Features of a GDPR-compliant Privacy Policy


One of the key principles of the General Data Protection Regulation (GDPR) is that individuals must be provided with clear, understandable and accessible information about how and why their personal data will be used. The simplest way to achieve this is to put in place a Privacy Policy or, if you already have one, to ensure that it is updated appropriately before the GDPR becomes applicable on 25 May 2018.

Individuals must be able to access your Privacy Policy at the time their data is collected so that they are fully informed. Best practice is to display a link to the Privacy Policy clearly on your website and to refer to it during any online booking or sales process. If you have not obtained the individual's data directly from them, for example if it was provided by a third party, you must refer the individual to your Privacy Policy when you first communicate with them or, at the latest, within one month of having obtained their data.

A GDPR-compliant Privacy Policy should contain the following information:

>  Identity and contact details of the data controller (i.e. the organisation responsible for collecting the data and determining how it is used) and, where one has been appointed, its Data Protection Officer;

>  What categories of data you collect and use, including any special categories of sensitive data (e.g. data which may identify an individual’s religion, race or health issues);

>  Why the data is needed and how it will be used;

>  What is the lawful basis for using the data (and if you are relying on your “legitimate interests” for using the data, an explanation of what these interests are);

>  How long the data will be retained or, if a fixed period cannot be given, the criteria used to determine the retention period;

>  Where the data was collected (i.e. the source of it), where you did not obtain it directly from the individual, including whether it came from third parties or publicly accessible sources;

>  Details of any third parties to which the data will be transferred and why, including details of any transfers of data outside the European Economic Area and the safeguards in place for such transfers;

>  What rights individuals have to access, amend, restrict or delete their data, as well as an explanation of the right to withdraw their consent at any time;

>  Whether providing the data is a statutory or contractual requirement, and the consequences of failing to provide it (e.g. if the data is essential to perform a contract with the individual, failure to provide it will prevent you from doing so);

>  Whether the data will be subject to any automated decision making, including profiling, and information about how decisions are made, the significance and the consequences; and

>  Details of the supervisory authority (such as the Information Commissioner’s Office in the UK) and an explanation of the right to lodge a complaint.

If you process personal data relating to children, you may need to tailor the relevant aspects of your Privacy Policy to ensure that they can easily understand it.

In general it is important to remember that your Privacy Policy must be concise, transparent, intelligible and easily accessible, written in clear and plain language, and provided free of charge.

This means that, as far as possible, you should avoid overly complex or legalistic terminology, so that your Privacy Policy complies with your obligations under the GDPR.
