Documenting your purposes for processing in your privacy information for individuals

Overview

Your privacy information for individuals is essentially your declaration of your intended activities with a person's personal data, however mundane those activities may be.

In most cases, this will take the form of a:

  • Privacy policy (for customers/prospects)
  • Terms of employment contract (for employees)
  • Consent statement (for marketing activities or any other activities outside the direct scope of your services)

The principle here is just to be clear about what you are doing with a person's data, for what purpose(s) and under what legal basis (we will come to that later).

You should not necessarily restrict the delivery of privacy information to a single notice or page on your website. The term ‘privacy policy’ is often used as shorthand, but rather than seeing the right to be informed as being about delivering a single notice, it is better to think of it as providing privacy information in a range of ways. You can provide this information through a variety of media:

  • Orally - face to face or when you speak to someone on the telephone (it’s a good idea to document this).
  • In writing - printed media; printed adverts; forms, such as financial applications or job application forms.
  • Through signage - for example, an information poster in a public area.
  • Electronically - in text messages; on websites; in emails; in mobile apps.

To answer the question, you will need to check the privacy information you provide to individuals and detail the purposes (reasons) why you process individuals' information.

Example

Let's take a look at what should be in our privacy information using the example purposes for processing below.

| Purposes of processing | Purposes categories | Categories of individuals | Categories of personal data |
|---|---|---|---|
| payroll | Staff administration | Employees | Contact details |
| regulatory purposes | | | Financial details... |
| to co-ordinate the workforce | | Emergency contacts... | Contact details... |
| to send emails and other communications; | Customer orders | Customers | Contact details |
| for billing, account management and other administrative matters; | | | Financial details |
| regulatory purposes | | | IP address... |
| to provide, update, maintain and protect our Services, Websites and business; | | Suppliers... | Contact details |
| to send emails and other communications; | | | Financial details |
| for billing, account management and other administrative matters; | | | Location... |
| information about our latest offers | Marketing | Customers | Contact details |
| exclusive discounts | | | Lifestyle information |
| industry insights | | Clients... | Contact details... |

Privacy information for employees:

In this example the purposes for processing personal information are:

  • Co-ordinate workforce
  • Payroll
  • Regulatory purposes

Privacy information for customers:

In this example the purposes for processing personal information are:

  • To send emails and other communications
  • For billing, account management and other administrative matters
  • Regulatory purposes
  • To provide, update, maintain and protect our Services, Websites and business

Privacy information for marketing consent:

In this example the purposes for processing personal information are:

  • Information about our latest offers
  • Exclusive discounts
  • Industry insights

What the regulator says:

GDPR - Information to be provided where personal data are collected from the data subject - Article 13 (1c) - Controllers 

"Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with the purposes of the processing for which the personal data are intended as well as the legal basis for the processing"

GDPR - Information to be provided where personal data is not collected from the data subject - Article 14 (1c) - Controllers

"Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the purposes of the processing for which the personal data are intended as well as the legal basis for the processing"
