A failure to ensure data privacy notices comply with the transparency principle of the GDPR is a common problem. I recently completed some work for a German technology client, including a review of their existing Article 13 privacy statement, prepared by a legal professional. The client wasn’t particularly happy when I highlighted the statement didn’t meet the requirements of the GDPR and couldn’t understand why this carefully crafted (and apparently expensive) “legal document” needed to be rewritten.
The statement failed in a fundamental and very common way, ensuring it couldn’t meet the foremost principle of the GDPR: it was not clear from the statement how personal data was being collected, and how it was going to be used.
The GDPR’s transparency requirements are set out in detail in Chapter III, Sections 1 and 2. In particular, Articles 13 and 14 set out the information to be provided to data subjects. However, it wasn’t in respect of these two articles that the statement fell down. Instead, it was the failure to meet the requirements of Article 12.
In my view, Article 12 is the most important in reflecting the intent of the transparency principle. It says a privacy statement must (amongst other things):
- be concise;
- be intelligible; and
- use clear and plain language.
Unfortunately, very few privacy statements we see meet the requirements of Article 12, and we have heard representatives of supervisory authorities make the same observation.
So, when we develop privacy statements, Article 12 should be at the heart of our drafting process. Here are ten core principles we use to guide us:
Avoid long, single statements
Long statements covering every single data processing operation are not going to be concise and are unlikely to meet the other requirements of the GDPR.
Instead, develop separate privacy statements for discrete activities or products which can be easily accessed by the affected data subjects at the point they start providing their personal data. For instance, your on-line customers don’t need to know how you will treat their personal data as a job applicant. So, have a separate privacy statement for job candidates. If you have different products, consider discrete privacy statements for those products if they process personal data in different ways. Equally, if you have different audiences (for instance corporate customers and consumers), you may want a separate statement for each audience.
Provide summaries at interaction points
Wherever data subjects are asked to provide personal data, provide short one- or two-line summaries of what the personal data is going to be used for, even where consent for the processing isn’t being sought. Links should be provided to relevant, more expansive privacy statements, focussed on the specific product or business process the personal data is being used for.
The expansive privacy statements do not always need to restate the information already provided.
Don’t use legalese
Recital 39 of the GDPR says the principle of transparency requires information relating to the processing of personal data be easy to understand, and that clear and plain language be used.
This means avoiding:
- legalese;
- language that is not going to be understood by the reader; and
- language that is confusing or ambiguous.
A statement like “this data privacy statement supplements other policies and notices and is not intended to override them” is a good example of language that is not plain and clear.
Be concise
In addition to having separate statements for different processing operations, each statement should be concise. This can be achieved in a number of ways:
- Where it is legitimate, avoid trying to be exhaustive in your statement. Instead, ensure you describe processing activities clearly and expansively enough to cover them in a way that fairly sets the expectations of the data subjects.
- Don’t include unnecessary information. For example, it is not necessary to discuss consent, and the right to withdraw it, where consent is not relied on as a lawful basis for processing.
- Think carefully what you actually do need in your privacy statement. Do you really need your privacy statement to describe privacy law in detail, to provide lists of definitions, and to explain things in minutiae?
Segment by process or category
Segment your privacy statement in a way that is logical and meaningful for the reader.
Where your privacy statement covers several associated data processing activities, structure the statement by discrete activity or category (for example: Personal Details; Health Information; and Financial Information). Aggregate all the core disclosures relating to the discrete category or activity (purposes, legal basis for processing, retention period, and where appropriate, the recipients) under a single heading for that category or activity.
By contrast, avoid structuring the statement in a way that disconnects the disclosures (or elements of them) from the description of the data processing activity they relate to. This happens most commonly in data privacy statements that segment by disclosure elements (e.g. the data we collect; how we use your personal data; purposes for which we use your personal data).
Presentation
Think carefully about the presentation. Consider whether the statement can be presented in a way that makes the most important information immediately clear and obvious to the data subject, and that points them to where they can find more detailed information if they want it (for example through links or drop downs). However, the statements must always remain easily navigable.
Get a lay person to read the statement
Before you publish the statement, ask someone not connected with the privacy programme or the development of the statement to read it. Get them to explain in their own words what the statement is saying, and get their feedback on whether they found it to be concise, transparent and intelligible, as well as whether its language was clear and plain. If they are confused, or can’t get to the end, then you need to consider redrafting the statement.
Don’t ask data subjects to “accept” the privacy statement
Data subjects should not be asked to accept privacy statements. There is no requirement under the GDPR that they do so, and asking a data subject to accept the statement suggests that consent is being sought for the data processing it relates to. This in turn could impose the GDPR’s conditions for consent on the processing, which are difficult to attain and are unlikely to have been met by the acceptance mechanism adopted.
Don’t call a privacy statement your Data Protection Policy
A data protection policy is the set of principles adopted by the data controller to manage the data protection risk it is subject to, in a way that reflects how it wishes to respond to that risk. It forms the framework for the procedures that will be implemented to deliver the policy. This is fundamentally different to a data privacy statement.
Be prepared to compromise
There is no “perfect” privacy statement. However, the best privacy statement is one the reader can actually understand, can get to the end of, and which provides them with sufficient information that they should not later be surprised by the processing of their personal data. This may mean making some compromises – so be prepared to do so if necessary.
Finally, read Article 12
Of course, we recommend you check out Article 12 yourself: https://gdpr-info.eu/art-12-gdpr/. Alternatively, ask us for help: https://www.impactprivacy.com/contact/