The privacy statement

Privacy Label summarises your privacy statement. You can also use it for privacy communication concerning a product, service or project. Privacy Label does not replace your privacy statement, so your labels should always link to it. If a data subject wants to learn more about what you do with personal data, they can take a look there.
According to the GDPR, there are a couple of key elements which should be stated in your privacy statement. Here, you'll learn more about them.

The information in your privacy statement should be:
  1. Accurate, complete and up to date, understandable and clear;
  2. Informative and focused on understanding the target group;
  3. Not misleading.

Also take into account the information obligation of the ePrivacy Directive.

Some legal basics

Almost every organisation processes personal data, for example information about customers, users, suppliers or employees. When you process personal data, you must be clear on why and how. This clarification should be easy to find, so that people are able to read it before they buy anything, become a member or answer questions. All organisations have the obligation to inform their existing and future customers about the processing of their personal data.

Transparency

Transparency is an essential principle in the GDPR. Without transparency, processing can never be lawful. For data subjects, it must be clear what personal data is processed and for which specific purposes. If data subjects are not informed about what happens to their personal data, they don’t have the ability to exercise their rights.

On a more technical note: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Therefore, transparent communication is essential and there is no legitimacy in processing personal data without transparency.

GDPR articles

GDPR Article 12 states that all data subjects have the right to transparent information, communication and modalities for the exercise of their rights.

GDPR Articles 13 and 14 describe what you should communicate. Article 13 concerns information to be provided where personal data are collected from the data subject. Article 14 concerns information to be provided where personal data have not been obtained from the data subject, that is, from a source other than the person themselves.

Mandatory parts in every privacy statement

| Description                                                       | Article 13 | Article 14 |
|-------------------------------------------------------------------|------------|------------|
| Identity and contact details of controller                        | x          | x          |
| Contact details data protection officer                           | x          | x          |
| Purposes and legal basis for processing personal data             | x          | x          |
| Legitimate interests pursued by the controller or by a third party | x          | x          |
| Categories of personal data                                       |            | x          |
| Categories of recipients                                          | x          | x          |
| Third countries (and their level of protection)                   | x          |            |
| Functioning of data subject rights                                | x          | x          |
| Retention periods                                                 | x          | x          |
| Functioning of complaints                                         | x          | x          |
| Rights concerning automated decision making (including profiling) | x          | x          |
| Source of personal data (when collected from another source)      |            | x          |

Not mandatory, but optional

How do you secure personal data?
It's not mandatory, but highly recommended, to provide information concerning your technical and organisational measures to secure personal data. In this part of the privacy statement you can specify that data is being protected and what measures you take in general.

Explanation of your business.
To provide some context to your privacy statement, we recommend providing some information on what your organisation does. This way, the reader can get a better understanding of your privacy information.

A general explanation of GDPR law and privacy.
Your privacy statement should always take the knowledge and perception of data subjects into account. Data subjects might not have knowledge about privacy and privacy law. Therefore, we recommend explaining to them what privacy is and giving an explanation of jargon or technical concepts in the GDPR. For instance, give a short explanation of the concept of personal data. If the organisation also processes special categories of personal data, then briefly explain what they are, and that it is legally prohibited to process those data unless the organisation can invoke a specific exception.
