Privacy statements modelled on the ‘fine print’ principle are a thing of the past. A privacy statement that meets the demands of the GDPR is more than a document dumped on a website. It is a declaration of intent containing the right information, which must reach the data subjects at the right time and in the right place for the processing of their personal data to be lawful.
What does it have to convey?
In its privacy statement, an organisation (the controller) must describe in an intelligible and easily accessible form, transparently, concisely, and in clear and plain language:
- which personal data are being collected;
- how these personal data are used, for how long they are stored, and with whom they are shared;
- how the data subjects can exercise their rights.
But there is more…
Having a privacy statement in place that communicates the right information is not the end of the story. The information must also be available at the right time and in the right place, and the organisation must be able to demonstrate that its operations live up to the standards set by its own statements.
Where and when do privacy statements need to be published?
The purpose of a privacy statement is to allow data subjects to decide whether or not they agree with the way a controller intends to process their personal data. For the processing to be lawful, they must have been given that opportunity before or at the time the processing actually starts.
In practical terms, this means that the controller must, at every point where personal data may be collected, provide a privacy statement whose content is relevant to the data subjects concerned. This is not only true for online collection of data. It also applies to collecting personal data by telephone, through text messages or in person.
How can organisations prove they have followed the rules?
To be able to rebut later claims by data subjects that their data were processed unlawfully, it is also important to maintain a register of privacy statements, recording when and where each version was published. Apart from this, it is advisable to:
- where a statement is delivered orally or in writing, keep copies of the correspondence or recordings of the telephone conversations;
- have procedures for responding, in line with the contents of the privacy statement, to requests from customers who wish to exercise their rights;
- have procedures that specify how, and in which format, such responses are given;
- have a ‘notification protocol’, written in clear and intelligible wording, for use in the event of a data breach.