GDPR Information to be Provided
GDPR Art. 13 & 14 specify what information needs to be provided to individuals when their personal data is being processed. The former Article covers data collected directly from the data subject, and the information it requires should be provided in a Privacy Notice.
The Regulation is very specific in the information provision requirements, making the format and content of a privacy notice straightforward. However, using a Privacy Notice Template means you will have consistency and structure to your notices. More importantly, a template ensures that any future privacy notices contain all the required information.
Privacy Notice Requirements
When an organisation is collecting personal data relating to a data subject, they are required to provide the below information at the time the data is collected:
- The identity and the contact details of the controller (and if applicable, those of the controller’s representative).
- The contact details of the data protection officer (if applicable).
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
- Where the processing is necessary for the purposes of the legitimate interests, the interests pursued by the controller or by a third party.
- The recipients or categories of recipients of the personal data.
- Intent to transfer personal data to a third country or international organisation and the existence or absence of an adequacy regulation by the Secretary of State. Where applicable, reference to the appropriate or suitable safeguards and how a copy of them can be obtained.
- The period for which the personal data will be stored and/or the criteria used to determine that period.
- The right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject.
- The right to object to processing.
- The right to data portability.
- Where the processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- The right to lodge a complaint with the Commissioner.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
- Whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data.
- The existence of any automated decision-making (including profiling) and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Example Headings for Privacy Policy or Notice
When drafting your Privacy Policy Template, you want to ensure that it is user friendly. That means using clear and consistent language and a simple format. Separating each of the Article requirements under different headings is a great way to differentiate the information.
Privacy Policy Example Headings
From the information disclosure Articles in the GDPR, you can get a good understanding of what headings and descriptive content make up a privacy notice. Headings can include areas such as:
- Who We Are – a summary of your organisation, trading and registered office details, company number (if applicable) and who your DPO/Lead is (your identity & contact details plus those of any rep)
- Information We Collect – what personal information do you obtain/process; reasons for processing and in what ways do you obtain personal data (i.e. via orders, contact forms, employees etc)
- How We Use Your Personal Data – the legal basis for processing, what you intend to do with the data and when you will/won’t process it (i.e. will never disclose, share or sell your data without your consent, unless required to do so by law). It makes for a clear notice if you bullet point the ways you use data and the basis you are relying on:
Example: The purposes and reasons for processing your personal data are detailed below:
  - We collect your personal data in the performance of a contract, to provide a service to you and to ensure that orders are completed and can be sent out to your preferred address
  - We collect and store your personal data as part of our legal obligation for business accounting and tax purposes
- Data Subject’s Rights – detail the rights an individual has such as accessing personal information, having inaccurate data corrected, data portability, objecting to, or restricting processing etc
- Sharing and Disclosing Your Personal Information – who do you share personal data with and why? What safeguarding measures do you/they have in place? It is good practice to add a link to the recipient’s privacy policy/notice
Example:
  ABC Accounting Ltd
  123 The Street, Town, AA1 1AA
  01234 567890
  We use ABC Accounting Ltd to do our book-keeping and tax returns and they act in the capacity of a processor on our behalf. The only information we provide them with is your name, address and order details to meet business and legal requirements. For more information about ABC Accounting Ltd, please read their Privacy Notice at www.abcaccount.com/privacy-policy
- Transfers Outside the EU – if you send/store any personal data outside the EU; name the recipients, state the reason it is sent/stored, what safeguarding measures do you rely on? (i.e. Adequacy Decision, Binding Corporate Rules, Measures & Controls etc)
- Safeguarding Measures – what technical and organisational measures have you put into place to secure processing and personal data and reduce the risk posed to individuals? (i.e. SSL, TLS, encryption, pseudonymisation, restriction, IT, authentication etc)
- Consequences of Not Providing Your Data (if applicable) – required if relying on statutory or contractual requirement legal basis
- Legitimate Interests (if applicable) – if you are relying on legitimate interests for processing, state what those interests are
- How Long We Keep Your Data – retention periods or the criteria used to determine those periods
- Marketing – if you send/intend to send marketing to individuals, this needs to be stated and the legal basis (consent or legitimate interests) along with appropriate and compliant opt-in mechanisms & right to opt-out
- Lodging A Complaint – add contact details of the Supervisory Authority and state an individual’s right to lodge a complaint with them
- Automated Decision Making (if applicable) – note the existence of automated decision-making, including the logic involved & any consequences of such processing
- Source (if applicable) – state the original source of the personal data and if that source was publicly accessible
- Consent – if your collection of personal information relies on consent, ensure that you obtain that consent, that it is an affirmative, clear action and that it notes the existence of the right to withdraw consent
Privacy Notice Template
Are you looking for a ready-to-use Privacy Notice Template that can be fully customised? Our pack includes notice templates for employees and individuals and a privacy notice register.
Our Privacy Notice Template pack is £18 or comes as part of all of our GDPR Template Packs.
