GDPR Privacy Policy Guide

General introduction

This Guide provides a general introduction to how controllers (website and app owners) can meet GDPR Articles 13 and 14 requirements with regard to:

  1. which information (content) must be provided to data subjects (end users), and
  2. how information (quality, understandability and accessibility) must be provided to data subjects (end users).

We name the document in which this required information is provided a “Privacy Policy”.

What to do?

Signatu helps you with your Privacy Policy.

Here are our “what to do steps”:

  1. Specify your data processing in Signatu Data Processing Specification to:
    • include only one processing purpose in each single processing operation.
    • include and logically link the required information in a single processing operation.
    • record, version-control and time-track processing operations.
    • make an immutable record of a unique identity for each processing purpose, so you can keep track of whether a processing purpose is widened or blurred and in turn know whether consent needs to be obtained.
  2. Answer questions in Privacy Policy to automatically generate a Privacy Policy.
  3. Integrate your Data Processing Specification in your Privacy Policy.
  4. Use Trackerdetect to detect third parties on your site and include relevant third party information into your Privacy Policy.
  5. Style your Privacy Policy to make it fit your design and be accessible.
  6. Embed your Privacy Policy in your site/app and provide your Privacy Policy to end users on your site/app by e.g. a Privacy Policy button.
  7. Update your Privacy Policy with a new version, and keep older, immutable versions on record.
  8. Record and store Privacy Policy Events with Signatu Consent API to demonstrate that you provide your Privacy Policy to specific end users.
  9. Use Trackerdetect to take a daily screenshot of your site to document where and how you provide your Privacy Policy to end users.
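Steps 7 and 8 above ask for two things a security engineer recognises as an audit trail: older policy versions that cannot be quietly rewritten, and events that evidence which version was provided to which end user. The following Python is an added illustration of how such a record can be made tamper-evident; it is not Signatu's own code and does not use the Signatu Consent API (whose interface this guide does not describe). The version numbers, policy text, user id and the `signup-form` location are constructed sample values.

```python
"""Tamper-evident ledger of Privacy Policy versions and "policy provided" events.

Added illustration only; it is not Signatu's code or Consent API. Each record
carries the digest of the record before it, so an older version that is later
edited or removed breaks the chain and verify() reports it.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same content always hashes identically.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class Record:
    kind: str          # "policy_version" or "policy_provided"
    payload: dict
    timestamp: str     # ISO 8601, UTC
    prev_digest: str   # digest of the preceding record (GENESIS for the first)
    digest: str        # SHA-256 over kind, payload, timestamp and prev_digest


class PolicyLedger:
    """Append-only log: older versions are superseded, never rewritten."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def _append(self, kind: str, payload: dict, when: datetime) -> Record:
        prev = self.records[-1].digest if self.records else GENESIS
        body = {"kind": kind, "payload": payload, "timestamp": when.isoformat(), "prev_digest": prev}
        rec = Record(kind, payload, when.isoformat(), prev, _digest(body))
        self.records.append(rec)
        return rec

    def publish_version(self, version: str, text: str, when: datetime) -> Record:
        # Store the hash of the exact text so it can later be shown which wording a user received.
        text_hash = hashlib.sha256(text.encode()).hexdigest()
        return self._append("policy_version", {"version": version, "text_sha256": text_hash}, when)

    def record_provided(self, version: str, user_id: str, where: str, when: datetime) -> Record:
        # Event evidencing that a specific version was provided to a specific end user (step 8).
        return self._append("policy_provided", {"version": version, "user": user_id, "where": where}, when)

    def verify(self) -> bool:
        """Recompute every digest and link; False if any record was altered or dropped."""
        prev = GENESIS
        for rec in self.records:
            body = {"kind": rec.kind, "payload": rec.payload, "timestamp": rec.timestamp, "prev_digest": rec.prev_digest}
            if rec.prev_digest != prev or _digest(body) != rec.digest:
                return False
            prev = rec.digest
        return True

    def versions_provided_to(self, user_id: str) -> List[str]:
        return [r.payload["version"] for r in self.records
                if r.kind == "policy_provided" and r.payload["user"] == user_id]


def demo() -> dict:
    """Build a small ledger from constructed sample data, then tamper with it."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    ledger = PolicyLedger()
    ledger.publish_version("1.0", "We store your email address to send invoices.", t0)
    ledger.record_provided("1.0", "user-42", "signup-form", t0)  # constructed user id and location
    ledger.publish_version("1.1", "We store your email address to send invoices and newsletters.", t0)
    intact_before = ledger.verify()
    # Someone silently rewrites version 1.0 after the fact: the digest no longer matches.
    old = ledger.records[0]
    ledger.records[0] = Record(old.kind, {"version": "1.0", "text_sha256": "0" * 64},
                               old.timestamp, old.prev_digest, old.digest)
    return {"intact_before": intact_before, "intact_after": ledger.verify(),
            "seen_by_user_42": ledger.versions_provided_to("user-42")}


if __name__ == "__main__":
    print(demo())
```

The ledger on its own only proves that the chain has not been altered since it was written; to demonstrate the history to a third party, the digest of the latest record would additionally need to be anchored somewhere the controller cannot rewrite (a timestamping service or a counterpart's copy).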

Privacy Policy Content: Is Article 13 or 14 information provided?

Which information must be provided in the Privacy Policy for the Privacy Policy to be specific?

GDPR Articles 13 and 14 specify which information (content) must be provided to data subjects by controllers.

These provisions specifically give effect to the principle in GDPR Article 5.1(a) that says:

“personal data shall be processed … in a transparent manner in relation to the data subject (“transparency”)”.

The information that is required in a Privacy Policy differs to some extent:

  1. If the controller obtains personal data from the data subject (then GDPR Article 13 applies).
  2. If the controller does not obtain the personal data from the data subject (then GDPR Article 14 applies).

This is indicated below by referencing either GDPR Article 13 or Article 14 or both Articles.

Which specific information must be provided in the Privacy Policy?

According to the GDPR and Guides from Data Protection Authorities, the following questions must be answered and provided in the Privacy Policy:

  1. which personal data is processed? GDPR Articles 13.1(c) and 14.1(c).
  2. to which category of personal data (regular data or special data) do the processed personal data belong? GDPR Article 14.1(d)
  3. by which activity is personal data processed? GDPR Articles 13.1(c) and 14.1(c)
  4. whether data is transferred to third countries (if any), including the name of the country, the relevant GDPR article permitting the transfer (e.g. adequacy decision under Article 45, binding corporate rules under Article 47, standard data protection clauses under Article 46.2, derogations and safeguards under Article 49, etc.) and where/how to obtain a copy of the safeguard of personal data? GDPR Articles 13.1(f) and 14.1(f)
  5. whether there is a statutory or contractual requirement to provide the information, or whether it is necessary to enter into a contract, or whether there is an obligation to provide the information, and what are the possible consequences of failure to provide information? GDPR Article 13.2(e)
  6. what is the source from which the personal data originate, and whether the personal data came from a publicly or privately accessible source inside/outside the EU including, (if possible) the specific data source (if applicable)? GDPR Article 14.2(f)
  7. by which purpose is personal data processed, including controller’s consent requests? GDPR Articles 13.1(c) and 14.1(c)
  8. whether and how personal data are used for decisions based solely on automated processing (also profiling), including meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject? GDPR Articles 13.2(f) and 14.2(g)
  9. by which legitimate interest (if controller relies on GDPR Article 6.1(f) as legal basis) is personal data processed by controller, and by which legitimate interest is personal data processed by a third party? GDPR Articles 13.1(d) and 14.2(b). Best practice is to provide information (in or by a link from the Privacy Policy) that processing is in controller’s interests that override the data subject’s interests.
  10. in which period is specific personal data stored or processed for a specific purpose, or what are the criteria to determine that period (including the duration of the operation of cookies)? GDPR Articles 13.2(a) and 14.2(a).
  11. what is the legal basis for the processing purpose?
  12. whether there is information about the existence of the right to withdraw consent?
  13. what is the identity of the controller, including contact details (name, address, phone number, email etc) of controller? GDPR Articles 13.1(a) and 14.1(a).
  14. what is the identity of controller’s representative (if applicable)? GDPR Articles 13.1(a) and 14.1(a).
  15. what are the contact details (name, address, phone number, email etc) of controller’s data protection officer (if any)? GDPR Articles 13.1(b) and 14.1(b).
  16. what is the identity of the recipients of the personal data (if any), including contact details (name, address, phone number, email etc) of 1) separate controllers, 2) joint controllers, 3) processors, 4) third party recipients? Alternatively, controllers can provide information on the categories of recipients by indicating the type of recipient, i.e. by reference to the activities it carries out, the industry, sector, sub-sector or location of the recipients. If the controller provides information on the categories of recipients (and not by name etc), the controller must be able to demonstrate why it is fair for it to take this approach. GDPR Articles 13.1(e) and 14.1(e).
  17. what are the rights of the data subject, including the right to withdraw consent at any time (if consent is relied on as legal basis), the right to lodge a complaint with a supervisory authority and how can the data subject take steps to exercise the rights? GDPR Articles 13.2(b) and 14.2(c).

Privacy Policy Content: Must information be linked?

Must the information in the Privacy Policy be linked?

The GDPR indicates that at least some parts of the information in the Privacy Policy must be linked.

GDPR Article 13.1(c) says:

“the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;”

The wording of GDPR Article 13.1(c) indicates that the legal basis D1 for a specific purpose C1 must be linked to a specific processing activity B1 carried out on specific personal data A1.

Also, GDPR Article 13.2(a) says:

“the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;”

The wording of GDPR Article 13.2(a) indicates that the specific personal data A1 must be linked to a specific processing activity B1 with a specific processing duration or the specific personal data A1 must be linked to a specific processing purpose C1 with a specific purpose duration.

This is supported by the principle in GDPR Article 5.1(b) that says:

“personal data shall be collected for specified … purposes”.

In its literal sense, “collected for specified purposes” means:

the controller has a duty to link the specific information in the Privacy Policy to enable the data subject to use that information to assess which specific personal data A1 is processed by a specific processing method and activity B1 (with a specific processing duration) for a specific processing purpose C1 (with a specific purpose duration) on a specific legal basis D1 by a specific controller E1. Controller’s duty to link the specific information enables the data subject to clearly comprehend, without any guesswork, that A1 is processed by activity B1 and not B2 for the specific purpose C1 and not C2 etc.

However, linking information is not sufficient to reduce or remove ambiguity and interpretation from the information. This is dealt with below.

Privacy Policy Content: Must a specific processing operation be separate?

Must the Privacy Policy provide separate processing purposes?

Yes, at least for consent requests.

The controller has a duty to provide only one processing purpose in a single consent request, to enable the data subject to freely give or refuse consent to each separate data processing operation (GDPR Article 6.1(a), GDPR Recital 43).

It follows that the GDPR prohibits controllers from bundling several processing purposes in a single consent request.
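The linking described above (A1 processed by activity B1 for purpose C1 on legal basis D1 by controller E1, with a duration), the one-purpose-per-consent-request rule, and the "immutable record of a unique identity for each processing purpose" from the what-to-do steps all come down to how a processing operation is recorded. The Python below is an added illustration of one such record; it is not Signatu's Data Processing Specification format, and the field names, the `REQUIRED_FIELDS` tuple and the sample operations are assumptions made for the example.

```python
"""Linked processing-operation records with content-derived identities.

Added illustration only; this is not Signatu's Data Processing Specification
format. One record links the personal data (A1), the processing activity (B1),
the purpose (C1), the legal basis (D1) and the controller (E1) together with
the retention period, so none of them has to be guessed from another part of
the Privacy Policy. The identity is derived from the record's content, so a
purpose that is widened or blurred gets a new identity, and a consent request
that bundles more than one purpose is rejected.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

# Assumed set of required links for this example.
REQUIRED_FIELDS = ("personal_data", "activity", "purpose", "legal_basis", "controller", "duration")


@dataclass(frozen=True)
class ProcessingOperation:
    personal_data: str   # A1, e.g. "email address"
    activity: str        # B1, e.g. "storage"
    purpose: str         # C1, e.g. "send invoices" (one purpose per operation)
    legal_basis: str     # D1, e.g. "Art. 6.1(b) contract"
    controller: str      # E1, the controller's identity
    duration: str        # retention period or the criteria to determine it (Art. 13.2(a))

    def identity(self) -> str:
        """Stable id derived from the content; any change to any field yields a new id."""
        canonical = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()[:16]


def missing_links(op: ProcessingOperation) -> List[str]:
    """Names of required fields left empty, i.e. information not linked to this operation."""
    return [name for name in REQUIRED_FIELDS if not getattr(op, name).strip()]


def consent_request_ok(ops: List[ProcessingOperation]) -> bool:
    """A single consent request may cover exactly one purpose (Art. 6.1(a), Recital 43).
    Several operations (e.g. storage and sending) may share that one purpose."""
    if not ops or any(missing_links(op) for op in ops):
        return False
    return len({op.purpose for op in ops}) == 1


def purpose_changed(recorded_id: str, current: ProcessingOperation) -> bool:
    """Compare the id stored when the policy was published with the operation as it is now.
    True means the purpose (or another linked element) changed, so a new policy version,
    and possibly new consent, is needed."""
    return recorded_id != current.identity()


if __name__ == "__main__":
    # Constructed sample operations.
    invoices = ProcessingOperation("email address", "storage", "send invoices",
                                   "Art. 6.1(b) contract", "Example Ltd", "contract term + 5 years")
    news = ProcessingOperation("email address", "sending", "send newsletters",
                               "Art. 6.1(a) consent", "Example Ltd", "until consent is withdrawn")
    print(consent_request_ok([news]), consent_request_ok([invoices, news]))  # True False
```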

Consent requests must be provided at the same time in controller’s Consent Dialogue, Privacy Settings Dashboard (for consent withdrawal) and Privacy Policy.

Please see our GDPR Consent Guide.

Privacy Policy Content: Must a single specific purpose be limited?

Can a specific processing purpose be widened without requiring a new Privacy Policy with a new specified processing purpose?

Yes, a specific processing purpose can be widened, but there are limitations.

Please see our GDPR Consent Guide.

If a specific processing purpose is widened, then that specific processing purpose must be declared in a new Privacy Policy version that is provided to data subjects (see below).

Privacy Policy Content: Is information understandable?

What are the information quality requirements for the Privacy Policy?

GDPR Article 12.1 says:

“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 … to the data subject in a(n) … intelligible … .”

This is supported by GDPR Recitals 39 and 58.

GDPR Recital 39 says:

“… The principle of transparency requires that any information and communication relating to the processing of those personal data be … easy to understand … .”

GDPR Recital 58 says:

“The principle of transparency requires that any information addressed to the public or to the data subject be … easy to understand … .”

In its literal sense, intelligible/understandable information (referred to in Articles 13 and 14) means:

the controller has a duty to provide the specific and linked information in the Privacy Policy to the data subject to enable the data subject to use that information to assess the effects of controller’s data processing operations without ambiguity and interpretation from the information.

Must the information in the Privacy Policy be understandable in the mind of the author or the reader?

Please see our GDPR Consent Guide.

Which language properties make the Privacy Policy easy to understand?

Please see our GDPR Consent Guide.

Watch this space for guidance!

Privacy Policy Content: Is form of information easily accessible?

Which form makes the Privacy Policy accessible?

GDPR Article 12.1 says:

“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 … to the data subject in a(n) easily accessible form …”

This is supported by GDPR Recitals 39 and 58.

GDPR Recital 39 says:

“… The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible … .”

GDPR Recital 58 says:

“The principle of transparency requires that any information addressed to the public or to the data subject be … easily accessible … .”

WP29 (endorsed by EDPB) says that written information in Privacy Policies must be accessible for vision-impaired end users (if any), see Guidelines on Transparency under Regulation 2016/679 (wp260rev.01).

What makes information in a Privacy Policy accessible?

End user accessibility needs relate to:

  1. Visual acuity (clarity)
  2. Light and glare sensitivity
  3. Contrast sensitivity
  4. Field of vision
  5. Color vision

Please see our GDPR Consent Guide.

Privacy Policy Content: Is format of information easily accessible?

Which format makes the Privacy Policy accessible?

The GDPR does not prescribe the format or modality by which the Privacy Policy information should be provided to the data subject, but makes it clear that controller has a duty to take “appropriate measures” in relation to the provision of the required information for transparency purposes. In a digital context, the controller must assess in which formats the Privacy Policy should be provided, including HTML, JSON, XML, PDF etc.

Privacy Policy Content: Can text be supplemented by icons etc?

Can the information in writing be supplemented by icons etc?

Yes.

GDPR Article 12.1 says:

“… The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. …”

GDPR Article 12.7 says:

“The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.”

GDPR Recital 60 says:

“… That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.”

Privacy Policy Content: Must information changes be tracked by versions?

Must a change to the Privacy Policy be tracked and versioned?

Yes.

Privacy Policy Content: Must users be notified of information changes?

Must data subject be notified of changes to the Privacy Policy?

Yes, see below.

Privacy Policy Dialogue: Provided free of charge?

Is the Privacy Policy provided free of charge?

GDPR Article 12.5 says:

“Information provided under Articles 13 and 14 … shall be provided free of charge.”

Privacy Policy Dialogue: Is dialogue easily accessible?

Which degree of availability makes the Privacy Policy dialogue easily accessible?

In addition to the duty to make the content of a Privacy Policy easily accessible, controllers have a duty to make the Privacy Policy dialogue easily accessible.

Similar to consent requests, a Privacy Policy must be clearly distinguishable from other information, which means that a Privacy Policy must without doubt and effort be recognized or identified as a Privacy Policy with features that distinguish the Privacy Policy from other matters.

What distinguishes a Privacy Policy from other matters consists of where the Privacy Policy is provided and how it differs from other information in the same context by design, areas, divisions, boundaries or edges that separate the Privacy Policy from the information near it.

Privacy Policy Dialogue: Is action to view Privacy Policy understandable?

The controller has a duty to enable the data subject to understand through which action the data subject grants or refuses permission to the controller to process the data subject’s personal data.

Similar to the requirements for the consent request itself, the controller has a duty to enable the data subject to have full knowledge of which actions the data subject uses to grant or refuse consent (“informed” etc).

Hence, these actions must be presented in clear and plain language and in an easily accessible form (GDPR Article 7.2).

The design of the consent dialogue must not be abusive design, deceptive design (e.g. a cookie loads before consent is given or loads when consent is refused), or dangerous design (e.g. a take-it-or-leave-it cookie wall, or last-minute consent in the final stages of an order).

Best in class design supports the action through which the data subject grants or refuses permission to the controller to process the data subject’s personal data with texts that state what the action of e.g. clicking a checkbox, button or switch means.

Watch this space for guidance!

Privacy Policy Dialogue: Is action to view specific parts of the Privacy Policy provided?

Is the action to view specific parts of the Privacy Policy provided?

WP29 (endorsed by EDPB) says it should be possible to navigate directly to a named section of a Privacy Policy by way of clickable links, see Guidelines on Transparency under Regulation 2016/679 (wp260rev.01).

Hence, the name of the section should clearly indicate which information is available in the section.

Privacy Policy Dialogue: Who provides information in case of joint controllership?

Who provides information in case controller (website operator) is joint controller with a third party (on a website)?

The controller has a duty to provide his/her Privacy Policy to the data subject.

In cases where a website operator is joint controller with a 3rd party on the website, the Advocate General in the Fashion ID case says the website operator is in a position to provide end users with information that is relevant for consent:

  1. the identity of the 3rd party who is a joint controller,
  2. the purpose of the respective stage of the processing over which the website operator and 3rd party have joint control,
  3. the fact that personal data will be transferred to a 3rd party.

The opinion of the Advocate General has equal relevance for Privacy Policies:

The website operator is in a position to provide data subjects with the essence (GDPR Article 26.2) of the arrangement between the joint controllers regarding their respective responsibilities to comply with the duties to provide the information under Articles 13 and 14 (GDPR Article 26.1). This information must make it completely clear to a data subject which controller the data subject can approach to exercise one or more of their rights under the GDPR.

Privacy Policy Dialogue: When to provide information where data is collected directly from the data subject?

When must controller provide the data subject with the Privacy Policy?

GDPR Article 13 applies to the scenario where the controller collects the personal data directly from the data subject.

This includes personal data that:

  1. a data subject consciously provides to a data controller (e.g. when completing an online form); or
  2. a controller collects from a data subject by observation (e.g. using automated data capturing devices or data capturing software such as cameras, network equipment, wifi tracking, RFID or other types of sensors).

Article 13.1 says the information must be provided:

“at the time when personal data are obtained”.

Privacy Policy Dialogue: When to provide information where data have not been obtained from the data subject?

When must controller provide the data subject with the Privacy Policy?

Article 14 applies in the scenario where the controller does not obtain the personal data from the data subject.

This includes personal data which a controller has obtained from sources such as:

  1. third party controllers;
  2. publicly available sources;
  3. data brokers; or
  4. other data subjects.

WP29 (endorsed by EDPB) says the following in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01):

Under Article 14, the time frames within which the required information must be provided to the data subject are set out in GDPR Article 14.3 (a) to (c) as follows:

  1. The general requirement is that the information must be provided within a “reasonable period” after obtaining the personal data and no later than one month, “having regard to the specific circumstances in which the personal data are processed” (GDPR Article 14.3(a)).
  2. The general one-month time limit in GDPR Article 14.3(a) may be further curtailed under Article 14.3(b), which provides for a situation where the data are being used for communication with the data subject. In such a case, the information must be provided at the latest at the time of the first communication with the data subject. If the first communication occurs prior to the one-month time limit after obtaining the personal data, then the information must be provided at the latest at the time of the first communication with the data subject, notwithstanding that one month from the point of obtaining the data has not expired. If the first communication with a data subject occurs more than one month after obtaining the personal data, then GDPR Article 14.3(a) continues to apply, so that the GDPR Article 14 information must be provided to the data subject at the latest within one month after it was obtained.
  3. The general one-month time limit in GDPR Article 14.3(a) can also be curtailed under GDPR Article 14.3(c) which provides for a situation where the data are being disclosed to another recipient (whether a third party or not). In such a case, the information must be provided at the latest at the time of the first disclosure. In this scenario, if the disclosure occurs prior to the one-month time limit, then the information must be provided at the latest at the time of that first disclosure, notwithstanding that one month from the point of obtaining the data has not expired. Similar to the position with GDPR Article 14.3(b), if any disclosure of the personal data occurs more than one month after obtaining the personal data, then Article 14.3(a) again continues to apply, so that the GDPR Article 14 information must be provided to the data subject at the latest within one month after it was obtained.

Therefore, in any case, the maximum time limit within which GDPR Article 14 information must be provided to a data subject is one month.

Controllers have a duty to be able to justify why the information was provided at the time it was.

WP29’s position is that data controllers should provide the information to data subjects well in advance of the stipulated time limits.
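The three limbs of Article 14.3 summarised above form a small decision rule: the deadline is one month after the data were obtained, pulled forward to the first communication or first disclosure when either happens within that month, and never pushed back by one that happens later. The Python below is an added illustration of that rule for an accountability check (step "justify why the information was provided at the time it was"); it is not code from WP29, the EDPB or Signatu. It assumes "one month" means the same calendar day of the following month, clamped to that month's last day, and all dates are constructed sample values.

```python
"""Latest date by which Article 14 information must be provided.

Added illustration of the WP29 reading of GDPR Article 14.3(a)-(c) summarised
above; it is not code from any authority. The deadline is one month after the
data were obtained, pulled forward to the first communication with the data
subject or the first disclosure to a recipient when either happens earlier.
Assumption: "one month" is the same calendar day of the next month, clamped
to that month's last day.
"""
import calendar
from datetime import date
from typing import Optional, Tuple


def one_month_after(d: date) -> date:
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def article14_deadline(obtained: date, first_communication: Optional[date] = None,
                       first_disclosure: Optional[date] = None) -> Tuple[date, str]:
    """Return (deadline, trigger), trigger naming the Article 14.3 limb that sets it."""
    deadline, trigger = one_month_after(obtained), "Art. 14.3(a) one month"
    for when, label in ((first_communication, "Art. 14.3(b) first communication"),
                        (first_disclosure, "Art. 14.3(c) first disclosure")):
        # An event after the current deadline never extends it; an earlier one shortens it.
        if when is not None and when < deadline:
            deadline, trigger = when, label
    return deadline, trigger


def _parse(s: Optional[str]) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def deadline_iso(obtained: str, first_communication: Optional[str] = None,
                 first_disclosure: Optional[str] = None) -> Tuple[str, str]:
    """Same rule over ISO 8601 date strings, as they would appear in a processing record."""
    deadline, trigger = article14_deadline(_parse(obtained), _parse(first_communication),
                                           _parse(first_disclosure))
    return deadline.isoformat(), trigger


def provided_in_time(provided_on: str, obtained: str, first_communication: Optional[str] = None,
                     first_disclosure: Optional[str] = None) -> bool:
    """Accountability check: was the Article 14 information given on or before the deadline?"""
    deadline, _ = deadline_iso(obtained, first_communication, first_disclosure)
    return date.fromisoformat(provided_on) <= date.fromisoformat(deadline)


if __name__ == "__main__":
    # Constructed sample dates.
    print(deadline_iso("2024-01-10"))                                    # one-month limb
    print(deadline_iso("2024-01-10", first_communication="2024-01-20"))  # first communication
    print(deadline_iso("2024-01-10", first_communication="2024-03-01"))  # still one month
```

WP29's point that the information should be given well in advance of these limits is not encoded here: the function returns the latest permissible date, which a controller should treat as a ceiling, not a target.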

Privacy Policy Dialogue: When to provide information where further processing for a new purpose is intended?

When must controller provide the data subject with the Privacy Policy where further processing for a new purpose is intended?

GDPR Article 13.3 says:

“where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.”

GDPR Article 14.4 says:

“where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.”

These provisions specifically give effect to the principle in GDPR Article 5.1(b) that says:

“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;”

Where personal data are further processed for purposes that are compatible with the original purposes (GDPR Article 6.4 informs this issue), GDPR Articles 13.3 and 14.4 apply.

Information in relation to further processing must be provided “prior to that further processing”.

These articles promote the position in the GDPR that data subjects should reasonably expect, at the time and in the context of the collection of personal data, that processing for a particular purpose may take place.

In other words, a data subject should not be taken by surprise at the purpose of processing of their personal data.

The principles of transparency, accountability and fairness under the GDPR require that controllers provide data subjects with further information on the compatibility analysis carried out under Article 6.4 where a legal basis other than consent or national/EU law is relied on for the new processing purpose.

What to do? Explain how the processing for the other purpose(s) is compatible with the original purpose. This will allow data subjects the opportunity to consider the compatibility of the further processing and the safeguards provided and to decide whether to exercise their rights e.g. the right to restriction of processing or the right to object to processing amongst others.

Inform how much time ahead of further processing?

WP29 (endorsed by EDPB) says in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01):

A reasonable period should occur between the notification and the processing commencing rather than an immediate start to the processing upon notification being received by the data subject.

This gives data subjects a meaningful opportunity to consider (and potentially exercise their rights in relation to) the further processing.

What is a reasonable period will depend on the particular circumstances.

The principle of fairness requires that the more intrusive (or less expected) the further processing, the longer the period should be.

The principle of accountability requires that controllers are able to demonstrate how the timeframe between notification of the changes and the change taking effect satisfies the principle of fairness to the data subject.

Privacy Policy Dialogue: When to provide information if information is changed?

When must controller provide the data subject with the Privacy Policy where changes are made to the Privacy Policy information that has previously been provided to a data subject and that does not concern further processing purposes?

The GDPR is silent on the timing requirements that apply for notifications if changes are made to the Privacy Policy information that has previously been provided to a data subject and that does not concern further processing purposes.

The principles of fairness and accountability require that controllers inform data subjects about what data subjects should reasonably expect, including the potential impact of those changes upon the data subjects.

WP29 (endorsed by EDPB) says in its Guidelines on Transparency under Regulation 2016/679 (wp260rev.01):

If the change to the information is indicative of 1) a fundamental change to the nature of the processing, e.g. new recipients or transfers to a third country, 2) a change which may not be fundamental in terms of the processing operation but which may be relevant to and impact upon the data subject, then that information should be provided to the data subjects well in advance of the change actually taking effect, and the method used to bring the changes to the data subject’s attention should be explicit and effective.

This is to ensure the data subject 1) does not “miss” the change, and 2) is given a reasonable timeframe to consider the nature and impact of the change and to exercise their rights under the GDPR in relation to the change (e.g. to withdraw consent or to object to the processing).

The principle of accountability requires that controllers are able to demonstrate how the timeframe between notification of the changes and the change taking effect satisfies the principle of fairness to the data subject.

The controller should explain what will be the likely impact of the changes on data subjects.

The controller should remind data subjects of the Privacy Policy at appropriate intervals.

Contact us if you need help.