The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than in the DPA and place an emphasis on making privacy notices understandable and accessible. Data controllers are expected to take ‘appropriate measures’.
Data controllers may need to include more information in their privacy notices, but we believe that if you follow the good practice recommendations in this code you will be well placed to comply with the GDPR regime. There is still discretion for data controllers to consider where the information required by GDPR should be displayed in different layers of a notice.
The GDPR says that the information you provide to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
These requirements are about ensuring that privacy information is clear and understandable for data subjects. They also make explicit what has always been set out as good practice. Following the advice in this code about the use of language, about adopting innovative technical means for delivering privacy information such as layered and just in time notices, and about user testing will help you to comply with the new provisions of the GDPR, as well as the current requirements of the DPA. The explicit emphasis on adapting privacy notices for children goes beyond what is currently required by the DPA. Data controllers processing children’s data will need to take account of the level of comprehension of the age groups involved and tailor their notices accordingly. The code seeks to address this in relation to making privacy notices accessible.
The GDPR includes a longer and more detailed list of information that must be provided in a privacy notice than the DPA does. There are also some differences in what you are required to provide, depending on whether you are collecting the information directly from data subjects or from a third party.
Following the advice in the code about planning privacy notices and mapping your information flows will give you much of the detail you need to meet these requirements.
The following table summarises the privacy information you have to provide. It is taken from our Overview of the GDPR document.
|Data obtained directly from data subject||Data not obtained directly from data subject|
|What information must be supplied?||Not required when the data subject has the information.||
Not required when the data subject has the information
Not required when derogations in article 14(5)(b) to (d) apply. For example it would pose a disproportionate effort for archiving in the public interest.
|Identity and contact details of the controller and where applicable, the controller’s representative) and the data protection officer|
|Purpose of the processing and the legal basis for the processing|
|The legitimate interests of the controller or third party, where applicable|
|Categories of personal data|
|Any recipient or categories of recipients of the personal data|
|Details of transfers to third country and safeguards|
|Retention period or criteria used to determine the retention period|
|The existence of each of data subject’s rights|
|The right to withdraw consent at any time, where relevant|
|The right to lodge a complaint with a supervisory authority|
|The source the personal data originates from and whether it came from publicly accessible sources|
|Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data|
|The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.|
|When should information be provided?||At the time the data are obtained.||Within a reasonable period of having obtained the data (within one month)|
|If the data are used to communicate with the individual, at
the latest, when the first communication takes place; or
|If disclosure to another recipient is envisaged, at the latest,
before the data are disclosed.
We will consider producing further guidance as appropriate on the specific categories of information listed here.