Your essential guide to crafting a compliant privacy notice (GDPR)

The General Data Protection Regulation (GDPR) has revolutionized data privacy for EU citizens and businesses selling to them. Crafting an effective privacy notice is an essential part of GDPR for any organization handling personal data. 

This comprehensive guide will empower you with the knowledge and tools to create a clear, concise, and compliant privacy notice that adheres to privacy notice GDPR requirements, safeguards data subject rights, and fosters trust with your users.

Key takeaways

• Understand GDPR and its impact on privacy notices, which must adhere to principles of lawfulness, fairness, and transparency
• A compliant notice should include information about the data controller, purposes of processing personal data with legal basis for such processing, as well as details regarding international transfers
• Regularly review and update the notice while informing users of any changes to ensure compliance with GDPR requirements

Understanding GDPR and its impact on privacy notices

The GDPR is an EU regulation governing data protection and privacy for individuals within the European Union, affecting how organizations collect and use personal data. It sets seven key GDPR principles, which are:

1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Privacy notices, mandated by the GDPR, are public documents that explain an organization’s data processing activities, designed to be accessible and easy to understand.

Avoiding fines of up to 4% of global revenue or €20 million and maintaining trust with data subjects are two key reasons to ensure a privacy notice complies with regulations. Transparent and fair processing of personal information assists customers in making decisions regarding the data an organization collects and uses.

What is a privacy notice?

A GDPR privacy notice is a way of formally informing data subjects about how an organization deals with personal information in terms of data protection legislation. It outlines the steps that the company takes to comply with legal requirements.

The purpose of a privacy notice under GDPR is to provide a public document that explains an organization’s data processing activities and is designed to be accessible and easy to understand.

For easy access, a privacy notice should be prominently displayed on a website, typically in the footer and any location where personal data is collected.

When a privacy notice is required (and not) under the GDPR

A privacy notice is an essential document when any legitimate processing of personal data takes place under the GDPR. This is particularly true when this processing is not based on the consent of the data subject. 

For instance, a telecommunications company may process personal data based on a legal obligation to retain call data for a certain period, or a delivery service may process personal data based on a contract with the data subject to deliver a package to their home address.

An explicit privacy notice is not always necessary. This is the case when it is either impossible or would require a disproportionate effort to deliver one, or the data subject already possesses the necessary notification information. 

For instance, if a customer provides their address for the purpose of having a product delivered, an explicit privacy notice is not necessary. In this case, the processing of personal data is necessary for the performance of a contract—the delivery of a purchased item—to which the data subject is party.

The importance of a compliant privacy notice

Maintaining a compliant privacy notice is critical in avoiding penalties, building trust, and ensuring clarity with data subjects. Failure to have a compliant privacy notice may result in fines, a lack of trust, and a lack of transparency with data subjects, as it is a statutory or contractual requirement.

To avoid such consequences, it is crucial to adhere to GDPR requirements when crafting your organization’s privacy notice.

Essential components of a GDPR-compliant privacy notice 

Crafting a GDPR-compliant privacy notice requires the inclusion of the following information:

• Data controller: Clearly state who is responsible for collecting and processing personal data.
• Purposes of data processing: Explain why personal data is being collected and how it will be used.
• Legal basis for processing personal data: Specify the lawful basis for processing personal data, such as consent or legitimate interests.

---

---

Sharing clear and transparent information about these components aids in making data subjects aware of the collection, usage, and processing of their personal data.

Information about the data controller

The data controller information should include the following:

• The organization’s name
• Contact details
• Any pertinent data protection officer information 

The role of a data controller in terms of GDPR compliance is to make decisions regarding the processing of personal data, having the ultimate authority and responsibility for ensuring that the data processing activities adhere to the GDPR.

This involves determining the purpose and method of the processing, deciding which data is necessary, and guaranteeing that the process data is conducted lawfully and securely under the guidance of the supervisory authority.

Purposes of data processing

In your privacy notice, it is essential to explicitly specify the purposes for processing personal data, including any particular activities or services. This helps data subjects understand how their data will be used and for what reasons. Additionally, it is crucial to identify the legal basis for processing personal data, such as consent, legitimate interests, or legal obligations.

