Attached to this article are two templates for creating a Privacy Notice.
What to do with the templates?
Template 1: adapt to your organisation; it is specifically formulated for the small to medium-sized business.
Template 2: same as above, but the 'full Monty'.
Why is a Privacy Notice Necessary?
internal policy on privacy and data protection of an organization, whereas a Privacy Notice is an
external-facing document conveying information to the public about the organization’s policy on data
protection with regards to processing of personal data of customers, website visitors, app users etc.
external-facing document. This is not a grave error, seeing as it has become widely known that Privacy
Policies contain relevant data protection information.
With that being said, it is not the name of this document that matters so much as its content. Relevant data
protection legislation, such as the General Data Protection Regulation (GDPR), prescribes a set of information
that must be provided to data subjects in a Privacy Notice. The list of information to be provided to data
subjects according to the GDPR is a relatively long one, and it is necessary, among other things, that the
content be relevant, concise, and written in clear and plain language.
Moreover, a Privacy Notice does not only inform the data subjects about what data you need and why, but
also what rights they have and can exercise when it comes to the processing you do. This guide will help
you understand what you must include in your Privacy Notice and the best ways of doing that.
Privacy Notice templates in both English and Swedish are attached as FREE downloads to this article.
WHERE PERSONAL DATA HAVE BEEN OBTAINED FROM THE DATA SUBJECT
Introduce yourself and be approachable
A good Privacy Notice will always include the identity and contact details of the controller of personal data. A
good Notice will also include the relevant contact information (e.g. email address) in every relevant part of
the Notice, so as to make it easier for the data subjects to get in touch with the controller. It is vital that your
customers know how to reach you should they have questions, complaints or comments.
This is emphasized in the GDPR as well: you must provide the individual with contact details for your Data
Protection Officer (if applicable) or for someone who is tasked with dealing with Subject Access Requests,
i.e. requests for access to data as well as the exercise of the other rights of the data subject. It is vital to maintain a
healthy rapport with your customers, and this means transparency on your part, as well as
approachability. A good rule of thumb is to avoid making available just a physical address of your company –
instead be sure to be available and reachable via email or phone, or both.
A Privacy Notice is a list of enforceable promises. That means that it must be honest and complete, because
it is no use if your Notice looks good and satisfies the criteria on paper while reality does not reflect it. In that
case, your Notice will be found misleading and untrue, which amounts to a violation of the principle of
lawfulness, fairness and transparency under Article 5(1)(a) GDPR.
This is not an easy task, but a Privacy Notice must be written in clear and plain language. This means that
there has to be a way to incorporate the necessary legal text into a document aimed at the general public.
This is a challenging balancing exercise, but it is doable.
This is most commonly done by layering the Privacy Notice, i.e. dividing it into clearly distinguishable
sections. Furthermore, in order to fulfil the legal requirement of being clear and concise and writing in plain
language, it is best if you make available a summary of the Notice, point by point. A recommended way to
do this is to design or use icons that help visualize your Notice in a user-friendly way.
Data subjects have the right to know what you are doing with the personal data you collect. This means that
you should include a description of the processing, as well as the legal ground for processing that you have
determined to be best suited to your processing. According to the GDPR, processing is lawful only if it is
based on one of the following grounds (not in hierarchical order):
(1) the data subject has given consent,
(2) processing is necessary for the performance of a contract to which the data subject is party,
(3) processing is necessary for compliance with a legal obligation to which the controller is subject,
(4) processing is necessary for the performance of a task carried out in the public interest,
(5) processing is necessary in order to protect the vital interests of the data subject or of another natural person,
(6) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a
You must also be specific about storage and retention periods, or the criteria you use to determine retention periods. Try to keep storage periods as short as possible unless you have a legal obligation to retain the data for a certain period of time (e.g. financial and tax information, accounting records, etc.).
Finally, if the processing includes automated decision-making (e.g. extracts from the criminal records register, credit checks, etc.), including profiling, the data subject must be informed of this, including, where possible, a description of the logic involved in the process and the expected consequences of such processing for the data subject.
The cornerstone of trust in your organization is the way you treat the personal data of your customers. In this
sense, it is advisable to be protective and to ensure that you have assessed and implemented appropriate
technical and organizational security measures. In other words, ensure that you are keeping personal
data secure and show it in your Notice: mention if you have earned any ISO certifications, mention if your
staff are trained in personal data processing, if you are using pseudonymization or anonymization, or if you
are implementing Data Protection by Design and by Default. These are all elements of your security-related
Be straightforward about the individual’s rights
As a controller, you must facilitate the exercise of the rights of the data subject. This starts with describing
the rights in the Notice. This means that you should explain each of the rights that the data subject has in a
concise way so as to inform them of their existence. Furthermore, if you are using consent as your legal
basis, you need to inform the data subject that they may withdraw consent at any time.
This part of the Notice is backed up by having mechanisms in place to act on these rights when requested, so
make sure you have a process for managing such requests. In addition to explaining the rights of the data
subjects, make sure to let them know that they can lodge a complaint with the Supervisory Authority, and
preferably provide a link to its website.
Disclose any international transfers
As a controller, you must ensure that the data subject is aware whether you intend to transfer, or are transferring, personal
data outside the EU/EEA (European Economic Area), to where you are transferring it, and on what legal grounds.
WHERE PERSONAL DATA HAVE NOT BEEN OBTAINED FROM THE DATA SUBJECT
In the situation where personal data have not been obtained from the data subject, you have to make sure to
include all of the above as well as the source of the personal data, and whether it came from publicly accessible