The GDPR clearly describes the rules on giving privacy information (articles 12, 13 and 14). So, you can either go look up those articles and skip the next paragraph, or read our summary (I have my fingers firmly crossed you will stay on this page).
Understandable, clear and plain language
You are expected to take ‘appropriate measures’ to make your privacy notice understandable and accessible. Furthermore, information you provide to your website visitors about how you process their personal data must be concise, transparent, intelligible, easily accessible, written in clear and plain language (in particular for any information addressed specifically to a child) and free of charge.
Let’s stop there for a minute. I’m guessing some of you were already thinking about not reading any further. Because let’s be honest about privacy notices: how often have marketing or communications been involved in drafting one in the past? Most of you were probably about to forward this article to your legal department, so that they can take care of it as they always do.
Well, … I still don’t think copywriting falls under a legal expert’s remit. The requirement that the privacy notice be written in clear and plain language (and, in the case of minors, adapted to their age group) in particular calls for marketing & communications to get involved.
So please do continue reading, because frankly, you should seize the opportunity to get your privacy notice onto the bestseller list (preferably not in the ‘horror’ category…). And I promise to write in ‘clear and plain language’ from this point on.
Warmed up to start writing your novel? What should it contain?
Let us focus first on the data you collect directly from the data subject. The information listed below has to be available at the time the data are collected. So, don’t forget to put a link to your privacy notice wherever you ask for data.
When you start (re-)writing your privacy notice, make sure you include at least the following elements:
- Your contact details as data controller and those of your DPO (if your company needs one).
- The purpose of the personal data processing and the legal basis: First, be precise. As we wrote in an earlier article, don’t just put all the data you collect under the umbrella of legitimate interest. Think about what data you ask for and why, and document your procedures in such a way that every consumer dealing with you understands why you ask for these details. Second, if you use consent as a legal basis, don’t forget that it needs to be unambiguous, specific, informed and freely given.
- If you collect certain data as a part of statutory or contractual requirements, you need to explain the possible consequences of not providing such data.
- Where do you transfer data to? Be as precise as possible: either a list of recipients or the categories of recipients. So, get rid of sentences such as ‘We share your data with our partners’.
- If you transfer data outside of the EU or to an international organisation, you need to give details. What do you transfer, to whom and how are you making sure that such data remain secured?
- How long do you plan to keep the data? Or if you can’t be specific yet, what criteria will you use to determine this retention period?
- Repeat all the data subject’s rights under the GDPR and indicate how you make sure that said rights can be exercised.
- Stress the fact that consent can be withdrawn at any time (where relevant).
- Explain that people always have the right to lodge a complaint with the supervisory authority (in Belgium: The Privacy Commission).
- Describe whether, and if so, how you use automated decision making, including profiling.
Third party data
Don’t forget the notion of data you did not obtain directly from the data subject. The above list still applies, but you will need to add at least two elements:
- The category of personal data
- The sources of the personal data and whether they are publicly accessible
Here is the tricky part. When do you need to provide this information? At the latest within one month after you have obtained the data. If you use these data to communicate with the data subject, at the time of the first communication. If you intend to share the data outside your company, inform the data subject before you do so.
This means you can no longer claim that how third-party data were collected (and whether they were collected lawfully) is none of your concern. This aspect has become much more of a shared responsibility.
You should now be able to write your privacy notice. I nonetheless wish to reiterate what I said earlier about not only leaving this up to your legal department.
And for inspirational purposes, The Guardian shows you how you can make your privacy notice easy to read, clear and understandable, and has even gone a step further by posting a video.