Legal basis for processing personal data

Identifying the legal basis for processing personal data is a crucial component of a GDPR-compliant privacy notice. Under GDPR, the legal bases for processing personal data encompass:

• Consent
• Contractual obligations
• Legal obligations
• Vital interests
• Public interest
• Legitimate interests

Under GDPR, consent is defined as a legal basis for processing personal data, obtained when an individual voluntarily provides their specific, informed, and unambiguous agreement to the processing of their personal data for a specific purpose. 

Consent must be given through a clear affirmative action, such as ticking a box or providing a written statement, and it should be straightforward for individuals to withdraw their consent at any time.

Ensuring clarity and accessibility in your privacy notice

Maintaining clarity and accessibility in your privacy notice is instrumental in assisting data subjects to comprehend their rights and the processing of their personal data. To achieve this, your privacy notice should be:

• Concise
• Transparent
• Intelligible
• Easily accessible
• Free of charge

By following these guidelines, you can create a privacy notice that is both informative and user-friendly.

Keep it concise to allow for easy comprehension

Maintain the conciseness of your privacy notice by excluding unnecessary information and focusing on the key points that are most significant to data subjects. 

A concise privacy notice not only makes it easier for users to understand and find the information they need but also helps to reduce information overload and confusion.

By prioritizing brevity, you can create a privacy notice that effectively communicates your organization’s data processing activities and commitment to data protection.

Use plain language to ensure transparency

Using clear and plain language is essential for ensuring transparency in your privacy notice. 

Avoid legal jargon or complex terminology that may be difficult for users to understand. Instead, opt for clear and simple language that accurately conveys the information you need to share with data subjects. 

This approach not only helps users better understand your privacy notice but also fosters trust and confidence in your organization’s commitment to data protection.

Structure the document effectively to improve intelligibility

An intelligible privacy notice is one that is structured effectively, allowing users to easily navigate and find the information they need. 

Use headings, subheadings, and bullet points to break up the text and create a logical flow of information. This not only makes your privacy notice more readable, but also helps users quickly locate the specific sections or details they are looking for, enhancing their overall experience.

Provide easy access to the information

Providing easy access to your privacy notice is crucial for GDPR compliance. Ensure that the privacy notice can be accessed easily on your website, through pop-ups or other means. 

This helps users find and engage with your privacy notice, ultimately leading to a better understanding of how their personal data is processed and their rights under GDPR.

Free of charge

Article 12 of the General Data Protection Regulation (GDPR) stipulates that information provided under Articles 13 and 14, as well as any communications and any actions taken under Articles 15 to 22 and 34, must be provided free of charge. This means that when a data subject exercises their rights under GDPR, such as the right to access or rectification, they should not be charged for it.

Addressing data subject rights in your privacy notice

Data subject rights are a key aspect of GDPR compliance and must be addressed in your privacy notice. By informing data subjects of their rights, such as data subject prior to exercising the following rights:

• The right to be informed
• The right of access
• The right of rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision-making and profiling

you demonstrate your organization’s commitment to data protection and transparency.

Right to access, rectification, and erasure

In your privacy notice, you should inform data subjects of their rights:

• Right to access their personal data
• Right to have any inaccurate data about them corrected
• Right to request the erasure of their personal data, commonly referred to as the ‘right to be forgotten’

By including information about these rights in your privacy notice, you empower users to take control of their personal data and make informed decisions about its use.

Right to object and restrict processing

Under GDPR, data subjects have the right to object to the processing of their personal data for direct marketing purposes. They also have the right to restrict the processing of their personal data in specific situations, such as when they contest the accuracy of the data or when the processing is unlawful.

In your privacy notice, make space to explain the right to object to processing and the right to restrict processing under certain circumstances. 

