Last updated on 22 January 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
One of the most important concepts in the EU General Data Protection Regulation (GDPR) is transparency. Individuals own their personal data. As a company that's involved in processing that personal data, you must disclose everything that you do with it.
GDPR (EU General Data Protection Regulation) is a privacy legislation that requires businesses to disclose their policies on user data collection and provides privacy rights to EU consumers.
Personal data is big business. Companies like Google and Facebook have revenues larger than some countries. They made their fortunes by processing people's personal data.
The GDPR sets the rules about how personal data should be processed in the EU. It also provides rights to individuals regarding their personal data. Without privacy laws like the GDPR, people would lose control over the information that businesses and governments have collected about them.
The GDPR is different. Its requirements are more rigorous than any of the above laws, and anything you produced to comply with these will likely not be sufficient under the GDPR.
An important thing to bear in mind is that this is a public-facing document, and is not written just for your customers. It should be aimed at anyone whose personal data you might process - including potential customers and visitors to your website.
One of our many testimonials:
Let's take a look at what you'll need to include.
You should include the legal name and business address of your company.
Here's how MembersFirst does this:
You'll notice above that MembersFirst refers to itself as a "data controller." For the purposes of the GDPR, your company is probably a "data controller," too - if it makes decisions about how and why personal data is processed.
Some companies give their definitions directly from Article 4 of the GDPR. This is the approach of AEG:
This isn't actually all that helpful for a reader. Arguably, defining a "data subject" as "an identifiable natural person [...] who can be identified, directly or indirectly, in particular by reference to an identifier" does little to clarify what the term actually means to a layperson.
Here's another example from Edgbaston Park Hotel. Its definitions are more accessible and easy to understand.
You can see the differences here between writing in legalese versus writing in a common voice that is far easier to understand.
Article 5 of the GDPR contains six principles by which all personal data must be processed.
Others take a more personalized approach, listing their company's specific principles and relating these to the GDPR's principles. Here's an example from the International Institute for Environment and Development:
The GDPR's definition of "personal data" is very broad. The chances are that your company processes a lot of it.
Here's an example from Clearcast:
You can then further break down this information into more detailed categories. Here's how Synthorx does this:
Be as detailed and specific as possible when disclosing the types of personal data you collect and process. Try to disclose this information in a way that's as easy for your users to understand as possible.
Under the principles of "purpose limitation" and "data minimization," you must always have a good reason for processing any of the personal data in your possession.
This can also be a clause that describes "how" and "why" the data is used, so long as users are informed about what exactly you're doing with the data you collect.
The GDPR only allows you to process personal data on one of six legal (or "lawful") bases. You aren't allowed to process personal data unless you've established a good, legal justification for doing so.
The legal bases for processing a person's personal data are:
Some companies relate their legal bases to the types of personal data they process and their reasons for processing personal data. Here's how Pint of Science does this:
Where you're relying on "legitimate interests," you need to specify what your legitimate interests are.
Where you're using "consent" as a legal basis, you must include reference to your users' right to withdraw consent. Here's how Sharp does this:
If your legal basis is "contract," you need to let people know what will happen if they fail to provide you with the personal data you need to carry out a contract. Here's how Budget does this:
Make sure you know what your legal basis is (or are) and disclose this.
This won't always be a particular period (i.e. one week, two months, etc.). It may be determined by the length of time for which you need the data (e.g. until the person closes their account).
If you keep different types of data for different periods of time, disclose this as specifically as possible.
Note that the GDPR doesn't require you to list the names of every company with whom you share data, only the broad types of company (e.g. payment processors, mail carriers, etc.).
However, make sure you check the Terms and Conditions of companies with whom you have a Data Processing Agreement. Some of them, like Google, require you to name them specifically.
Here's how Discover France fulfills Google's disclosure requirements:
The clause explicitly states that "Google Analytics data is shared with Google" which lets Discover France users know that a third party (Google) is receiving some of their personal data.
There are only certain reasons that you can transfer personal data out of the EU. These include:
The GDPR grants individuals eight rights over their personal data. Subject to certain conditions, you're required to facilitate these rights when requested to do so.
These rights are:
Not all the rights are likely to apply to your company, but you need to be familiar with them regardless.
Here's how the University of Oxford provides information about some of these rights:
And here's how people can contact the University in connection with these rights:
The University of Cambridge, on the other hand, facilitates the right of access via an online form:
Requests relating to the other rights can be fulfilled via email:
You must also inform your users of their right to make a complaint to a Data Protection Authority, such as the Information Commissioner's Office (ICO) in the UK, or the Data Protection Commission (DPC) in Ireland.
Here's how charity Make-A-Wish does this:
Here's an example from Power to Change:
Here are some ways you can make sure it gets noticed
Here's how The Times does this:
Here's an example from Waitrose:
Here is a list of frequently asked questions that you may find useful.
The GDPR applies to you if you:
More specific Privacy Templates are available over our blog.