Is your Privacy Notice complete?
A GDPR fine reveals gaps in necessary privacy information
A core GDPR theme is transparency: being upfront and open about how people’s personal information is collected and used. People have a fundamental right to be informed, and one of the key ways organisations can meet this is with easily accessible privacy notices.
Four years ago, in the run up to GDPR enforcement, many businesses rushed to make sure their privacy notices met the enhanced and specific requirements.
- When did you last review yours?
- Have your business activities changed in recent years?
- Are you sure you’ve got everything covered?
It can be easy to think nobody actually reads our privacy notices, but some do, and a regulator most definitely would. A recent 725,000 Euro fine for a lack of transparency shows how it can come back to haunt you if you’ve left vital aspects out, or not been as clear as you could have been.
This is an area in which some major charities were found wanting before GDPR was even enforced. Back in 2017 the Information Commissioner’s Office (ICO) issued a series of fines, and a key finding was that the charities had failed to tell people about activities such as wealth-screening and appending telephone numbers.
The GDPR fine
Fast forward to 2022 and a recent fine against Klarna Bank AB, by the Swedish Data Protection Authority (IMY), reveals a failure to give customers necessary privacy information.
What necessary information did the bank not provide?
- Purposes and lawful basis for processing
For one of the bank’s services, it was found that Klarna did not provide information on the purpose(s) for which it was processing personal data or the lawful basis/bases it was relying on.
- Recipients with whom data is shared
It was found that incomplete and misleading information was provided about the other companies with which Klarna shared personal data.
- International transfers
Information was not given on which countries outside the EU/EEA personal data was transferred to. There was also no information about the safeguards which might apply to such transfers.
- Individual rights
Incomplete information was provided about people’s privacy rights, such as the right to erasure, data portability and the right to object.
In conclusion, it was found that Klarna had failed to fulfil the basic principle of transparency and people’s right to information.
Privacy notice checklist
The 7 essential elements
- Name and contact details of your organisation
- Purposes of processing – explain each different purpose you use people’s personal information for.
- Lawful basis for processing – explain the lawful basis you rely on to collect and use people’s personal data.
- Data retention – tell people how long you envisage keeping personal data for, or at least the criteria used to decide retention periods.
- Privacy rights – tell people what their privacy rights are and how they can exercise them: the right of access, erasure, objection, rectification, data portability and restriction.
- Right to withdraw consent – tell people they can withdraw their consent at any time, where this is the lawful basis you are relying on. It should be as easy to withdraw consent as it is to give it and you should tell people how they can withdraw their consent.
- Right to lodge a complaint – tell people they have the right to complain to a supervisory authority, for example the Information Commissioner’s Office in the UK.
7 more points to include, if relevant for your business
Where applicable you’re also required to provide the following details:
- DPO – Provide contact details of your Data Protection Officer (if you have appointed one)
- Data Protection Representative – If you are based outside the EU/UK, but you offer services to or monitor the behaviour of people based in the EU/UK, you should have a Data Protection Representative and provide contact details for them.
- Legitimate Interests – Explain which purposes you rely on legitimate interests for.
- Recipients, or categories of recipients – Provide details of who you’ll share people’s personal data with. This includes suppliers acting as processors, handling data on your behalf. ICO guidance states you can provide specific names, or at least the categories of organisation they fall within.
- International Transfers – Inform people if you transfer their personal data to any countries outside the UK (or, if based in the EU, outside the EU). Explain whether transfers are based on an adequacy decision. If not, provide a description of the other safeguards in place, such as Standard Contractual Clauses.
- Automated decision-making, including profiling – Tell people if you make solely automated decisions, including profiling, that may have a legal or similarly significant effect on individuals. Meaningful information should be provided about the logic involved, the significance and the envisaged consequences.
- Statutory/contractual obligations – Let people know if you are required to collect their data by law or under contract, and the consequences should they not provide necessary information.
In addition to the above there are some other best practice points, such as indicating when the privacy notice was last updated and offering further assurances surrounding how personal data is protected.
Furthermore, if you collect details about people from another source, in other words not directly from them, you should make sure you tell them you are handling their personal data and provide the relevant privacy information.
This case serves as a reminder that we need to regularly review our privacy notices. Put very simply, the law says there should be no surprises about how we’re using people’s personal data.
Our privacy notice may be the least clicked link on our websites, but it’s not just regulators and people like me who read them. It’s not unusual for businesses, as part of their data protection due diligence when considering working with other companies, to take a peek at privacy notices to check they look relatively in order.