Privacy Notices Solicitors

On 25 May 2018 the General Data Protection Regulation (GDPR) took effect across the EU. It introduced a number of changes to data protection law, including new obligations that organisations must meet.

One of the core requirements of the GDPR is to know and to document the personal data that an organisation uses: what it is used for, where it is stored, where it flows from and to, and how it is protected. If you are a data controller, you must also provide a privacy notice that tells data subjects how their personal data are processed.

What are privacy notices?

Under the GDPR, data controllers, including employers, are required to provide the individuals whose data they process with extensive information about that processing. A privacy notice is key to satisfying this requirement. It explains the categories of personal data an organisation collects and how the organisation uses, stores, discloses, and secures that data. In addition, the notice should inform individuals of the legal basis relied on for each processing purpose.

Why do I need a privacy notice?

Our privacy notices solicitors always point to Articles 13 and 14 of the GDPR, which provide that:

  • When personal data is collected directly from data subjects, the controller must provide the privacy notice at the time of collection (Article 13); and
  • When personal data is obtained from another source, the controller must provide the privacy notice within a reasonable period after obtaining the data, and in any event within one month (Article 14). If the data are used to communicate with the data subject, the notice must be given at the latest at the time of the first communication.

Neither obligation applies if the data subject already has the information. Where the data was not obtained from the data subject, the Article 14 obligation also does not apply if providing the information is impossible or would involve a disproportionate effort, if obtaining or disclosing the data is expressly laid down by law, or if the personal data must remain confidential under an obligation of professional secrecy.

If employers fail to present their privacy notices in an appropriate manner, or omit required information, they will be in breach of the GDPR and may face enforcement action by supervisory authorities such as the ICO. The most relevant enforcement actions in the context of a non-compliant privacy notice are enforcement (compliance) orders and financial penalties. Because the transparency obligations concern data subjects' rights, they fall into the upper tier of fines: up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is higher.

How do I create a privacy notice?

A GDPR-compliant privacy notice must include specific information but does not need to follow any particular format. The notice can be provided electronically or given to employees and other individuals in hard copy. Privacy notices are often linked from a company's website or from its email signature.

The privacy notice should be easily understandable to an individual with no background in privacy or law. Avoid technical and legal jargon, and break the text up with sensible headings that identify the relevant sections.

Employers should prepare privacy notices for each stage of the employment lifecycle, starting with recruitment, so that the notices accurately reflect how individuals' personal data are processed at each stage. Separate notices, or separate sections, will typically be needed for job applicants, employees, and contractors.

Privacy notices must be tailored to each organisation; no single template is appropriate for all employers. Employers must ensure that every part of the notice accurately reflects their actual or anticipated personal data collection and handling practices.

Contact our privacy notice solicitor Neil Williamson for further advice and assistance.