Under the EU General Data Protection Regulation (GDPR), you must provide a privacy notice:
- to inform people how you collect, process and use their personal data
- typically at the point of data collection
- in plain and clear language, accessible format, and free of charge
The GDPR sets out the specific information you must supply to individuals and when.
How to write a GDPR privacy notice?
If you collect personal data from the individuals themselves, you must include the following in your privacy notice at the time you obtain the data:
- the data controller's identity and contact details
- details of your data protection officer (if you are required to have one)
- the purpose and legal basis for data processing
- where the legal basis for processing is legitimate interest, what that interest is
- where the legal basis is consent, the right to withdraw consent at any time
- the existence of individuals' rights (known as data subject rights)
- with whom you will share personal data (named parties or categories of recipients)
- whether you plan to transfer data to third countries and what safeguards will exist
- how long you will keep the personal data for (or details of your retention criteria)
- the right to lodge a complaint with the Information Commissioner's Office
- if there is a statutory or contractual requirement for the data subject to provide personal data, and if so, the consequences of failing to provide data
- if you intend to carry out any automated decision making (eg profiling), how you will make these decisions, their significance and possible consequences
In addition to the above, if you collect data from a third party (ie from a source other than the data subject), you must also include in the privacy notice:
- categories of personal data concerned
- the source of the data (and whether it came from publicly available sources)
Your privacy notice will usually sit on your website. You should link to it when asking people to eg subscribe to your newsletter, register with your service or provide you any personal information in any other way.
Example format for a GDPR-compliant privacy notice
A template document is unlikely to describe your business's exact practices around privacy and data processing. However, you can use our sample privacy notice document below to structure your privacy information in a way that addresses the key GDPR requirements.
It is essential that you customise the document to fit the specific circumstances of your business and the type of data processing that you do.