A guide to GDPR Privacy Policy disclosure requirements

The General Data Protection Regulation (“GDPR”) gives individuals in the European Union (“EU”) control over their personal data. Under the GDPR, a controller must make certain disclosures to those individuals about its data processing activities. In this guide, we will explain:

  • What disclosures are required under the GDPR: General Data Protection Regulation?
  • How to comply with the GDPR Privacy Policy disclosure requirements

What disclosures are required under the GDPR: General Data Protection Regulation?

The GDPR protects the personal data of a “data subject” who is an identified or identifiable natural person in the EU. A data subject “can be identified, either directly or indirectly, in particular by reference to an identifier.” Examples of identifiers include:

  • A name
  • An identification number
  • Location data
  • An online identifier
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person

The GDPR requires a data controller to explain to data subjects how it processes their personal data. Additionally, the controller must inform data subjects how they can exercise their rights under the GDPR.

Article 12 establishes the data subject’s right to transparent information and communication about the processing of their personal data. The controller must “take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject.” The articles are:

  • Article 13 – Information to be provided where personal data are collected from the data subject
  • Article 14 – Information to be provided where personal data have not been obtained from the data subject
  • Article 15 – The right of access by the data subject
  • Article 16 – The right to rectification
  • Article 17 – The right to erasure (‘right to be forgotten’)
  • Article 18 – The right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – The right to data portability
  • Article 21 – The right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 34 – Communication of a personal data breach to the data subject

The Article 29 Data Protection Working Party (“WP29”) published detailed guidelines on transparency under the GDPR. The WP29 guidelines explain that transparency is “an overarching obligation under the GDPR” that applies to three central areas:

  • The provision of information to data subjects related to fair processing
  • How data controllers communicate with data subjects in relation to their rights under the GDPR
  • How data controllers facilitate the exercise by data subjects of their rights

As a core value of transparency, data subjects should have advance notice of the scope and consequences of having their personal data collected and shared by a controller. Transparency empowers data subjects to exercise control over their personal data and hold controllers accountable.

Recital 58 of the GDPR explains that the “principle of transparency” requires any information addressed to the public or to the data subject to be concise, easily accessible, and easy to understand, written in clear and plain language and, where appropriate, supported by visualisation. Recital 58 adds that the information could be provided in electronic form, for example through a website.

The best way for a controller to comply with the GDPR disclosure rules is to place a Privacy Policy on its website that explains how it processes personal data. Although the GDPR requires certain disclosures that should be in the policy, the law does not use the terms “privacy policy” or “privacy notice” in its text. These two terms are interchangeable, so either term can be used on a controller’s website.

How to comply with the GDPR Privacy Policy disclosure requirements

The GDPR’s disclosure requirements are explained in Articles 12, 13, and 14. Article 12 sets the rules for how a controller communicates with data subjects. Article 13 lists the disclosure requirements when a controller collects personal data directly from the data subject. Article 14 applies when a controller obtains personal data from another source.

Under Article 12, a controller must provide the required information and communications to data subjects in a specific way. A communication to a data subject must be provided:

  • In a concise, transparent, intelligible, and easily accessible form that uses clear and plain language, in particular for any information addressed specifically to a child
  • In writing, or by other means, including, where appropriate, by electronic means
  • Orally, when requested by the data subject, provided that the identity of the data subject is proven by other means 

To promote transparency, Article 12 requires controllers to provide any required information free of charge. This includes information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34. 

Article 13 lists the disclosure requirements for a controller when it directly collects personal data from a data subject. When a controller collects personal data, it must provide the data subject with all of the following information:

  1. Controller information – The identity and the contact details of the controller and, where applicable, of the controller’s representative.
  2. Data protection officer – The contact details of the data protection officer, where applicable.
  3. Purposes and legal basis – The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
  4. Legitimate interests – Where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party.
  5. Recipients of the personal data – The recipients or categories of recipients of the personal data, if any.
  6. Transfer of personal data – Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Article 6(1)(f) covers processing that “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” A controller relying on this legal basis must name the legitimate interests it is pursuing. Where the controller intends to further process personal data for a purpose other than the one for which the data were collected, the controller must provide the data subject with information about that new purpose before the further processing begins.

In addition, at the time the personal data are obtained, the controller must provide the data subject with the following further information, which Article 13(2) treats as necessary to ensure fair and transparent processing:

  1. Retention period for personal data – The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
  2. Right to submit requests – The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
  3. Right to withdraw consent – Where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  4. Right to lodge a complaint – The right to lodge a complaint with a supervisory authority.
  5. Requirements for collecting personal data – Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
  6. Use of automated systems – The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Article 14 applies to a controller that obtains personal data indirectly, such as when the controller purchases the data from a third party. In addition to the disclosures listed above, these controllers must tell the data subject the categories of personal data obtained and the source from which the personal data originate, including whether it came from publicly accessible sources.

The Horizon 2020 Framework Programme of the European Union recommends that a Privacy Policy include the following topics:

  • What data do we collect?
  • How do we collect your data?
  • How will we use your data?
  • How do we store your data?
  • Marketing
  • What are your data protection rights?
  • What are cookies?
  • How do we use cookies?
  • What types of cookies do we use?
  • How to manage your cookies
  • Privacy policies of other websites
  • Changes to our privacy policy
  • How to contact us
  • How to contact the appropriate authorities

As a best practice, a controller should publish its Privacy Policy on its website, and a link should be accessible from every webpage. Also, if a website collects any personal data online, such as through a contact form, a link to the Privacy Policy should be provided near the data entry fields on the webpage.

If you are a controller that handles personal data of individuals in the EU, your website must comply with the GDPR. The fines for violating the data subject rights provisions can be up to 4 percent of a controller’s total worldwide annual turnover for the preceding financial year or 20 million euros, whichever is higher. Termageddon’s Privacy Policy generator helps you comply with the disclosure requirements of the GDPR and avoid fines.