The EU General Data Protection Regulation (GDPR) is a first step toward giving EU citizens and residents more control over how their data are used by organizations. If your company handles the personal information of people in the EU, then you must comply with the GDPR, no matter where you are in the world. The fines for violating people’s new privacy rights can be up to 4 percent of your global revenue or €20 million, whichever is higher.
A GDPR privacy notice is an important way to help your customers make informed decisions about the data you collect and use. We’ve brought together some information from the law itself and from the EU’s guidance documents to help you understand the components of a good privacy notice. And at the bottom, we’ve included a privacy notice template that you can adapt to your own organization.
A privacy notice is a public document from an organization that explains how that organization processes personal data and how it applies data protection principles. Articles 12, 13, and 14 of the GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so.
According to the GDPR, organizations must provide people with a privacy notice that is:
In a concise, transparent, intelligible, and easily accessible form
Written in clear and plain language, particularly for any information addressed specifically to a child
Delivered in a timely manner
Provided free of charge
The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party.
If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:
The identity and contact details of the organization, its representative, and its Data Protection Officer
The purpose for the organization to process an individual’s personal data and its legal basis
The legitimate interests of the organization (or third party, where applicable)
Any recipient or categories of recipients of an individual’s data
The details regarding any transfer of personal data to a third country and the safeguards taken
The retention period or criteria used to determine the retention period of the data
The existence of each data subject’s rights
The right to withdraw consent at any time (where relevant)
Here we have provided a sample privacy notice template for a website that collects personal data directly from individuals. It contains all the necessary information in a clean, easy-to-digest format. You should modify the contents depending on whether this is a privacy policy for your website or a privacy notice about some other data processing activity.