Privacy Notice vs Privacy Policy

Comparison table, reconstructed row by row. The two columns are:
  Privacy Notice (also called privacy statement or, rarely, privacy policy)
  Privacy Policy (also called data protection policy)

Type
  Privacy Notice: Notice
  Privacy Policy: Policy / Statement

Glossary of Privacy Terms by IAPP
  Privacy Notice: A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. The General Data Protection Regulation requires a controller to provide a privacy notice prior to processing and to specify in the privacy notice the legal basis for the processing, in addition to other details, such as the contact information for the organization's Data Protection Officer. When relying on the legitimate interest ground, the controller must describe the legitimate interests pursued.
  Privacy Policy: An internal statement that governs an organization's or entity's handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.

Requirements
  Privacy Notice: GDPR art. 13 and 14
  Privacy Policy: GDPR art. 24; ISO 27701 (5.3.2); ISO 27001 (5.2)

Audience
  Privacy Notice: Usually external (customers)
  Privacy Policy: Internal (employees) + external (suppliers and customers)

Content
  Privacy Notice, required:
    1. The identity and the contact details of the controller
    2. The contact details of the DPO
    3. The purposes and legal basis + information on legitimate interest (if applicable)
    4. The categories of personal data concerned
    5. The recipients or categories of recipients
    6. Information on transfer to a recipient in a third country
    7. The period for which the personal data will be stored
    8. Rights of the data subject + the right to withdraw consent at any time
    9. The right to lodge a complaint with a supervisory authority
    10. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data
    11. Information on the source of origin of personal data
    12. Information on automated decision-making, including profiling
  Privacy Policy, recommended:
    1. Management statement on compliance
    2. A list of legal requirements
    3. Principles relating to processing of personal data
    4. Rights of the data subject
    5. Leadership and commitment
    6. Continual improvement
    7. A short description of security measures
    8. The contact details of the DPO
  Other specific internal requirements and procedures should be described in the Data Protection Framework and other internal documents.

Other
  Privacy Notice: It is recommended to add links to the Information Security Policy and the Data Protection Policy.
  Privacy Policy: -