The right of information – What information should be in a “website” privacy notice?

As was discussed in an earlier blog, a “website” privacy notice is an amalgam of “individual” and “third-party” privacy notices. An organization posts it on its website so that interested individuals can ascertain what the organization’s privacy practices are and so that visitors to the website can determine what personal data are collected when they visit. The notice sets forth the purposes for which the organization processes personal data. If the purposes for the processing expand or change, then a revised privacy notice needs to be posted on the website.

In addition to the purposes of the processing, the “website” privacy notice should contain:

  • The name and contact details of your organization
  • The lawful basis for the processing, and if consent is the lawful basis, the right to withdraw consent
  • If legitimate interest is the lawful basis for the processing, the legitimate interests for the processing
  • The categories of the personal data obtained
  • If the personal data are shared with others, the identity of the recipients or the categories of recipients of the personal data
  • If personal data are transferred to third countries or international organizations, the identity of those countries or organizations and what safeguards are used when personal data are transferred outside the EU
  • The retention periods for the personal data
  • The rights available to individuals, i.e. the rights of access, rectification, erasure, restriction and portability, the right to object, and the right to lodge a complaint with a supervisory authority
  • The source of the personal data
  • If individuals are under a statutory or contractual obligation to provide the personal data and the consequences for failure to do so
  • If automated decision-making, including profiling, is involved in the processing, what type it is and what the effect of such processing could be

This blog is the fifth in a series of blogs that describe and explain the eight individual rights set forth in the GDPR. If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right of access?
