The UK General Data Protection Regulation (GDPR) states that data controllers must provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information.
A privacy notice should identify who the data controller is and provide contact details for its Data Protection Manager, or if applicable its Data Protection Officer. It should also explain the purpose for which personal data is collected, how the data is used and disclosed, how long it is kept, and the controller’s legal basis for processing.
In April, the Information Commissioner's Office (ICO) fined the social media company TikTok (TikTok Inc and TikTok Information Technologies UK Limited) north of £12 million for breaches of data protection law. The ICO found that the companies' privacy notice lacked the detail needed to satisfy the requirements of Article 13(1) UK GDPR.
In this article we set out the key things every business should consider including in its privacy notice so that the notice is specific enough to comply with the UK GDPR, in light of the ICO's published enforcement notice.
What is your legal basis for collecting personal data?
You must have a valid lawful basis in order to process personal data, and there are six to choose from. No single basis is more important than the others; which one is most appropriate will depend on your purpose. The six lawful bases available to you are:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Who do you share personal data with?
A key part of any privacy notice is stating who the personal data may be shared with. Many privacy notices are too broad on this point, which the ICO highlighted as a major issue. The ICO stated that a privacy notice should name the recipients or, at a minimum, describe the categories of recipient.
Using legal jargon such as "Affiliates" to describe who personal data may be shared with, without explaining who counts as an affiliate, may not satisfy the UK GDPR requirements. Instead, you should explain clearly who the recipients are and give further information such as where they are located.
Do you transfer personal data abroad?
If your business transfers personal data abroad, the ICO has stressed the importance of naming the destination countries in your privacy notice. Its reasoning is that data subjects should be able to make informed choices before agreeing to the processing. For a global business this can be an onerous task, but a necessary one to avoid non-compliance.
How long do you store personal data?
Many privacy notices state that personal data is kept "for as long as necessary for the purposes of processing". This wording is unlikely to comply. The ICO highlighted in its enforcement notice that a privacy notice should give a clear period for which the controller expects to retain the data or, at the least, explain the criteria used to determine that period.
Why are you storing personal data?
Another area where the ICO has called for clarity is the link between each purpose for which you store personal data and the lawful basis you rely on for it. The aim is to let individuals understand clearly why their personal data is being processed. For example, your privacy notice may state that one purpose of processing is to take a payment. It is then important to link that purpose with its lawful basis, which in this case is likely to be the performance of your contract with the individual. Stating the lawful basis for each processing activity also lets individuals see which processing relies on the consent they have given. This makes it easier for them to withdraw that consent and gives them more control over their personal data and how it is used.
What are the data subjects' rights?
Under data protection legislation, data subjects have rights in relation to their personal data, and your privacy notice should identify and set out those rights. They include the right to be informed about the collection and use of their personal data, the right to access their data and, where processing relies on consent, the right to withdraw that consent at any time. The full list of data subject rights is set out in the UK GDPR.
How can you be contacted?
If a data subject wishes to exercise their legal rights, your privacy notice must set out how you can be contacted. It is good practice to nominate a Data Protection Officer or a Privacy Manager and to give their contact details in the privacy notice, so that individuals can raise any issues or concerns about how their personal data is being processed.
Please contact us if you would like more information about the issues raised in this article or any other aspect of commercial law, on 029 2034 5511 or at commercial@berrysmith.com.