements. Refer to the checklist below to understand what the GDPR policy should comprise.
GDPR Privacy Policy Checklist
A privacy policy or a privacy notice as it is often referred to is a document that provides disclosures or information on data management concerning the use of individuals’ personal data. It is a detailed document that informs people on how their data is gathered, used, shared, stored and, managed.
GDPR imposes requirements on the disclosures and transparency to be maintained in the company’s privacy policy. Article 12 -14 of GDPR outlines specific requirements that should be a part of an organization’s privacy policy. These requirements are summarized below and should be considered when developing the company privacy policy.
GDPR Privacy Notice Requirements
As per GDPR requirements, organizations must provide people with a privacy notice that is
- Concise, transparent, and in an easily accessible format
- The content written should be clear and plain language easy to read and understand, particularly for any information specific to children.
- The text should be in the active tense. The sentences and paragraphs should be well structured, using bullets to highlight specific points of note. Avoid unnecessarily legalistic and technical terminology.
- Privacy notices should avoid using qualifiers such as “may,” “might,” “some,” “often,” etc. as they are vague.
- Privacy Notice should be provided promptly
- Privacy Notice should be freely available at no cost.
- Privacy Notice should be provided in writing and where appropriate should be provided electronically.
- Organizations having websites should publish their privacy notice under the title “Privacy Policy”. This should be accessible via a direct link from every webpage.
- If the website collects any personal data online then the privacy notice should be provided on the same page where the data is collected.
- The privacy notices must also be available in an audio format or orally upon request to ensure comprehension and to aid the visually impaired.
GDPR requirements also clearly outline the kind of information that an organization must share in their privacy notice. However, this could vary based on how and from where the data was sourced. So, depending on whether an organization collects its data directly from an individual or receives it from a third party the requirement will vary. If an organization is collecting information from an individual directly, it must include the following information in its privacy notice.
Information about processing of personal data
- Purpose of processing the personal data
- Legal basis for processing be it by consent, for the performance of a contract, or necessary for the purposes of legitimate interests of the data controller
- Legitimate interests of the controller or a third party if any
- Whether automated decision-making, including profiling, will take place. This further includes details of the significance and the potential consequences of such processing.
Details about the collection and use of personal data
- Categories of personal data collected
- Recipients or categories of recipients that receive personal data
- Any transfers of personal data to countries outside of the EEA. This should include, mentioning of the applicable safeguards in place)
- Data retention policy with details as to how long the data will be stored and criteria used to determine that period.
- Any automated processing of personal data including profiling and how decisions will be made, the significance and consequences of automated processing.
- Whether the provision of personal data is part of a statutory or contractual requirement and possible consequences if an individual refuses to provide personal data.
Information on individual rights
- Right to access personal data
- Right to rectification of personal data held incorrectly or incomplete
- Right of erasure of personal data or right to be forgotten
- Right to restrict/suspend the processing of personal data
- Right to complain to a supervisory authority
- Right to data portability if the processing is based on consent and automated means
- Right to withdraw consent at any time if the processing is based on consent
- Right to object processing if the processing is based on legitimate interests
- Right to object processing of personal data for direct marketing purposes
Contact Information
- Name and contact details of the data controller or any of their representative
- Name and contact details of the Data Protection Officer (DPO).
If an organization obtains your data from a third party or via another organization then it is important to note that the privacy notice must include all the above information, except for whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data. The privacy policy must also include or rather mention the categories of personal data obtained from the third party.
Further, as per Article 14(3) of GDPR, if the data controller obtains personal data from a third party, then they must communicate the above information to the data subject not later than one month after they have obtained the data, at the time you first communicate with the data subject, or before sharing the data with another organization.
Conclusion
Organizations looking to draft a privacy policy must consider the above-mentioned points to ensure their policies are in alignment with the GDPR Regulation. Failing to comply with the mentioned requirements could result in a breach of the regulation and hefty penalties. If in doubt consult a compliance expert who can help you with drafting the privacy policy. We at VISTA InfoSec work with our clients to support them in their compliance journey. Our compliance experts can handhold you and provide you with end-to-end support in the implementation of measures and also advice you in the drafting of such privacy policies.