Do we need to rewrite our Privacy Notices for GDPR? (Download updated for 2020)

Yes, Eden Legal can guarantee that your notice under the old laws won’t give all the information required by GDPR. And if we are collecting data from or about children, all the more so. What if we only receive data from another party? Yes again.

Download in Section 3 below

1. Is this just about making consent fully informed?

No, this is information that data subjects must receive in order to make any type of processing fair. It might be linked to consent (data subjects need to know how their data will be used and shared in order to know what they’re consenting to). But this information needs to be given even if consent is not relied on, and our processing is based on our legitimate interests, necessity for legal compliance or performance of a contract (or any other legal basis).

2. Does this only apply if we collect data directly from data subjects?

No, we also need to give similar information if we obtain the data from a third party. The GDPR specifically foresees that situation. The information is not so different – and the GDPR helpfully explains that:
a) We don’t need to provide things the data subject already has received from somewhere else – so if we can convince the first party to include everything necessary in the information that they provide then we might be fine. Eden Legal is naturally suspicious of depending on third parties to do these things so doesn’t recommend (or see much benefit in) solely relying on the third party to give all the required information forever.
b) We don’t need to contact every data subject if this is impossible or would involve a disproportionate effort. Or if this would defeat the object of the processing (which might be the case in scientific studies).
c) The collection and protection of the data are mandated by law.
d) The data is confidential under a professional or statutory secrecy obligation (so you can pass data to your lawyer and they don’t need to reveal this to the data subjects, who might be your employees, users, vendors etc.)

Eden Legal recommends not paying too much attention to this part. It might be nice to fall back on if something goes wrong. As an example, if our website says “we need to pass your data to DHL to deliver your package” then that might be clear enough (and as other delivery companies are available perhaps it could save us from having to specify and keep changing the list in our Privacy Notice).

But websites change. A lot. Apps are hard to read. And change a lot too. Third parties may change the information disclosed and not tell you. And even within our own organisation, often the person writing the Privacy Notice is not the same (or even in the same office or country) as the one writing the website. Eden Legal would prefer to be sure that everything required is in our own Privacy Notice, under our control.

3. Are there any options?

In fact there are, and we can boil down the information to be given into two lists:

List 1: compulsory information that needs to be given always, and
List 2: information that may at times need to be given “as necessary” in order to make the processing fair.

We’re getting used to GDPR now so there are plenty of examples of how to do this, and the Working Party of Data Protection Authorities produced some (rather conservative) Guidelines.

Or download Eden Legal’s handier table here

Eden Legal takes the view that more transparency, clarity and specificity rather than less is very likely to help us, and may even reduce the impact of any future discrepancies over legal bases or transfers. Not only regulators but also our business partners are now asking to check privacy notices.

Not just the content but also the way it is given may be important. Is our current privacy notice “concise, transparent, intelligible and easily accessible…”, using clear and plain language? Ease of understanding will be even more under scrutiny for information addressed specifically to a “child” (usually under 16s, but not everywhere and not for all purposes). If you have millennials as your target group, consider whether lots of long text is even the correct medium and whether something like a video could be more suitable. Where our notice is long, the EU Guidelines encourage a “layered” approach (e.g. short paragraph summaries with fuller text behind a link). However, in practice this is not that commonly seen, possibly due to the difficulties of updating multiple pages. The GDPR also envisages icons, certification systems, seals and marks, which may be interesting options where they become available and commonly used.

There are also special situations where information can (or must) be given in other ways than in writing – e.g. when collecting data by telephone (though even then we’d say the call should be followed up by an email or some other way of accessing the information and showing it was given).

Whatever the situation, almost everyone needs a clear, GDPR compliant privacy notice in a publicly accessible place. GDPR doesn’t quite turn us into one of those restaurants where diners can see into the kitchen, but it does set out a few things that they are entitled to know before they sit down.

  • EU International Data Transfers - new 2021 Standard Contractual Clauses

    The European Commission has issued a new set of standard contractual clauses (“SCCs”) to address new requirements under the GDPR, changes in the digital economy, but most importantly the European Court’s judgment in Schrems II requiring supplementary measures for some exports. The new SCCs are comprehensive and fill some gaps; but they require data importers and exporters to invest significantly in documenting how they will overcome local government surveillance laws.

  • Adtech Regulation under the EU’s draft Digital Services Act

    A lot has been made of the liability and transparency provisions of the EU’s proposed Digital Services Act.

    However, there are also a few advertising-specific obligations (proposed to be) coming for online platforms that deserve a closer look.

  • "Due diligence" obligations for EU online platforms

    The quickest-possible look at the EU’s draft Digital Services Act and proposed new obligations for intermediaries and online platforms.

    Eden Legal will return with additional posts on: (1) liability for illegal content; and (2) specific adtech-related obligations, under the proposed Regulation.

    #Lawinagraphic – minimum wordiness, maximum user-friendliness.

  • How will Artificial Intelligence Systems be regulated in the EU?

    The European Commission has put forward a proposed Regulation on a European Approach for Artificial Intelligence, also known as the “Artificial Intelligence Act”. It’s a proposal and before entering into application faces a likely lengthy path through the EU institutions which seems bound to produce a hefty amount of debate and amendments.

  • 2021 will be the Year of Smart Contracts

    Smart contracts are here. Eden Legal’s very initial, very personal thoughts on them.

  • GDPR EU/UK Representative - do we need one?

    Everything you need to know about appointing an EU and/or UK representative as required by the GDPR.

    Update 14 February 2021: under the EU Council’s agreed position on the future E-Privacy Regulation, providers of electronic communications services, providers of publicly available directories, senders of direct marketing over electronic communications services, and anyone using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment (i.e. adtech!) will also be required to appoint a representative in the EU and communicate it to the relevant national supervisory authority.

  • GDPR and Brexit - take us to the bridge

    The EU-UK Trade and Cooperation Agreement has avoided major changes to personal data flows between the EEA and UK at least until 30 April 2021. However, if we process data of individuals in both the EEA and the UK, then we face the prospect of complying with two similar but distinct regulatory regimes.

  • The ICO fines Marriott and BA for GDPR Breaches - 10 Takeaways

    If you’re handling personal data subject to EU (and/or UK) laws then you would do well to read the UK Information Commissioner’s (“ICO”) decisions to fine Marriott and BA for failures to have in place appropriate cyber-security measures. And this post for 10 more easily digestible takeaways.

  • EU Court invalidates Privacy Shield - what to do?

    The Court of Justice of the EU has struck down the EU Commission’s EU-U.S. Privacy Shield Framework decision, but in principle left in place the EU Commission’s Standard Contractual Clauses, which organisations can sign in order to impose EU-style data protection obligations on non-EU data importers. For now, where we used to rely on the Privacy Shield framework, the pragmatic approach may be to sign SCCs – but the story won’t end there.

  • How do we become certified under the EU-U.S. Privacy Shield?

    The EU-U.S. Privacy Shield framework may be an interesting tool to permit international transfers of personal data without any other permissions or contracts.
    UPDATE: The Privacy Shield framework remains in place and we can still apply to be certified, but on 16 July 2020, the EU Court of Justice decided that it could no longer be used to authorise transfers of personal data from the EU/EEA/UK to the USA, and other mechanisms need to be used.