Beyond questions of content and form, one key principle of the European General Data Protection Regulation (the “GDPR”) must be kept in mind when writing your privacy policy: the principle of transparency. This principle requires a company to provide full information about the processing operations it will carry out. People need to know why and how their personal data will be used.
Methodology for clear and transparent information
You can also group the information by theme.
1. The data controller
The first group concerns information related to the controller, i.e. the identity and full contact details of the person (natural or legal) processing the data, as well as, where applicable, the identity of their Data Protection Officer if they have appointed one.
2. Type of processing, legal basis and purposes of the processing operations
The second group of information concerns the types of processing, the legal bases for justifying them and the purposes, the “raison d’être”, of these processing operations.
It’s also necessary to add the specific details of each legal basis for processing.
- In practice, if your company justifies the processing of personal data on the legal basis of consent, it should be specified that consent may be withdrawn at any time.
3. The rights of the persons concerned
In this group of information, it is important to remember to explain whether automated decisions, i.e. decisions made without any human intervention (for example, only through an algorithm), are made within your company. If your company makes this type of decision, it will be necessary to provide information on the underlying logic, importance and envisaged consequences of this processing operation for the data subjects.
A reference should also be added to the possibility of lodging a complaint with the competent supervisory authority about the processing operations carried out.
4. Data transfers
The fourth group concerns data transfers by your organisation both within the European Union and outside the European Union.
Regarding transfers within the European Union, it must be specified who the recipients of the data are, i.e. “the natural or legal person, public authority, service or any other body receiving communication of personal data” (Article 4, point 9 GDPR).
Concerning transfers of data to a third country or international organisation, natural persons should be informed of the existence of an adequacy decision or the use of appropriate safeguards, or derogations when applicable.
5. Categories of collected data
The fifth group of information concerns the data itself, namely:
- Which type of data is collected, for example, identification data (surname, first name, address) or financial data (bank account number).
- The length of time for which these personal data are kept.
- Your company must inform the data subjects whether they are obliged to provide personal data as part of a contract. In this case, it should be explained whether or not the provision of personal data is a condition of the service and what the consequences are if such data is not provided.
- Your company must specify the legal or regulatory obligations related to the provision of personal data.
How to communicate this information?
Information should be provided, in principle, in writing or electronically when appropriate.
- The best way to proceed is to put yourself in the shoes of the people concerned by this policy: the people whose personal data your organisation collects and processes.
- A good way to work is to combine different levels of information, leaving the possibility for the people concerned to click on a specific theme in order to get information. It is also possible to pass messages through the use of icons or pictograms.
Is the policy finished once it has been written?
During this review, your company will be able to take into account the various requests or comments that have been made on the clarity of the policy and, possibly, integrate developments in terms of data collection and processing.
Furthermore, if your company intends to carry out a processing operation for a purpose other than the one for which the personal data were initially collected, the data subject must be informed in advance.
For example, if you first collected email addresses for the purpose of creating a personal account on your website (1st purpose) but then want to use the same email address to send newsletters (2nd purpose), you should inform the data subjects using clear information.
When do I have to provide the information when I collect personal data directly from individuals? This information must take place at the time of collection of this data by the controller.
Do I always have to inform the people concerned? No, you do not have to provide the information to the data subjects if they already have adequate information.