The right of information – What information should be in an “individual” privacy notice?

As was discussed in the last blog, an “individual” privacy notice is one that is provided by the controller to the individual at the time the personal data relating to the individual are obtained.  The notice sets forth the purposes of the processing.  If there is further processing of the personal data that is different from the purpose for which the personal data originally were obtained, then a new “individual” privacy notice, with information on that further processing, needs to be provided to the individual prior to that further processing.

Other information that should be in an “individual” privacy notice is:

  • The name and contact details of your organization
  • The lawful basis for the processing, and if consent is the lawful basis, the right to withdraw consent
  • The legitimate interests for the processing
  • If the personal data are shared with others, the identity of the recipients or the categories of recipients of the personal data
  • If personal data are transferred to third countries or international organizations, the identity of those countries or organizations and what safeguards are used when personal data are transferred outside the EU
  • The retention periods for the personal data
  • The rights available to individuals, i.e. the rights of access and to rectification, erasure, restriction, portability, objection and to lodge a complaint with a supervisory authority
  • If individuals are under a statutory or contractual obligation to provide the personal data and the consequences for failure to do so
  • If automated decision-making, including profiling, is involved in the processing, what type it is and what the effect of such processing could be

GDPRsimple contains a template that helps an SME generate an “individual” privacy notice.  That template contains the standard information that needs to be in an “individual” privacy notice and has several blanks which are completed by selecting from drop-down boxes or Yes/No answers.  By using the template appropriate for the source of the personal data and the way the privacy notice is provided to the individual, the SME is able to generate a privacy notice that accurately reflects the source of the personal data and its specific business practices.

This blog is the third in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  The right of information – What information should be in a “third-party” privacy notice?
