GDPR Privacy Notice Requirements
As per GDPR requirements, organizations must provide people with a privacy notice that meets the following requirements:
- It is concise, transparent, and in an easily accessible format.
- The content is written in clear and plain language that is easy to read and understand, particularly for any information addressed to children.
- The text is in the active voice. Sentences and paragraphs are well structured, using bullets to highlight specific points of note. Unnecessarily legalistic and technical terminology is avoided.
- It avoids qualifiers such as "may," "might," "some," "often," etc., as they are vague.
- It is provided promptly.
- It is freely available at no cost.
- It is provided in writing and, where appropriate, electronically.
- If the website collects any personal data online, the privacy notice is provided on the same page where the data is collected.
- It is also available in audio format, or orally on request, to aid comprehension and to assist visually impaired people.
GDPR also sets out the kind of information that an organization must include in its privacy notice. The exact requirement depends on how and from where the data was sourced: whether the organization collects it directly from the individual or receives it from a third party. If an organization collects information from an individual directly, it must include the following information in its privacy notice.
Information about processing of personal data
- Purpose of processing the personal data
- Legal basis for processing, whether consent, the performance of a contract, or the legitimate interests of the data controller
- Legitimate interests of the controller or a third party, if any
- Whether automated decision-making, including profiling, will take place, together with details of its significance and the potential consequences of such processing
Details about the collection and use of personal data
- Categories of personal data collected
- Recipients or categories of recipients that receive personal data
- Any transfers of personal data to countries outside the EEA, including the applicable safeguards in place
- Data retention policy, with details of how long the data will be stored or the criteria used to determine that period
- Any automated processing of personal data, including profiling, how decisions will be made, and the significance and consequences of the automated processing
- Whether providing personal data is a statutory or contractual requirement, and the possible consequences if an individual refuses to provide it
Information on individual rights
- Right to access personal data
- Right to rectification of personal data that is inaccurate or incomplete
- Right to erasure of personal data (the right to be forgotten)
- Right to restrict/suspend the processing of personal data
- Right to complain to a supervisory authority
- Right to data portability if the processing is based on consent and carried out by automated means
- Right to withdraw consent at any time if the processing is based on consent
- Right to object to processing if the processing is based on legitimate interests
- Right to object to processing of personal data for direct marketing purposes
- Name and contact details of the data controller or their representative
- Name and contact details of the Data Protection Officer (DPO).
Further, as per Article 14(3) of GDPR, if the data controller obtains personal data from a third party, it must communicate the above information to the data subject not later than one month after obtaining the data, at the time of its first communication with the data subject, or before the data is shared with another organization.