A privacy notice (also called privacy information or a privacy policy) is a statement that gives people the essential facts about their personal data and how it is processed. It informs data subjects of their rights and of how their personal data is collected, used, shared, stored and retained. Your privacy policy must be easily accessible and written in clear, straightforward language that anyone can understand.
Why You Need A Privacy Notice
Privacy notices are a requirement of the law. The General Data Protection Regulation (GDPR), as well as the Nigeria Data Protection Regulation (NDPR), requires data controllers to provide data subjects with a privacy notice at the time their personal data is collected. A data controller is the person or organisation that determines the purposes and means of processing personal data. So, if you have a website or an app (mobile or web) that collects personal information from its users, you are required by law to have a privacy policy. Apart from being a requirement of the law, a privacy notice creates a level of trust between a user and an organisation.
What To Include In Your Privacy Policy?
- Information about your organization – It is good practice to include relevant details about your organization in the privacy policy.
- The information you collect – Your privacy notice should outline the specific types of personal information you collect; this matters because the legal definition of personal data is broad. In addition to stating the types of information collected, your privacy notice should also state the sources from which users' personal information is obtained, e.g., contact forms, or technical data such as IP addresses and the user's location collected automatically when they use the service.
- The contact details of the organisation's data protection officer, where one has been appointed – This person is responsible for overseeing the organisation's data protection strategy and ensuring compliance with the requirements of the law. The officer also serves as the point of contact for complaints and enquiries from users about the organisation's data processing practices.
- Lawful basis for processing data – The law provides that organisations can only process personal data if there is a lawful basis for doing so. The lawful bases recognised by the law are:
  - the data subject has given consent to the processing; or the processing is necessary:
  - to perform a contract with the data subject or to take steps at their request before entering into one;
  - to comply with the data controller's legal obligations;
  - to protect the data subject's vital interests;
  - for a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  - for the purposes of legitimate interests pursued by the data controller or a third party, except where those interests are overridden by the interests or rights of the data subject.
Your privacy policy should specify which of the bases you are relying on for processing the personal data of users.
- Retention period – Under the law, personal data may be kept only for as long as it is needed for the purpose for which it was collected and the lawful basis for processing still applies; in some situations a specific maximum retention period is prescribed. A privacy policy should state how long users' personal data will be retained or, where a fixed period cannot be given, the criteria used to determine that period.
- Third parties with whom you share the personal data of users – Your privacy policy should state whether or not you share users' personal data with third parties and, if you do, the categories of recipients (for example, service providers who host or process the data on your behalf) and why the data is shared with them.
- The rights of the data subject – Data subjects have rights under the law, and it is imperative to set them out in your document. Data subjects have the right:
  - to access their personal data and to obtain information on how it is being processed;
  - to rectification of their data;
  - to the erasure of their data (the right to be forgotten);
  - to restrict the processing of their data;
  - to data portability;
  - to object to the processing of their data; and
  - not to be subject to a decision based solely on automated processing.
If you do not yet have a privacy policy on your app or website, now would be a good time to create one, and yes, you should reach out to a lawyer to help with drafting it.