 | Privacy Notice / Privacy statement / Privacy Policy (rarely) | Privacy Policy / Data Protection Policy |
---|---|---|
Type | Notice | Policy / Statement |
Glossary of Privacy Terms by IAPP | A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. The General Data Protection Regulation requires a controller to provide a privacy notice prior to processing and to specify in the privacy notice the legal basis for the processing, in addition to other details, such as the contact information for the organization's Data Protection Officer. When relying on the legitimate interest ground, the controller must describe the legitimate interests pursued. | An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy. |
Requirements | GDPR art.13 and 14 | GDPR art.24, ISO 27701 (5.3.2) |
Audience | Usually External (Customers) | Internal (Employees) + External (Suppliers and Customers) |
Content | Required: | Recommended:<br>Other specific internal requirements and procedures should be described in the Data Protection Framework and other internal documents |
Other | It is recommended to add links to the Information Security Policy and the Data Protection Policy | - |