
EU: Implementation series part 7 - Developing a privacy notice

A privacy notice is necessary for any organisation subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), since it helps them comply with two of the regulation's main principles.

First, it encourages transparency by allowing people to see what data is being collected, why and how it is being processed, and for how long it will be stored. Second, it provides individuals with the information they need to make an informed decision about whether or not to exercise their data subject rights. Moreover, individuals have eight rights under the GDPR that allow them to challenge or request changes to how their personal data is handled. Vasilis Charalambous, from George Z. Georgiou & Associates, discusses considerations relevant to developing privacy notices in this article.


The GDPR's transparency principle is user-centric rather than legalistic, and it is embodied in a number of articles by placing precise practical obligations on data controllers and processors. Requirements are outlined in Articles 12 - 14 of the GDPR and reinforced by the Article 29 Working Party's Guidelines on transparency under Regulation 2016/679 ('WP260').

Article 12 sets out the general rules which apply to:

  • the provision of information to data subjects (under Articles 13 - 14);
  • communications with data subjects concerning the exercise of their rights (under Articles 15 - 22); and
  • communications in relation to data breaches (Article 34).

Specifically, Article 12 requires that the information or communication in question must comply with the following rules:

  • it must be concise, transparent, intelligible, and easily accessible;
  • clear and plain language must be used;
  • the requirement for clear and plain language is of particular importance when providing information to children;
  • it must be in writing "or by other means, including where appropriate, by electronic means";
  • where requested by the data subject, it may be provided orally; and
  • it generally must be provided free of charge.

Privacy notice vs. privacy policy

Privacy notice and privacy policy are two different concepts, even though they both begin with the same word. A privacy notice is an outward facing, or external, notice to clients letting them know how an organisation is processing their data. The main purpose of privacy notices is to inform consumers about what, why, and how their personal data is being processed. Although many websites refer to their privacy notice as a privacy policy, this is not strictly correct.

On the other hand, an internal document used by businesses to provide criteria for the management of personal data is known as a privacy policy. A privacy policy specifies how employees should handle personal data, as well as restrictions, classification, who the policy relates to (any third party), protection requirements, duties, obligations, and so on. A privacy policy, in other words, tells employees how to handle data.

Types of privacy notices

There is currently no requirement that data processing information should be delivered in a single notice or page on a website. A privacy notice can come in a variety of formats. Data processing information can be communicated in writing, orally, through a sign, or electronically such as through a website, text message, email, or through mobile applications. In general, organisations should endeavour to communicate privacy information using the same channel they used to obtain personal data.

A variety of techniques can be incorporated when presenting a privacy notice, such as:

  • Layered approach: People are usually given a short notice including crucial information, such as the organisation's details and how they utilise personal data, as part of a multi-layered approach to conveying privacy information. It might have a single link to more thorough information or links that extend each area to disclose a second tier. These, in turn, may contain links to further information that clarifies specific situations, such as when personal information may be provided to the police. In an online setting, where it is simple to give a prominent main page link, using a layered approach works really well.
  • Dashboards: A dashboard is an online application that may provide users with a central location to manage their personal data. Individuals will be more informed and better able to engage with messages about what is happening with their data and how to control it if they have more knowledge and confidence in tools like dashboards. This should aid in the development of trust and confidence with a client.
  • Just-in-time notices: A just-in-time notice appears at the moment an organisation is about to collect a specific piece of information from an individual. The notice contains a brief statement describing how the information the individual is about to supply will be used. Just-in-time notices are especially effective when customers supply personal data at multiple points of a transaction or contact, such as when filling out a form on a company's website. People may not consider the long-term consequences of disclosing the information. Just-in-time notices help address this issue by giving pertinent and targeted privacy information in such circumstances.
  • Icons: Recital 60 of the GDPR makes provision for information to be provided to an individual "in combination" with standardised icons, thus allowing for a multi-layered approach. However, the use of icons should not simply replace information necessary for the exercise of a data subject's rights, nor should they be used as a substitute for compliance with the data controller's obligations under Articles 13 and 14. Paragraph 7 of Article 12 provides for the use of such icons, stating that: "The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where icons are presented electronically they shall be machine-readable."

How much detail/what information does a company have to provide within the privacy notice?

One of the GDPR's requirements is that privacy statements be presented in a clear, transparent, comprehensible, and easily accessible manner, using clear and straightforward language, especially for information aimed at children. If an organisation collects information directly from a person, its privacy notice must include the following information:

  • the identity and contact details of the organisation, its representative, and its data protection officer;
  • the purpose for the organisation to process an individual's personal data and its legal basis;
  • the legitimate interests of the organisation (or third party, where applicable);
  • any recipient or categories of recipients of an individual's data;
  • the details regarding any transfer of personal data to a third country and the safeguards taken;
  • the retention period or criteria used to determine the retention period of the data;
  • the existence of each data subject's rights;
  • the right to withdraw consent at any time (where relevant);
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data; and
  • the existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences.

Furthermore, Article 14 of the GDPR provides the criteria which should be applied when personal data has not been obtained from the data subject.

How visible should the notice be and how to ensure it remains visible?

Most users don't read the privacy notices that websites present because they are too extensive and full of scientific or technical language. Every organisation that processes personal data is required by the GDPR to publish a privacy notice/statement that is clearly visible. According to Article 12 of the GDPR, controllers must take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR, and any communication relating to processing of the data subject's data, in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. WP260 clarifies this requirement even further by stating, "the 'easily accessible' element means that the data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question…". WP260 recommends as a best practice that, at the point of collection of the personal data in an online context, a link to the privacy statement or notice is provided, or that this information is made available on the same page on which the personal data is initially collected.

Should I amend my privacy notice even though my jurisdiction is non-GDPR?

The regulation focuses on EU citizen data and is not restricted by the location of the organisation processing or managing the data. This implies that if an organisation processes the data of an EU person, it might be situated anywhere in the world and still be subject to the regulation. As a result of this 'extra-territorial effect', the regulation applies to organisations that process such data whether or not they are located in the EU.

Article 3 of the GDPR defines the law's territorial scope. The GDPR applies to organisations established in the EU, even if the data is kept or processed outside of the EU. Article 3(1) and (2) go even further, extending the law to non-EU organisations if either of two conditions is met: the organisation provides goods or services to EU citizens, or it monitors their online behaviour. If an organisation does not follow the regulation, then it is subject to fines in the same way as companies that are located in the EU.

What to avoid

Privacy notices prepared by organisations should avoid using words such as 'may,' 'might,' 'some,' 'often,' etc., as they are purposefully imprecise. The writing should be in the active voice, and sentences and paragraphs should be well structured, using bullets to highlight specific points of note. Unnecessarily legalistic and technical terminology should be avoided as well.

Fines

Article 83(5)(b) of the GDPR provides that if a controller fails to inform a data subject pursuant to Article 13 GDPR, the controller may be subject to an administrative fine of up to €20 million or up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is the higher. Any organisation that is subject to the GDPR must provide a privacy notice whenever it obtains a data subject's personal information.

Vasilis Charalambous, Lawyer
George Z. Georgiou & Associates LLC, Nicosia