The new privacy notice
Because practically every enterprise stores customer data in one way or another, practically every enterprise also needs a privacy notice. Storing customer data is, after all, a form of processing personal data. With the General Data Protection Regulation (GDPR) taking effect on 25 May next, existing privacy notices must be changed.
In an earlier blog we gave you 10 tips to get your organisation ready for the GDPR. In this blog I will elaborate on tip 7: Is the privacy notice of your organisation up to par? The GDPR sets more requirements in this respect than there were previously.
Why a privacy notice?
In the Netherlands, the Dutch Personal Data Protection Act currently applies. The Act obliges the controller (the one who processes personal data) to inform the data subject (the one to whom the personal data relate) that his personal data are being processed. In addition, the controller must be transparent about the manner in which personal data are processed. This duty of information and transparency can be met by drafting and publishing a privacy notice. B2B personal data, for example the data of a contact person (name, telephone number, e-mail address), also fall under the rules of the Personal Data Protection Act. This means that every enterprise needs a privacy notice.
Contents of the privacy notice
The GDPR stipulates that, from 25 May 2018 onwards, a privacy notice must provide information on at least ten points:
- identity of the enterprise;
- contact data;
- purpose for which the personal data are collected;
- the recipients of the personal data;
- retention time or the criteria for determining that time;
- the rights of the data subject (i.e. access to inspect his own personal data, rectification, erasure of data, data portability);
- the possibility of withdrawing consent (if data are being processed on the basis of consent);
- the right to lodge a complaint with a Data Protection Authority;
- the basis on which personal data must be provided (legal obligation, contractual obligation or condition for the execution of the agreement) and the consequences of not providing them;
- whether there is automated decision-making or profiling, its importance and its consequences.
Depending on the type of enterprise, the kind of information that is collected and the purpose for which that information is subsequently used, additional information obligations may exist.
Formal GDPR requirements for a privacy notice
The GDPR not only stipulates which matters must be covered in a privacy notice (the contents), but it also contains stipulations on the form. The ‘new’ privacy notice must meet the following requirements:
- comprehensible and easily accessible
- clear and plain language
Brief, easily accessible and comprehensible
The information that is provided must be accessible to the target group. This means that the information (i) must be brief (i.e. no long and woolly stories: be concrete), (ii) must be accessible (easy to find and to consult, for example by means of a hyperlink at the bottom of the web page, and not hidden in general terms and conditions) and (iii) must be clear (plain language and no jargon). The use of visual aids or icons can contribute to this.
Clear and plain language
Because data subjects must be informed in clear and plain language, it is important to keep the target group in mind. As a general rule, language exceeding level B2 of the European Reference Framework for Languages (http://www.erk.nl/docent/niveaubeschrijvingen) is considered inappropriate. If an activity is focused on children (for example allowance for internet services), age-appropriate language must be used.
Do you need help with your privacy notice?
With the GDPR coming nearer, it is important that you also check your present privacy notice. Does it meet the points and requirements above? If you have no privacy notice at all, make sure that you draft one. PlasBossinade can assist you with drawing up or checking your privacy notice.