GDPR Statement: What Is It? (+Checklist)

By
Alex Franch
February 1, 2023

Overview

Under the GDPR organisations must provide individuals with certain information via a data privacy statement or privacy notice. But what is a data privacy notice, and what should it contain? We explain everything you need to know in this blog – along with a GDPR statement example.

One of the most important concepts in the EU General Data Protection Regulation is transparency. Individuals own their personal data. As a company that's involved in processing that personal data, you must disclose everything that you do with it. This is why having a Privacy Policy is so important. A Privacy Policy is mandatory under many privacy laws. And under the GDPR, it's one of the most important documents your company has. It's the only way to demonstrate to your customers, and to the authorities, that you take data protection seriously.

A GDPR Privacy Policy is sometimes called a GDPR Privacy Statement or a GDPR Privacy Notice.

Why is a GDPR Privacy Policy Important?

Personal data is big business. Companies like Google and Facebook have revenues larger than some countries. They made their fortunes by processing people's personal data.

The GDPR sets the rules about how personal data should be processed in the EU. It also provides rights to individuals regarding their personal data. Without privacy laws like the GDPR, people would lose control over the information that businesses and governments have collected about them.

A Privacy Policy is your company's opportunity to show your customers that you can be trusted with their personal data. It's also a chance to really get to grips with how much personal data your company controls, and whether your data protection practices are legally compliant.

Important Sections of a GDPR Privacy Policy

1) Introduction

You should start your Privacy Policy with a brief explanation of who your company is, and what your Privacy Policy is.

Include the date from which the Privacy Policy takes effect (the "effective date").

2) Contact details

The first thing to include in your privacy notice is the name, address, email address and telephone number of your organisation.

If you’ve appointed a DPO (Data Protection Officer) or EU Representative, you should also include their contact details.

3) Types of Personal Data You Process

The GDPR's definition of "personal data" is very broad. The chances are that your company processes a lot of it.

Because everything from IP addresses to cookie data constitutes personal data, your website might process personal data from people who will never even contact your company. In your Privacy Policy, you must be absolutely clear about every type of personal data you deal with, and why you need to do this.

Many companies break this part of their Privacy Policy down into sub-sections, such as "data you provide to us," "data collected by our website," etc.

4) Lawful basis for processing personal data

Under the GDPR, organisations can only process personal data if there is a lawful basis for doing so. Your privacy policy should specify which one you’re relying on for each processing purpose.

If you are relying on legitimate interests, you must describe them. Likewise, if you’re relying on consent, you should state that it can be withdrawn at any time.

Remember that there are specific rules when it comes to processing special categories of personal data.

5) How You Process Personal Data

Under the principles of "purpose limitation" and "data minimisation," you must always have a good reason for processing any of the personal data in your possession. You must set out your purposes for processing personal data in your Privacy Policy.

6) How long you’ll be keeping their data

The GDPR states that you can only retain personal data for as long as the legal basis for processing is applicable.

In most cases, that will be easy to determine. For example, data processed to fulfil contracts should be stored for as long as the organisation performs the task to which the contract applies.

Likewise, organisations should hold on to any data processed on the grounds of a legal obligation, public task or vital interest for as long as those activities are relevant.

Things are trickier with consent and legitimate interests, as there is no clear point at which they’re no longer valid.

As such, we recommend reviewing your data retention practices at least every two years.

7) International Transfers of Personal Data

If you transfer personal data from the EU to a non-EU country (for example, if your web server is located in the US, or you use a data processor based in Australia), you need to explain this in your Privacy Policy.

There are only certain reasons that you can transfer personal data out of the EU. These include:

The non-EU country to which you're transferring personal data has been deemed to have "adequate" data protection by the European Commission;

"Adequate" countries include Canada and New Zealand. The United States is included, but only if the US company is part of the Privacy Shield framework.

You have a contract with the recipient that contains standard data protection clauses;

You're transferring personal data within a multinational company (or a group of companies working together) subject to binding corporate rules;

As a last resort, and with certain other conditions in place, you have the person's consent to transfer their data.

This section of your Privacy Policy must explain which of these mechanisms you use for international transfers.

8) Data Rights

The GDPR grants individuals eight rights over their personal data. Subject to certain conditions, you're required to facilitate these rights when requested to do so.

These rights are:

The right to be informed

The right of access

The right to rectification

The right to erasure (known as "the right to be forgotten")

The right to restrict processing

The right to data portability

The right to object

Rights in relation to automated decision-making

Not all the rights are likely to apply to your company, but you need to be familiar with them regardless.

Your Privacy Policy needs to provide information about these individual rights, and also provide a method by which people can exercise them. This might be a web form, or simply an email address.

9) Changes to Your Privacy Policy

You should let people know that you might need to make changes to your Privacy Policy, and tell them how you'll inform them about this.

Disclaimer

This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.

Alex Franch
Co-Founder & CEO