The General Data Protection Regulation (GDPR) requires organisations, processing personal data as controllers, to provide the data subjects (i.e. individuals whose personal data is processed) with a privacy notice. This document must explain to the individuals how their personal information is processed.
Although it was already a requirement under the former legislation, the GDPR requires controllers to provide more detailed privacy notice whose content may differ slightly depending on whether or not the personal data have been collected directly from the individuals.
1. The format of the privacy policy
The European Commission was supposed to propose standardised icons aimed at facilitating the reading and overall understanding of the privacy policies. However, this is yet to be unveiled by the European Commission. Therefore, the format is free as long as it is clear and easy to read.
Although it is more detailed, the privacy policy should remain customer/user friendly. The authorities encourage the use of layers where necessary (e.g: a simplified privacy policy referring to a more detailed one).
2. The content of the privacy policy
2.1. Information to provide regardless of the source of the data (i.e. the individual or a third party source)
Below is a list of the information to provide in any GDPR compliant privacy policy and, in bold, the additional GDPR requirements not provided for in the former legislation.
-Identity and contact details of the data controller and where applicable of the data protection officer;
-Purposes of the data processing (i.e. What does the controller need personal data for?) including, if applicable, the existence of profiling and any automated decision making, the logic involved by such decisions and, the consequences of such data processing for the data subject.
-Legal basis of the data processing and where applicable, a description of the legitimate interest pursued; In this regard, a recent decision regarding Whatsapp taken by the Irish Authority requires :
- to set out the details of the law or the public interest pursued if the legal ground of the processing operations is a legal requirement or a public interest.
- to identify what processing operations were grounded upon each legal basis and what categories of personal data were concerned. (see here)
-Recipients or categories of recipients of the personal data processed (given the definition of “recipient”, it should include both controller and processor recipients).
-Where applicable, details of the transfer outside of the EU, the legal basis of such transfers (i.e. guarantees implemented: BCR, EU model clauses etc.) and the means to obtain a copy of the document;
-Data retention period or criteria to determine it;
-The rights of data subjects (e.g. right to access, the right to lodge a complaint with the authority etc.): this is not new but the individuals are given new rights under the GDPR such as the right to data portability (e.g. see right to data portability) or to withdraw consent at any time where applicable.
2.2. Information to provide only where the data are collected directly from the individual
The controller must indicate whether the provision of personal data is:
– mandatory and the consequences of failure to provide the data;
– a statutory or contractual requirement or a requirement necessary to enter into a contract.
These requirements may overlap the obligation to provide the legal basis of each purpose of the controllers’ processing activities. However, this is specific to the data collected. In practice, this information may be more relevant on a form to fill out than in a privacy notice.
2.3. Information to provide where data is not obtained directly from the data subject
-If the data (or part of them) are not collected directly from the individual, the controllers should indicate the categories of data collected, their origin and, whether this source is publicly available.
3. Miscellaneous
3.1. Relying on individuals’ consent or the controller’s legitimate interest entails to comply with additional requirements
- As for the consent, the rules are laid down in article 7 GDPR (see here for more details)
- As for the legitimate interest, the controllers must strike a balance between its legitimate interest and the legitimate interest, rights and freedom of the individuals. In practice, it may entail the implementation of opt-out options (see here for more information).
3.2. When to provide the information notice if the controllers obtain the personal data from a third-party source or wish to disclose them to a third party
Controllers must provide the information notice:
- within a reasonable period after obtaining personal data (at the latest within one month);
- before the first communication with the data subject if they use it for this purpose;
- at the latest when the controllers first disclose the personal data, if they envisage a disclosure to another recipient.
These rules apply unless (i) the information was previously provided to the data subject; (ii) it would prove impossible or involve disproportionate effort to provide such information; (iii) it would impair the achievement of the processing; (iv) a member states law provides for the collection or disclosure of the information and; (vi) where professional secrecy or statutory obligation of secrecy applies to the data.
CONTACT
If you have any question, do not hesitate to contact Arnaud Blanc, French & English qualified lawyer based in France.
