Is your GDPR Privacy Notice legal?
The Information Commissioner’s Office (ICO) recently issued an annex to an enforcement notice explaining why, in the ICO’s view, the privacy notices used by the company that had been fined did not meet the requirements of the UK GDPR.
The Annex sets out which sections of those privacy notices the ICO criticised, and why. It is a useful yardstick for assessing whether your own privacy notice meets the legal requirements.
The ICO concluded that many of the general statements typically seen in privacy notices were not sufficiently detailed to satisfy the requirements of UK GDPR or the UK GDPR transparency principle.
Key conclusions of the ICO were:
- If you have appointed a data protection officer (DPO), say so clearly in your privacy notice and explain how an individual can contact the DPO. The DPO does not need to be named, so a generic email address can be used, provided it is clear that the DPO can be reached at that address.
- Don’t simply list the lawful bases for using personal data in general terms without naming the processing activity each one applies to. The ICO considered that this approach could prevent individuals from, for example, understanding when they could withdraw their consent or when they could object to a particular processing operation. Provide a clear link between each category of personal data being processed, the purpose of that processing, and the lawful basis relied upon for it.
- Identify specifically the persons with whom you share personal data. A high-level description of recipients such as “analytics providers” or “business partners” is too broad. Provide either the names of the recipients or sufficient detail about the categories of recipients that data subjects know exactly who holds their personal data. Avoid terms such as “affiliates” unless you can explain clearly who or what an affiliate is.
- Indicate the specific countries to which you transfer personal data so that data subjects can make an informed choice about whether or not to give you their personal data for processing. The ICO also indicated that details about whether or not the relevant country had an adequacy decision should be included and, if it didn’t, what other appropriate safeguards were in place and details about how these safeguards could be found. Simply referring to model contracts and standard contractual clauses was not sufficient.
- Include a clear statement of the period for which personal data will be retained or information as to the criteria to be used for data retention so that a data subject can assess, on the basis of their own situation, what the retention period will be. Where relevant, specify different storage periods for different categories of personal data and/or different processing purposes. Avoid broad and general statements on data retention (for example, by reference to contractual obligations).