Make Sure Your Privacy Policy is GDPR Compliant
If you have an email account, you will most likely have received a deluge of emails from various organisations directing you to their new and improved privacy policy.
The driver behind all these emails is, of course, the General Data Protection Regulation (“GDPR”), which came into force on 25 May 2018. Under the GDPR, organisations owe greater obligations to individuals than they did under the Data Protection Act 1998.
Under articles 13 and 14 of the GDPR, all organisations must provide individuals with certain information about how they will process personal data, and it is common practice to include this information in a website-based privacy policy. The information that must be included in such a privacy policy includes the following:
- The identity and the contact details of the controller – in other words the privacy policy must clearly identify the organisation that collects personal data from individuals.
- How and why personal data is collected – individuals must be told how their personal data is going to be used. The GDPR does not usually require individuals to give consent before personal data can be processed. The GDPR allows data to be processed, without consent, where it is necessary to perform a contract between the organisation and the individual. For example, if a customer buys a fridge from an online retailer, the retailer may collect the customer’s name, address and billing details (without the customer’s explicit consent) to fulfil its contractual obligation of supplying the fridge.
- Who personal data is being shared with – organisations must inform individuals if their personal data is going to be disclosed to third parties and, if so, the purpose of any such disclosures.
- If personal data is to be transferred outside the European Economic Area (“EEA”) – an organisation that intends to transfer personal data outside the EEA must make individuals aware of such a transfer. The privacy policy should specify the mechanism under which the transfer is being made, and this will depend on which country outside the EEA is receiving the personal data. For example, data transfers to the US will be covered by the EU-US Privacy Shield regime.
- Data retention – the privacy policy should also set out how long personal data will be stored. If the organisation does not have a definitive storage period, then the privacy policy must include the criteria used to determine how long personal data will be stored.
- The rights of individuals – the privacy policy must make individuals aware of their rights under the GDPR, including the right to request access to personal data, request correction of data, and even request erasure of personal data (commonly known as the right to be forgotten).
These are just some of the points that need to be looked at closely when preparing a GDPR compliant privacy policy.
Please note the contents of this blog are given for information only and must not be relied upon. Legal advice should always be sought in relation to specific circumstances.