What information should your privacy statement contain?
From 25 May 2018 you are obliged to state what you do with personal data.
We can not say it enough: the 25th of May 2018 is coming closer. And there are a few things that need to be fixed concerning the processing of data and performing marketing activities.What if you don’t? Then you risk a hefty fine. It is therefore not only in the interest of the person concerned that you are clear about what you do with the personal data.
An important part of GDPR is your privacy statement. This is actually no more than a document in which you describe what data you collect and what you do with it. A privacy statement must be recorded in writing and must be described in plain language.
The privacy statement contains at least some general information. If you collect sensitive information, a number of specific rules have to be added. Did you receive data via a third party? Then you must also state this explicitly.
Privacy Statement Checklist:
You must include your company name, including the address details and a contact address for privacy-related questions.
A purpose can be the execution of the agreement, but it can also be a marketing goal, such as sending a newsletter. You must describe all purposes.
Legal grounds are, for example, permission, execution of an agreement or a legal obligation. If the processing of personal data is a legal or contractual obligation or necessary condition, you must also state the consequences of not providing the personal data.
If you want to send out newsletters, they must have given explicit permission for this. Subscribers must have the ability to unsubscribe at any moment.
INSIGHT AND CORRECTION
The person concerned has the right to view and change data and you must inform him / her about this. You can immediately state how the person concerned can submit that request.
You must explain what technical and organizational measures you have taken to protect personal data against loss or against any form of unlawful processing. When placing orders, for example, you need to secure the internet connection with SSL. But also think of passwords on the database itself.
You have to indicate how long the data is being stored, or otherwise: which criteria determine how long it will be stored.
The person concerned has the right to submit a complaint to the Dutch Data Protection Authority.
Only when applicable to the way you process or store data:
Contact details of the Data Protection Officer.
You must state to whom the data will be passed on. For example, because the data is stored at service providers, but also when data is collected and passed on to a partner. Sometimes it is sufficient to mention only the category (such as ‘payment services’), but often you will have to mention the specific party.
If the data is provided to a ‘third country’, for example because the servers are located in another country, you must also state this. You must also state whether the country has been declared adequate (at least these are all countries in the EU) or have appropriate data security in place. It is important that the data security rules are equal in another country.
If data has been obtained with permission, you must state that permission may also be withdrawn again.
If there is automated decision-making or profiling, then you must state why this is being done and what the expected consequences are.
When data are not obtained from the person concerned
The source where the personal data comes from, even if they come from a public source.
When do you provide the above information?
If the person concerned provides the data, you must inform him / her immediately. If you do not receive the personal data from the person concerned, you must inform him / her within one month after receiving the data or at the first contact (such as via direct marketing).
If you process the data on the basis of permission (such as a legal obligation or an agreement), then you will have to provide all information before you get permission. An example: you would like to collect data from interested people (for example to send them newsletters). Then you need permission to collect names and address details. At the subscription form you place a link to the privacy statement. In this way, the person concerned is already informed before he / she enters the personal details in the form.
We are happy to help you writing the privacy statement and ensure that your organization is ready for GDPR. Knowing more? Contact our specialist or download the whitepaper.