KirkpatrickPrice
Privacy Policies Built for GDPR Compliance

Do you need to update your privacy policy to meet GDPR requirements? Article 13 under Section 2 of GDPR, “Information and Access to Personal Data,” states the information that must be provided when personal data is collected from a data subject. Following the guidance of Article 13 and related provisions, this checklist should help your organization create a GDPR-compliant privacy policy.
To ensure fair and transparent processing, the law states that privacy policies must demonstrate the following:

• Identify the data controller (Article 13(1)(a))
• Identify the data protection officer (Article 13(1)(b))
• Define the purposes of processing (Article 13(1)(c))
• Define the legal basis for processing (Article 13(1)(c))
• When “legitimate interests” are your legal basis for processing, describe the legitimate interests for processing (Article 13(1)(d))
• Describe the recipients or categories of recipients of personal data (Article 13(1)(e))
• If applicable, identify any intent of international transfers of personal data (Article 13(1)(f))
• If applicable, identify safeguards for international transfers of personal data (Article 13(1)(f))
• Define the data retention period (Article 13(2)(a))
• Describe data subjects’ right of access to personal data (Article 13(2)(b))
• Describe data subjects’ right to rectification of personal data held where it is incorrect, incomplete, or out of date (Article 13(2)(b))
• Describe data subjects’ right of erasure of personal data if certain grounds are met (Article 13(2)(b))
• Describe data subjects’ right to restrict processing of personal data in certain cases (Article 13(2)(b))
• Describe data subjects’ right to complain to a supervisory authority (Article 13(2)(d))
• If processing is based on consent and automated means, describe data subjects’ right of data portability (Article 13(2)(b))
• If processing is based on consent, describe data subjects’ right to withdraw consent at any time (Article 13(2)(c))
• If processing is based on legitimate interests, describe data subjects’ right to object to processing (Article 13(2)(c))
• Describe data subjects’ right to object to processing of personal data for direct marketing purposes (Article 13(2)(c))
• Identify whether the requirement to provide personal data is a legal or contractual requirement (Article 13(2)(e))
• If applicable, identify the use of automated decision-making, including profiling (Article 13(2)(f))
• Describe the use of online identifiers (cookies, IP addresses, or other unique identifiers) (Recital 30)
• Describe the safeguards for processing personal data (Recital 39)
• Describe the risks to data subjects (Recital 39)