Updated 8 November 2018. This blog was originally published before the GDPR took effect in May 2018.
An integral part of EU GDPR (General Data Protection Regulation) compliance is producing appropriate documentation.
When should you provide a GDPR privacy notice?
Article 13 of the GDPR states that:
- When you collect personal data directly from data subjects, you must provide a privacy notice at the time of collection.
- When you get personal data from another source, you must provide a privacy notice without undue delay, and within a month. This must be done the first time you communicate with the data subject, or when their personal data is first shared with another recipient, such as a data processor.
These obligations do not apply if the data subject already has the information, if providing this information is impossible or would involve a disproportionate effort, if you are obliged to obtain or disclose the data by law, or if the personal data must remain confidential, subject to an obligation of professional secrecy.
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
A data protection policy, on the other hand, is an internal document that goes into detail about the organisation’s data protection objectives and responsibilities, and how to handle violations.
Read our blog ‘How to write a GDPR data protection policy’ for more information.
GDPR privacy notice
Articles 12, 13 and 14 of the GDPR outline the requirements for giving privacy information to data subjects.
The GDPR says that the information you provide must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
Sample GDPR privacy notice template
Below is an example of a customisable privacy notice template available from IT Governance.
Example of IT Governance’s GDPR privacy notice template.
Not sure where to start? We can help
We’ve made it easy for you to create a GDPR-compliant privacy notice in minutes with our bestselling EU General Data Protection Regulation (GDPR) Privacy Notice Template.
If you need a complete set of GDPR templates to help with your compliance project, you might be interested in our market-leading EU GDPR Documentation Toolkit.
Designed and developed by expert GDPR practitioners, it has been used by thousands of organisations worldwide. It includes:
- A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
- Helpful dashboards and project tools to ensure complete GDPR coverage;
- Direction and guidance from expert GDPR practitioners; and
- Two licences for the GDPR Staff Awareness E-learning Course.