GDPR-related documents
Privacy Notice is a mandatory GDPR-related document
A Privacy Notice is a mandatory GDPR-related document that the company must draw up to inform the data subjects about the company’s processing of their personal data.
What a Privacy Notice Is
A Privacy Notice is a mandatory GDPR-related document and the most common GDPR-related document that companies have. In it, the company informs the data subjects about the processing of their personal data.
This includes, for example, the legal basis for the processing, the purpose of the processing, the rights of the data subjects, the contact details of the company and of its data protection officer (if it has one), as well as the national data protection authority. The content of a privacy notice is regulated in Articles 13 and 14 of the GDPR. It is important that these minimum requirements are met.
Companies must inform data subjects about the processing
Data subjects have the right to receive information about the processing of their personal data. This applies both before the processing starts and, if the data subject so requests, while it is ongoing. In addition, the GDPR requires companies to be transparent about all their processing of personal data. This is usually done by the company describing its processing operations in a privacy notice presented to the data subjects. In accordance with Article 13, the information on the processing shall be provided to the data subject when the personal data are obtained or collected.
What is the difference between a Privacy Policy and a Privacy Notice?
Many people confuse a privacy policy with a privacy notice. Here is the main difference between a privacy policy and a privacy notice:
Privacy policy
A policy is an internal governance document that is often drawn up by the board of directors or management, and this also applies to a privacy policy. The policy is about how the company should work with data protection and is aimed at employees.
Privacy Notice
A privacy notice is an external document that informs data subjects about how the company processes personal data. The Privacy Notice is a mandatory GDPR-related document that should be posted on the company's website, as well as linked at the end of the emails the company sends.
Many companies forget to inform about the processing through contact forms on the website
It is common for companies to have contact forms on their website that visitors can use to ask questions or order services/products from the company. Often, the visitor needs to fill in their contact information so that the company can respond to the message. The company therefore processes personal data as soon as it has received the request via the contact form. A common mistake that many companies make is not to inform about the processing in connection with the contact form, i.e. before the personal data are collected. This can be done, for example, by linking to the company’s privacy notice in the contact form, above the “send” button.
If the data subjects are children
If a company processes personal data belonging to children, the rules are stricter than for adults. This means, among other things, that the language of a privacy notice should be understandable to children. In addition, it must be drafted in the national language and be relatively concise, with simple sentences that are easy to read and understand.
A large company was fined since their Privacy Notice was in English
In the Netherlands, a large international company had to pay a fine for, among other things, drafting its privacy notice in English. The company has many children as users and therefore the privacy notice for the data subjects (the children) should have been in Dutch. The fine was 750 000 euro.
Examples of what content a Privacy Notice should have

Controller (Article 13(1)(a) and (b) GDPR)
The privacy notice shall contain the identity of the controller (corporate identity number and legal name), the contact details to the company and a contact person and, where applicable, the data protection officer.

Purposes of the processing (Article 13(1)(c) GDPR)
All processing of personal data must have a purpose, and it must be clear and specific, for example “delivery of service”. Please note that processing personal data merely because ‘it may be good for the future’ is not allowed.

Legal basis (Article 13(1)(c) GDPR)
The legal basis applicable to each processing operation shall be specified. For example, according to Article 6(1)(b) GDPR, “performance of a contract with data subject” is used when customers purchase a service from the company, and the company processes the customer’s personal data in order to deliver the service and fulfill the contract. Furthermore, according to Article 6(1)(a) GDPR, “consent” can be used as a legal basis for processing personal data for statistical purposes through cookies on the website, etc. Please note, in case of consent, the privacy notice according to Art. 13(2)(c) GDPR must contain information that the data subject can withdraw the consent at any time.

Indicate the legitimate interest (Article 13(1)(d) GDPR)
If a company uses the legal basis “legitimate interest” pursuant to Article 6(1)(f) GDPR, the legitimate interest must also be stated in the privacy notice. In such cases, a reference should also be made to the data subject's right to request the Legitimate Interest Assessment (LIA) carried out and documented.

Recipients of the personal data (Article 13(1)(e) GDPR)
It is important to inform whether the personal data will be shared with any third party, such as a supplier or government authority, or companies within the same group of companies. The privacy notice must contain information about the recipients or categories of recipients to whom the personal data will be disclosed.

Transfer of personal data (Article 13(1)(f) GDPR)
If the company intends to transfer the personal data to a third country, or an international organization, it shall be stated in the privacy notice. It shall also indicate the existence or absence of an adequacy decision by the European Commission. Furthermore, reference must be made to appropriate safeguards and how a copy of them can be obtained.

Categories of personal data (Article 14(1)(d) GDPR)
If the company has received the personal data from someone other than the data subject, the privacy notice must contain information about the categories of personal data processed. Some categories of personal data are more sensitive than others, so it is good to have an overall list of the categories that the company handles: for example, names of customers, financial data such as credit card numbers, and sensitive personal data such as employees’ sick leave.

Origin (Article 14(2)(f) GDPR)
If the company does not receive the personal data directly from the data subject, it shall state the source from which it obtained them, for example public registers.

The rights (Article 13(2)(b) GDPR)
Companies must inform data subjects of their rights. For example, the right to object when the legal basis is legitimate interest, the right to have their personal data rectified, erased, etc.

Storage duration (Article 13(2)(a) GDPR)
Companies may not process personal data indefinitely. The data shall be deleted or anonymised when they are no longer necessary for the purpose for which they were collected, and the retention period shall be communicated to the data subjects.

Complaints to the supervisory authority (Article 13(2)(d) GDPR)
The contact details of the national data protection authority to which data subjects may submit complaints shall be set out in the privacy notice.
Continuity plan
To prepare the company and its employees for a possible crisis, so that they know how to act when one occurs, it is good to establish a business continuity plan: a plan for how the company should act in the event of a serious disruption or crisis. In addition, it is useful to establish a Disaster Recovery Policy, which is the technical part of a business continuity plan. Being prepared for a crisis, having instructions for employees, and testing and improving them regularly makes it easier to manage a crisis and minimises its consequences.