Privacy Notices and Statements

Underpinning the principle of Lawfulness, Fairness and Transparency is the concept that the personal data collected from an individual must be done so openly and visibly and the use of that data made clear to the data subject.  This is done by issuing a Privacy Notice on your website where it may be accessible to all.

A Privacy Notice should contain the following:

  • Identity and contact details of the data controller
  • The purpose and legal basis for processing the data
  • If “legitimate interests” are relied upon (see Legal Basis for Processing) what those legitimate interests are
  • If the legal basis is consent, the existence of a right to withdraw the consent
  • The recipients or categories of recipients of the data (ie. processors, third parties etc)
  • Retention periods of the data
  • Information setting out the data subjects’ rights including the right to lodge a complaint with the supervising authority
  • Whether there is a contractual or statutory obligation to process the data
  • Information about any automated decision making used &
  • Details of any cross-border transfers of the data and what safeguards are in place.

As you can see, a significant amount of information is required in the Privacy Notice for it to be compliant under the GDPR’s.  The language used must be concise, transparent, intelligible and in an easily accessible form.

Consideration of who the intended audience is will also be relevant here.  If your business is directed at children and teenagers then the language used in your notice must be plain, engaging and easily understood by them.  Notably, under the GDPR’s parental consent is required for children using online services and this is set at 16 but here in the UK it is set at 13 years and under.

If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.

Privacy Notices Checklist

  • Have you undertaken a data mapping exercise to understand the categories of data held by you?
  • Have you considered the best way to present your Privacy Notice in terms of language used and readable formatting?
  • Have you reviewed and updated your customer/employee notices to take account of new requirements?
  • Have you set out in your Privacy Notice details of third parties you share data with?
  • Have third parties been given necessary information about your business to put in their own Privacy Notices?
  • Have you received the necessary information from third parties to put in your Privacy Notice?
  • Is your organisation providing goods or services to children?