What is a privacy notice?

A privacy notice is a public document from an organization that explains how that organization processes personal data and how it applies data protection principles. Articles 1213, and 14 of the GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so.

Note that the terms “privacy notice” and “privacy policy” do not actually appear in the text of the GDPR and are essentially interchangeable. The guidelines explained in this article apply to any public documents in which your organization describes its data processing activities to customers and the public.

According to the GDPR, organizations must provide people with a privacy notice that is:

  • In a concise, transparent, intelligible, and easily accessible form
  • Written in clear and plain language, particularly for any information addressed specifically to a child
  • Delivered in a timely manner
  • Provided free of charge

The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party.

If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:

  • The identity and contact details of the organization, its representative, and its Data Protection Officer
  • The purpose for the organization to process an individual’s personal data and its legal basis
  • The legitimate interests of the organization (or third party, where applicable)
  • Any recipient or categories of recipients of an individual’s data
  • The details regarding any transfer of personal data to a third country and the safeguards taken
  • The retention period or criteria used to determine the retention period of the data
  • The existence of each data subject’s rights
  • The right to withdraw consent at any time (where relevant)
  • The right to lodge a complaint with a supervisory authority
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
  • The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences

If an organization obtains your data indirectly (via another organization) its privacy notice must provide all the same information, except for:

  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data

And instead must add:

  • The categories of personal data obtained

Per Article 14(3), if you obtain personal data from a third party, you must communicate the above information to the data subject either: no later than one month after you have obtained the data, at the time you first communicate with the data subject, or before sharing the data with another organization.

Generally, a privacy notice will be provided in writing and, where appropriate, supplied electronically. Every organization that maintains a website should publish their privacy notice there, under the title “Privacy Policy,” and it should be accessible via a direct link from every webpage. If a website collects any personal data online, the privacy notice or a link to it should be provided on the same page where the data collection occurs. The GDPR also states that privacy notices must be available orally upon request to ensure comprehension and to aid the visually impaired.

GDPR privacy notice best practices

Privacy notices should avoid using qualifiers such as “may,” “might,” “some,” “often,” etc. as they are purposefully vague. The writing should be in the active tense and sentences and paragraphs should be well structured, using bullets to highlight specific points of note. Avoid unnecessarily legalistic and technical terminology.

According to the European Commission’s GDPR guidelines, the phrases below are not sufficiently clear as to the purposes of processing. (We took these examples directly from the document.)

  • “We may use your personal data to develop new services” (as it is unclear what the “services” are or how the data will help develop them)
  • “We may use your personal data for research purposes” (as it is unclear what kind of “research” this refers to)
  • “We may use your personal data to offer personalised services” (as it is unclear what the “personalization” entails)
  • On the other hand, these kinds of phrases are much better:
    “We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in” (it is clear that what types of data will be processed, that the data subject will be subject to targeted advertisements for products and that their data will be used to enable this)
  • “We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive” (it is clear what type of data will be processed and the type of analysis which the controller is going to undertake)
  • “We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read” (it is clear what the personalization entails and how the interests attributed to the data subject have been identified)