|Author: ||Alasdair Taylor |
|Updated: ||4 January 2021 |
|Length: ||7 pages |
|Notes: ||10 pages |
|Format: ||MS Word (.DOCX) |
Both the EU and UK GDPRs require that businesses and other data controllers provide information to data subjects (i.e. individuals) about the personal data that they collect and process. This template data protection notice, prepared with reference to both the statutory rules and the regulatory guidance from the EU and UK authorities, has been drafted to assist with these disclosure obligations
This data protection notice It comes in three versions, covering:
- individual customers and the personnel of corporate customers;
- freelance personnel; and
- the personnel of suppliers and services providers.
The data protection notice lays out the different types of personal data that could be processed, and the legal bases of that proceeding. For example, processing may be based on consent, the performance of a contract, or legitimate interests. In this last case, the specific interests should be identified in the notice.
The persons to whom the data is disclosed should also be identified in the data protection notice, as should details of international transfers (outside the EEA/UK).
If data is collected from some person other than the data subject, then the method of data collection should be described in the data protection notice. In this case, the data controller must provide the notice to the data subject "within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed" (Article 14(3), GDPR).
With reference to the "suppliers" version of this notice, relatively few businesses produce data protection information notices for supplier personnel. Nonetheless, businesses often act as data controllers with respect to the personal data of such personnel.