that doesn’t mean your business should be standing still when it comes to
updates earlier this year, we have now updated our website privacy policies
and “offline” privacy notice again, building on best practice that has
become established since 25 May.
Keeping Data Subjects Even More Informed!
One of the key requirements of UK data protection legislation, now
comprising both the GDPR and the Data Protection Act 2018, is the so-called
‘privacy information’ or privacy notice.
We have now made it easier for you to provide clear and precise details in
a number of areas:
The section on data subjects’ rights now includes a specific reference to
the right to withdraw consent. This will not always apply as your chosen
lawful basis for data processing (see below) may not be ‘consent’.
Furthermore, the right to withdraw consent is not listed alongside the
other rights included in this section in the GDPR. Nevertheless, we
consider this to be an important update that leaves no doubt about the full
panoply of rights available to data subjects while also making it clear
that it only applies in certain circumstances.
Second is the section headed “What Data Do You Collect and How?” which now
takes the form of a table listing the data collected on one side and the
method of collection and/or source on the other. Where data comes from a
third party, your privacy information should specify the type of
organisation and/or sector, and whether that source is private or public.
It may also be helpful to indicate whether the source is inside or outside
the EEA. Finally, while you do not have to name names, in the interests of
transparency, it may also be desirable to provide specific details of each
Next comes the “How Do You Use My Personal Data?” section. This has again
been enhanced with the addition of a table designed to be easy for you to
fill in and for data subjects to understand. Across the table’s three
columns, you should state what you do, what data you use to do it, and –
most importantly – your lawful basis for doing so. Under UK data protection
legislation, you must have a ‘lawful basis’ for using personal data. You
may, for example, need to use the personal data in question to perform a
contract with the data subject; you may have the data subjects’ express
consent to use their personal data; or it may be in your ‘legitimate
interests’ to use it. It is important that you choose your lawful basis
carefully. Consent may seem like the easiest and safest option, but it can
often be the least desirable choice and the hardest to rely on. ‘Legitimate
interests’ is a broad and somewhat flexible basis, but if you choose to
rely on it, you should state what your legitimate interest actually is in
your privacy information.
A further important point to note where your use of personal data is
concerned is the use of automated decision-making and profiling.
Restrictions apply to such types of personal data processing, and data
subjects have certain rights with respect to them. These restrictions and
rights, however, only apply where the decision resulting from such
processing has ‘a legal or similarly significant effect’. In such cases,
not only do the rights and restrictions apply, but you must also provide
‘meaningful information about the logic involved’ as well as the
significance and envisaged consequences for the individuals concerned.
Another table has been added to the document under “How Long Will You Keep
My Personal Data?” Again, this has been designed to make this document
easier for you to use, and for data subjects to understand.
Under the heading of “Do You Share My Personal Data?” we have added – yes,
you guessed it – another table. When sharing personal data with other
parties, there are certain minimum details you should provide to data
subjects such as the category of recipient, the activity or activities
carried out using the personal data, and where that third party is located
(i.e. inside or outside of the EEA). It is also desirable, where possible
and practical (although not all third parties will be happy with their
identity being shared for commercial reasons), to provide the name and
contact details of third-party recipients. In addition, it is important to
state whether the third party in question will be receiving data in the
capacity of a data controller or a data processor, and to provide details
of their business sector.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific