This document should be as transparent and clear as possible for the recipients.
For this reason, it should be written in plain language and contain specific information. It is also good practice to prepare it in your customers' native language (although this is not a legal requirement), e.g. in Spanish if the content of your website is written in Spanish and directed to Spanish customers in the UK.
The minimum information you need to provide to your customers in this document is:
- who the controller of personal data is and their contact details (usually the owner of the website, which should be listed by company name and address);
- contact details of the Data Protection Officer / EU Representative / UK Representative, if one has been appointed;
- the purposes of personal data processing and the legal basis for that processing (the legal bases are set out in Article 6 of the GDPR); this means specifying the purposes of your processing and the legal basis you rely on, not rewriting the content of Article 6;
- if the processing is based on the legitimate interest of the controller, an indication of what that interest is;
- information on recipients of personal data or categories of recipients, if any;
- information on whether the data will be transferred to third countries or international organisations;
- the period of personal data processing, i.e. the retention time (specified separately for each processing purpose and limited to the minimum time the controller needs to achieve that purpose);
- data subjects' rights: information on the right to request access to personal data, rectification, deletion or restriction of processing, the right to object to the processing, and the right to data portability (the right to have data transferred);
- if you process data on the basis of consent, information about the right to withdraw consent at any time without affecting the lawfulness of processing carried out before its withdrawal;
- the right to lodge a complaint with the supervisory authority;
- whether providing personal data is a statutory or contractual requirement, or a condition for concluding a contract, whether the person is obliged to provide the data, and the possible consequences of not providing it;
- the existence of automated decision-making, including profiling.
Remember, however, that although this document is very important, it does not replace your company's internal documentation, which lists the key principles under which you protect personal data and which is what will be examined in the event of an inspection.
Even after publishing your "Privacy Notice" on the website, you should still post brief information about your company's UK GDPR rules beneath any contact form and on your company's social media profiles.
It is your responsibility to inform anyone who entrusts you with their personal data about the rules of data processing in your company, within a maximum of 30 days from the moment you receive the data.
This can help to build trust with your customers and show that you take data protection seriously.