Right to data portability

Describe the right to data portability, allowing data subjects to:

• Obtain and reuse their personal data for their own purposes across different services
• Request their personal data in a commonly used, machine-readable format
• Transfer this data to another data controller or directly to themselves

Rights related to automated decision-making and profiling

Automated decision-making refers to decisions made about individuals based solely on the processing of their personal data. Profiling involves analyzing or predicting personal aspects concerning an individual, such as their preferences, interests, behavior, and more.

Data subjects have the right to:

• Be informed about the existence of any automated decision-making and profiling of their personal data, including information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
• Obtain human intervention, express their point of view, and contest decisions based on automated processing if the decision produces legal effects concerning them or similarly significantly affects them.
• Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless this is necessary for entering into, or performance of, a contract between the data subject and a data controller, or it is based on the data subject’s explicit consent.

By clearly stating these rights in your privacy notice, you ensure that users are well-informed about how their data is handled in automated decision-making and profiling processes.

Addressing international data transfers in your privacy notice

Handling international data transfers in your privacy notice is essential to ensure GDPR compliance. To address this issue, your privacy notice should:

• Identify any third countries involved in data transfers
• Ensure appropriate safeguards are in place to protect personal data during international transfers
• Inform data subjects of their rights regarding international data transfers and processing.

Identifying third countries involved

List any third countries involved in data transfers and processing. A third country, in the context of GDPR, is defined as any country outside the European Union (EU) and the European Economic Area (EEA) where the General Data Protection Regulation (GDPR) does not apply.

By identifying third countries involved in data transfers, you provide transparency to data subjects and help them understand how their personal data is processed across international borders.

Ensuring appropriate safeguards

Ensure appropriate safeguards are in place to protect personal data during international transfers. Under GDPR, transfers of personal data to third countries are generally prohibited under Article 44, but there are conditions under which such transfers are permissible. Examples of GDPR-compliant safeguards for international data transfers include:

• Adequacy decisions
• Standard contractual clauses
• Binding corporate rules
• Consent
• Assessing potential risks

Implementing these safeguards helps secure and protect personal data during international transfers.

Informing data subjects of their rights

Inform data subjects of their rights regarding international data transfers and processing. Under GDPR, data subjects possess various rights when data is transferred internationally, including:

• The right to be informed
• The right of access
• The right of rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision-making and profiling

By providing information about these rights in your privacy notice, you convey your commitment to data protection and transparency.

Regularly reviewing and updating your privacy notice

Consistent review and updates of your privacy notice are necessary for maintaining ongoing compliance with GDPR requirements. To proactively maintain a GDPR-compliant privacy notice, follow these steps:

• Set a review schedule to regularly assess and update your privacy notice.
• Monitor changes in data processing activities within your organization and ensure that your privacy notice reflects these changes.
• Communicate updates to data subjects, such as through email notifications or website announcements, to keep them informed about any changes to your data processing practices. By following these steps, you can ensure that your privacy notice accurately reflects your organization’s data processing practices and commitment to data protection.

Get expert guidance on data privacy and GDPR

Navigating the complexities of GDPR compliance and data privacy can be challenging for organizations. Seeking expert guidance can help businesses ensure they meet GDPR and protect their customers’ personal data.

Chat with our compliance experts: A free 15-Min AMA 

Let’s chat. Connect with a compliance expert to find out how GDPR applies to your business—no strings attached. Book a chat here.

Our 5-step approach makes GDPR much easier to navigate:

• STEP 1: Kick-off. After a deep dive into data privacy, our experts customize your GDPR compliance roadmap
• STEP 2: Onboarding. Get up and running with GDPR policy templates, automated vendor discovery, and clear action items
• STEP 3: Implementation. Efficiently implement and operationalize GDPR with guided workflows, automation, and support from our experts
• STEP 4: GDPR assessment and reporting. As a third party, Thoropass delivers a transparent assessment and report to share with customers and prospects
• STEP 5: And beyond… Leverage our extensive platform to add frameworks, renew attestation, and ensure continuous compliance

Learn more about what your GDPR compliance journey with Thoropass will look like here!

Disclaimer: This information should not be considered legal advice, and organizations should seek the advice of their attorney when developing/customizing their own privacy notices

More FAQs

---