Features of a GDPR-compliant Privacy Policy

One of the key principles of the General Data Protection Regulation (GDPR) is that individuals must be provided with clear, understandable and accessible information about how and why their personal data will be used. The simplest way to achieve this is to put in place a Privacy Policy or, if you already have one, to ensure that it is updated appropriately before the GDPR enters into force on 25 May 2018.

Individuals must be able to access your Privacy Policy at the time their data is collected so that they are fully informed. Best practice is to clearly display a link to the Privacy Policy on your website and to refer to it during any online booking or sales process. If you have not obtained the individual’s data directly from them, for example if it was provided via a third party, you must refer the individual to your Privacy Policy when you first communicate with them or, at the latest, within one month of having obtained their data.

A GDPR-compliant Privacy Policy should contain the following information:

>  Identity and contact details of the data controller (i.e. the organisation responsible for collecting the data and determining how it is used) and its Data Protection Officer;

>  What categories of data you collect and use, including any special categories of sensitive data (e.g. data which may identify an individual’s religion, race or health issues);

>  Why the data is needed and how it will be used;

>  What is the lawful basis for using the data (and if you are relying on your “legitimate interests” for using the data, an explanation of what these interests are);

>  How long the data will be retained;

>  Where the data was collected (i.e. the source of it), including whether it came from third parties or publicly accessible sources;

>  Details of any third parties to which the data will be transferred and why, including details of any transfers of data outside the European Economic Area and any safeguards in place;

>  What rights individuals have to access, amend, restrict or delete their data, as well as an explanation of the right to withdraw their consent at any time;

>  Whether the data is required as part of a statutory or contractual requirement or obligation, and the consequences of failing to provide it (e.g. if the data is essential to perform a contract with the individual, failure to provide it will prevent you from doing so);

>  Whether the data will be subject to any automated decision making, including profiling, and information about how decisions are made, the significance and the consequences; and

>  Details of the supervisory authority (such as the Information Commissioner’s Office in the UK) and an explanation of the right to lodge a complaint.

If you process personal data relating to children, you may need to tailor the relevant aspects of your Privacy Policy to ensure that they can easily understand it.

In general it is important to remember that your Privacy Policy must be concise, transparent, intelligible and easily accessible, written in clear and plain language, and provided free of charge.

This means that, as far as possible, you should avoid using overly complex terminology to ensure that your Privacy Policy complies with your obligations under the GDPR.
