Overview
Your privacy information for individuals is essentially your declaration of what you intend to do with people's personal data, however mundane those activities may be.
In most cases, this will be in the form of a:
- Privacy policy (for customers/prospects)
- Terms of employment contract (for employees)
- Consent statement (for marketing activities or any other activities outside the direct scope of your services)
The principle here is just to be clear about what you are doing with a person's data, for what purpose(s) and under what legal basis (we will come to that later).
You should not necessarily restrict the delivery of privacy information to a single notice or page on your website. The term ‘privacy policy’ is often used as shorthand, but rather than seeing the right to be informed as being about delivering a single notice, it is better to think of it as providing privacy information in a range of ways. You can provide this information through a variety of media:
- Orally - face to face or when you speak to someone on the telephone (it’s a good idea to document this).
- In writing - printed media; printed adverts; forms, such as financial applications or job application forms.
- Through signage - for example, an information poster in a public area.
- Electronically - in text messages; on websites; in emails; in mobile apps.
To answer the question, you will need to check the privacy information you provide to individuals and confirm that it details the purposes (reasons) why you process individuals' information.
Example
Let's take a look at what should be in our privacy information using the example purposes for processing below.
| Purposes of processing | Purposes categories | Categories of individuals | Categories of personal data |
| --- | --- | --- | --- |
| payroll | Staff administration | Employees | Contact details |
| regulatory purposes | | | Financial details... |
| to co-ordinate the workforce | | Emergency contacts... | Contact details... |
| to send emails and other communications; | Customer orders | Customers | Contact details |
| for billing, account management and other administrative matters; | | | Financial details |
| regulatory purposes | | | IP address... |
| to provide, update, maintain and protect our Services, Websites and business; | | Suppliers... | Contact details |
| to send emails and other communications; | | | Financial details |
| for billing, account management and other administrative matters; | | | Location... |
| information about our latest offers | Marketing | Customers | Contact details |
| exclusive discounts | | | Lifestyle information |
| industry insights | | Clients... | Contact details... |
Privacy information for employees:
In this example the purposes for processing personal information are:
- Co-ordinate workforce
- Payroll
- Regulatory purposes
Privacy information for customers:
In this example the purposes for processing personal information are:
- To send emails and other communications
- For billing, account management and other administrative matters;
- Regulatory purposes
- To provide, update, maintain and protect our Services, Websites and business;
- to send emails and other communications;
Privacy information for marketing consent:
In this example the purposes for processing personal information are:
- Information about our latest offers
- Exclusive discounts
- Industry insights
What the regulator says:
GDPR - Information to be provided where personal data are collected from the data subject - Article 13 (1c) - Controllers
"Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with the purposes of the processing for which the personal data are intended as well as the legal basis for the processing"
GDPR - Information to be provided where personal data is not collected from the data subject - Article 14 (1c) - Controllers
"Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the purposes of the processing for which the personal data are intended as well as the legal basis for the processing"
References
- GDPR - Information to be provided where personal data are collected from the data subject - Article 13 (1c) - Controllers
- GDPR - Information to be provided where personal data are not collected from the data subject - Article 14 (1c) - Controllers