Transparency and informing the public about how their data are being used are two basic goals of the GDPR. This article explains what a privacy notice is and offers a privacy notice template to help you comply with the law.
The EU General Data Protection Regulation (GDPR) is a first step toward giving people in the EU more control over how their data are used by organizations. If your company handles the personal information of people in the EU, then you must comply with the GDPR, no matter where in the world you are based. The fines for violating people’s new privacy rights can be up to 4 percent of your global annual turnover or €20 million, whichever is higher.
A GDPR privacy notice is an important way to help your customers make informed decisions about the data you collect and use. We’ve brought together some information from the law itself and from the EU’s guidance documents to help you understand the components of a good privacy notice. And at the bottom, we’ve included a privacy notice template that you can adapt to your own organization.
A privacy notice is a public document from an organization that explains how that organization processes personal data and how it applies the data protection principles. Articles 12, 13, and 14 of the GDPR set out how to write a privacy notice: Article 12 governs its form, placing an emphasis on making it easy to understand and accessible, while Articles 13 and 14 list what it must contain. If you are collecting data directly from someone, you have to provide them with your privacy notice at the time you collect it.
According to the GDPR, organizations must provide people with a privacy notice that is:
The GDPR also stipulates what information an organization must share in a privacy notice. The requirements vary slightly depending on whether an organization collects the data directly from the individual (Article 13) or obtains it from another source, such as a third party (Article 14).
If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:
If an organization obtains your data indirectly (via another organization or other source), its privacy notice must provide all the same information, except for:
And instead must add:
Per Article 14(3), if you obtain personal data from a source other than the data subject, you must communicate the above information to the data subject within a reasonable period after obtaining the data and at the latest within one month. Two situations bring that deadline forward: if you will use the data to communicate with the data subject, you must inform them no later than your first communication with them; and if you plan to disclose the data to another recipient, you must inform them no later than the first disclosure.
Privacy notices should avoid qualifiers such as “may,” “might,” “some,” “often,” and “possible,” as they are purposefully vague and leave the reader unsure of what will actually happen to their data. Write in the active voice, keep sentences and paragraphs well structured, and use bullets to highlight specific points of note. Avoid unnecessarily legalistic and technical terminology.
According to the EU’s guidelines on transparency under the GDPR (drafted by the Article 29 Working Party and since endorsed by the European Data Protection Board), the phrases below are not sufficiently clear as to the purposes of processing. (We took these examples directly from the document.)