How to write a Privacy Policy

19 July 2023

Transparency is one of the fundamental principles of the GDPR.[1] All organisations need to ensure that data subjects have access to information about how they process personal data. The information must be presented in a concise and easily accessible form, using plain and intelligible language. Controllers have a wide obligation to provide information to data subjects. The European Data Protection Board (EDPB) recommends that controllers provide a so-called privacy policy on their websites, where they describe how personal data are processed.[2] In this blog post, we will explain what elements a privacy policy should contain, and what to think about when writing your own.


Why do we need a privacy policy?

The GDPR requires controllers to inform data subjects when they process personal data, which is quite an extensive obligation. This information shall be provided in writing, or by other means where appropriate.[3] If the personal data are collected directly from the data subject, the information shall be provided at the time when the personal data are obtained.[4] If the personal data have not been obtained directly from the data subject, then the information must be provided at the latest within one month.[5]

Which information the data subject is entitled to is regulated in Articles 12-14. The GDPR explains that information, including how data subjects may exercise their rights, must be communicated in clear and plain language. Article 13 describes which information needs to be provided when the personal data are collected from the data subject. Article 14 sets out a corresponding requirement for when the personal data have not been obtained directly from the data subject, for example when they come from another controller or a public database. The principle of transparency is broad; below we go through it in more detail and explain what information needs to be given to data subjects.

The GDPR does not prescribe a certain format to be used when making information available to data subjects. However, controllers are obligated to take appropriate measures to ensure that they fulfill the obligation to inform.[6] The purpose of a privacy policy is to present an overview or compilation of the required information. Simply put, a privacy policy gives a detailed description of how your organisation processes personal data. Note that the term “Privacy Policy” doesn’t occur in the GDPR – it’s just an established and common way to describe the information. Other commonly used terms are “Data Protection Notice”, “Privacy Statement” and “Privacy Notice”. For convenience, we have chosen to use the term “Privacy Policy” throughout this blog post.


How should a privacy policy be structured?

You are quite free in terms of how to structure your privacy policy. However, the GDPR requires information to be provided in a concise, transparent, intelligible and easily accessible form. Furthermore, clear and plain language must be used, in particular when the information is addressed to a child.

In terms of layout, the policy needs to be concise and straight to the point. Data subjects need to be able to easily access the information in its entirety. The privacy policy should be separated from general terms and conditions. It should also be well-structured, to avoid information fatigue. The EDPB recommends using a “layered approach”, to make it easier for data subjects to navigate within the text. This means that the policy is divided into different so-called layers. The first layer provides an overview of the most important information: the purposes of the processing, the identity of the data controller and a description of the data subject’s rights. Furthermore, the first layer should give the data subject a clear overview of the following content, including where more detailed information can be found.[7] Subsequent layers should provide more complete information. For example, layers can be structured based on the different categories of data subjects and divided into sections with clear headlines.

The requirement of intelligibility means that the information should be understood by an average member of the intended audience.[8] For example, working professionals can be assumed to have a higher level of understanding than children. The information needs to be as precise as possible and not leave room for misunderstandings. Data subjects should be able to understand the purpose of the data processing, as well as its potential consequences. They should not end up surprised by the effects of the processing. Additionally, in accordance with the principle of fairness under Article 5(1) GDPR, data subjects should be made aware of any risks, rules, security measures and rights due to the processing of personal data.[9]

What needs to be included in a privacy policy?

As previously mentioned, the right to information is stated in Articles 13 and 14 GDPR. The articles provide a list of what information to include.

The following information needs to be included:

  • The identity and contact details of the controller,
  • The contact details of the data protection officer, if one has been appointed,
  • The purposes of the data processing as well as the lawful basis for the processing,
  • If the processing is based on a legitimate interest, this interest needs to be described,
  • The recipients of the personal data, if any,
  • Whether the personal data will be transferred to a third country, and in that case, information about an adequate level of protection or reference to the appropriate or suitable safeguards,
  • The period for which the personal data will be processed,
  • The data subject’s rights,
  • The right to withdraw consent at any time, if the processing is based on consent,
  • The right to lodge a complaint with a Supervisory Authority,
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract,
  • Whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data, and
  • The existence of automated decision-making, including profiling.

If the personal data isn’t obtained from the data subject, the information also must include the concerned categories of personal data. To summarize, the privacy policy should include practically all relevant information from the data subjects’ point of view.

In what way, and at what time, should the privacy policy be provided?

As information must be provided in an “easily accessible form”,[10] data subjects should not have to seek out the information. It should be obvious where and how the information can be accessed. In addition to the privacy policy being published on your website, it also needs to be provided to the data subject. As previously mentioned, the data subject shall be informed at the time when personal data are obtained. Therefore, the privacy policy should be accessible on the same page through which the personal data are collected, either attached or by link. For example, a pop-up message with the privacy policy attached could be displayed when the data subject fills in an online form.[11] If the personal data aren’t obtained from the data subject, the data subject shall be informed within a reasonable time period, at the latest within one month.[12] If the personal data are to be used for communication with the data subject, the information must be provided at the latest at the time of the first communication to that data subject.[13]


Summary

A privacy policy is used to ensure that a controller fulfills the obligation to provide information to data subjects. The policy describes how a controller processes personal data. The GDPR specifies which information a policy should include. Furthermore, the information is required to be easily accessible to the data subject and communicated in clear and plain language. By accessing the privacy policy, data subjects should be able to understand the purpose and possible consequences of the processing, as well as the risks and rights associated with the processing. The GDPR stipulates a time frame within which information must be provided. If the personal data are collected from the data subject, information must be provided at the time when the data are obtained. If they are obtained from someone other than the data subject, information must be provided at the time of the first communication to the data subject, or at the latest within a month.


Do you need help with your privacy policy?

If you have any further questions about privacy policies, or anything else regarding the GDPR, feel free to contact us!

Lova Viktorsson 

info@gdprhero.se

046-2731717

The content presented in this blog contains general information and is not to be considered as legal advice.

Footnotes

  1. Article 5(1)(a) GDPR.
  2. Article 29 Working Party Guidelines on transparency under Regulation 2016/679, WP260 rev.01.
  3. Article 12(1) GDPR.
  4. Article 13(1) GDPR.
  5. Article 14(3)(a) GDPR.
  6. Article 12(1) GDPR.
  7. Article 29 Working Party Guidelines on transparency under Regulation 2016/679, WP260 rev.01, p. 36.
  8. Article 29 Working Party Guidelines on transparency under Regulation 2016/679, WP260 rev.01, p. 9.
  9. Article 29 Working Party Guidelines on transparency under Regulation 2016/679, WP260 rev.01, p. 10.
  10. Article 12(1) GDPR.
  11. Article 29 Working Party Guidelines on transparency under Regulation 2016/679, WP260 rev.01, p. 11.
  12. Article 14(3)(a) GDPR.
  13. Article 14(4)(b) GDPR.