With the new data protection regulation applicable from May 2018, privacy policy (i.e. information notice explaining to any concerned individuals how their personal information is processed)  will need to be refreshed as new requirements as to the content as well as the format will be applicable. (in Bold the new requirements compared to the current directive 95/46/EC).
The content of the information may differ slightly whether or not the personal data have been obtained directly from the individuals

1.As to the format, the European Commission should propose standardised icon to be used in your privacy policy. They will help individuals (customer, users etc.) to easily understand the privacy policy. This is yet to be published by the European Commission and should be coming before May 2018.

2. As to the content,

The future privacy policy will be more detailed. However, it should remain customer/user friendly and therefore the use of layers is encouraged (e.g: a simplified privacy policy linked to a more detailed one depending on the complexity of the data processing described). The information to be provided differ slightly depending on whether or not the data is obtained from the individuals.

2.1. Information to be provided regardless of the type of collection of data (i.e. direct or indirect)

Below is a list of the information that should be stated in any privacy policy compliant with the GDPR and in bold what is new compared to the current legislation (still applicable until May 2018). The updated privacy policy should contain the following information:

-Identity and contact details of the data controller and where applicable of the data protection officer.

-Purposes of the data processing (i.e. What does the controller need personal data for?) including the existence of profiling and any automated decision making (including the logic involved) and the consequences of such data processing for the data subject.

-Legal basis of the data processing and where applicable a description of the legitimate interest pursued

-Recipients or categories of recipients of the personal data processed (given the definition of “recipient”, it should cover both recipient data controllers and processors).

-Where applicable, details of the transfer outside of the EU, the legal basis of such  transfers (i.e. guarantees implemented: BCR, EU model clauses etc.) and the means to obtain a copy of the document

-Data retention period or criteria to determine it

-The rights of data subjects (e.g. right to access, the right to lodge a complaint with the authority etc.) : this is not new but the individuals are given new rights under the GDPR such as right to portability and erasure and more detailed information should be provided (e.g. see right to data portability).  It also includes the right to withdraw consent at any time where applicable.

2.1. Information to be provided only where data is obtained from the data subject:

-Indication as to whether or not data are mandatory as well as the consequences of not providing the information.

-Indication as to whether the provision of personal data is a statutory or contractual requirement or a requirement to enter into a contract. 

The last two bullet points  might be linked to the one relating to legal basis of the processing as it is more or less the same information. In most cases, the information may be more relevant on a form to be filled out by the individual than in a privacy notice and more particularly if the collection of personal data is only  necessary for a processing based on individual consent.  The data controller also have to remind the users/individuals their right to withdraw their consent at any time.

2.3. Information to be provided where data is not obtained from the data subject:

-If the data is not collected directly from the individual, the data controller should also indicate the categories of data collected as well as the source of the data and whether this source is publicly available.


Where a processing is based on individual’s consent or on data controller’s legitimate interest specific safeguard will be required.

  • As for the consent, the rules are laid down in the GDPR  (see here for more details)
  • As for the legitimate interest, a balance must be struck between the data controller’s legitimate interest and the legitimate interest, rights and freedom of the individuals . That could mean a possibility to opt out has to be implemented but this is a decision to be made on a case by case basis.

Where data is not obtained from the data subject the modalities of information may vary and be subject to exemption under certain circumstances. Indeed the information must provided:

  • within a reasonable period after obtaining personal data (at the latest within one month;
  • if the personal data is used to communicate with the data subject, the information must be provided before the first communication
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed

These rules apply unless the information was previously provided to the data subject; it would prove impossible or involve disproportionate effort to provide such information;  it would impair the achievement of the processing; a member states law provides for obtaining or disclosure of the information and; where professional secrecy or statutory obligation of secrecy applies to the data.

Sharing options

Privacy Policy and GDPR: What To Update
Tagged on: