The right of information – What information should be in a “third-party” privacy notice?

As was discussed in an earlier blog, a “third-party” privacy notice is one where the personal data have not been obtained from the individual. As in an “individual” privacy notice, the purpose of the processing must be included in the “third-party” notice, and if there is further processing of the personal data that is different from the purpose for which the personal data originally were obtained, then a new “third-party” privacy notice, with information on that further processing, needs to be provided to the individual. 

Like the “individual” privacy notice, the “third-party” privacy notice also must contain:

  • The name and contact details of your organization
  • The lawful basis for the processing, and if consent is the lawful basis, the right to withdraw consent
  • The legitimate interests for the processing
  • Whether the personal data are shared with others, and if so, the identity of the recipients or the categories of recipients of the personal data
  • If personal data are transferred to third countries or international organizations, the identity of those countries or organizations and what safeguards are used when personal data are transferred outside the EU
  • The retention periods for the personal data
  • The rights available to individuals, i.e. the rights of access, rectification, erasure, restriction, portability and objection, and the right to lodge a complaint with a supervisory authority
  • If automated decision-making, including profiling, is involved in the processing, what type it is and what the effect of such processing could be

Unlike the “individual” privacy notice, the “third-party” privacy notice also must contain:

  • The categories of the personal data obtained
  • The source of the personal data

GDPRsimple contains a template that helps an SME generate a “third-party” privacy notice. That template contains the standard information that needs to be in a “third-party” privacy notice and has several blanks, which are completed by selecting from drop-down boxes or giving Yes/No answers. By using the template appropriate for the source of the personal data and the way the privacy notice is provided to the individual, the SME is able to generate a privacy notice that accurately reflects the source of the personal data and its specific business practices.

This blog is the fourth in a series of blogs that describe and explain the eight individual rights set forth in the GDPR. If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog: The right of information – What information should be in a “website” privacy notice?