Privacy Notice Requirements

The GDPR requires a privacy notice to be concise, transparent and written in clear and plain language. You can download a copy of this here: GDPR-04-Privacy Notice Requirements, and a template here: GDPR-04-Privacy Notice Template.

The GDPR says that the information you provide to people about how you process their personal data must be:

  • Concise, transparent, intelligible and easily accessible.
  • Written in clear and plain language, particularly if addressed to a child.
  • Free of charge.

What information must be provided:

Where you obtain personal data directly from the individual:

  • Identity and contact details of the controller and, where applicable, the controller’s representative and the data protection officer (if applicable).
  • Purpose of the processing and the legal basis for the processing.
  • The legitimate interests of the controller or third party, where applicable.
  • Any recipient or categories of recipients of the personal data.
  • Details of transfers to a third country and safeguards.
  • Retention period or criteria used to determine the retention period.
  • The existence of each of the data subject’s rights.
  • The right to withdraw consent at any time, where relevant.
  • The right to lodge a complaint with a supervisory authority.
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.
  • The existence of automated decision making, including profiling, and information about how decisions are made, the significance and the consequences.

This information should be provided to the individual at the time that the data is obtained.

Where the personal data is not directly obtained from the individual:

  • Identity and contact details of the controller and, where applicable, the controller’s representative and the data protection officer (if applicable).
  • Purpose of the processing and the legal basis for the processing.
  • The legitimate interests of the controller or third party, where applicable.
  • Categories of personal data.
  • Any recipient or categories of recipients of the personal data.
  • Details of transfers to a third country and safeguards.
  • Retention period or criteria used to determine the retention period.
  • The existence of each of the data subject’s rights.
  • The right to withdraw consent at any time, where relevant.
  • The right to lodge a complaint with a supervisory authority.
  • The source the personal data originates from and whether it came from publicly accessible sources.
  • The existence of automated decision making, including profiling, and information about how decisions are made, the significance and the consequences.

In this case, this information should be provided to the individual:

  • Within a reasonable period of having obtained the data (within one month);
  • If the data is used to communicate with the individual, at the latest, when the first communication takes place; or
  • If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.