How to create a Privacy Notice?

Attached to this article are two templates for creating a Privacy Notice:

Privacy_Notice_Template_SMB.docx: adapt to your organisation; specifically formulated for the small to medium-sized business.
Privacy_Notice_full.docx: same as above, but the 'full Monty'.

Why is a Privacy Notice Necessary?


A Privacy Notice is often confused with a Privacy Policy. A Privacy Policy is a document reflecting the internal policy on privacy and data protection of an organization, whereas a Privacy Notice is an external-facing document conveying information to the public about the organization’s policy on data protection with regard to the processing of personal data of customers, website visitors, app users etc. Regardless of this distinction, one will often stumble upon websites that display a Privacy Policy as the external-facing document. This is not a grave error, seeing as it has become widely known that Privacy Policies contain relevant data protection information.
With that being said, it is not the name of this document that matters so much as its content. Relevant data protection legislation, such as the General Data Protection Regulation (GDPR), prescribes a set of information that must be provided to data subjects in a Privacy Notice. The list of information to be provided to data subjects according to the GDPR is a relatively long one, and it is necessary, among other things, that the content be relevant, concise, and written in clear and plain language.

Moreover, a Privacy Notice does not only inform the data subjects about what data you need and why, but also what rights they have and can exercise when it comes to the processing you do. This guide will help you understand what you must include in your Privacy Notice and the best ways of doing that. 
Privacy Notice templates in both English and Swedish are attached as FREE downloads to this article.

WHERE PERSONAL DATA HAVE BEEN OBTAINED FROM THE DATA SUBJECT


Introduce yourself and be approachable

A good Privacy Notice will always include the identity and contact details of the controller of personal data. A good Notice will also include the relevant contact information (e.g. email address) in every relevant part of the Notice, so as to make it easier for the data subjects to get in touch with the controller. It is vital that your customers know how to reach you should they have questions, complaints or comments.

This is emphasized in the GDPR as well: you must provide the individual with contact details for your Data Protection Officer (if applicable) or for someone who is tasked with dealing with Subject Access Requests, i.e. requests for access to data as well as the exercise of other rights of the data subject. It is vital to maintain a healthy rapport with your customers, and this will mean transparency on your behalf, as well as approachability. A good rule of thumb is to avoid making available just a physical address of your company – instead be sure to be available and reachable via email or phone, or both.
Be Honest
A Privacy Notice is a list of enforceable promises. That means that it must be honest and complete because it doesn’t matter if your Notice looks good and satisfies criteria on paper, but reality does not reflect it. In this case, your Notice will be found misleading and untrue, which brings about a violation of the principle of lawfulness, fairness and transparency as per Article 5(1)(a) GDPR.
Be Clear
This is not an easy task, but a Privacy Notice must be written in clear and plain language. This means that there will have to be a way to incorporate necessary legal text into a document aimed at the general public. This is a challenging balancing exercise, but it is doable. The most common way to do it is by layering the Privacy Notice, i.e. dividing it into clearly distinguishable sections. Furthermore, in order to fulfil the legal requirement of being clear, concise and written in plain language, it is best if you make available a point-by-point summary of the Notice. A recommended way to do this is to design or use icons that help visualize your Notice in a user-friendly way.
Be Specific
Data subjects have the right to know what you are doing with the personal data you collect. This means that you should include a description of the processing, as well as the legal ground for processing that you have determined to be the best suited to your processing. According to the GDPR, processing is lawful only if it is based on one of the following grounds (not in hierarchical order): (1) the data subject has given consent, (2) processing is necessary for the performance of a contract to which the data subject is party, (3) processing is necessary for compliance with a legal obligation to which the controller is subject, (4) processing is necessary for the performance of a task carried out in the public interest, (5) processing is necessary in order to protect the vital interests of the data subject or of another natural person, (6) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
You must also be specific about storage and retention periods, or the criteria you use to determine retention periods. Try to keep storage periods as short as possible unless you have a legal obligation to retain the data for a certain period of time (e.g. financial and tax information, accounting records, etc.).
Finally, if the processing includes automated decision-making (e.g. extracts from the criminal records register, credit checks, etc.), including profiling, the data subject must be informed of this, including, where possible, a description of the logic involved in the process and the expected consequences of such processing for the data subject.
Be protective
The cornerstone of trust in your organization is the way you treat personal data of your customers. In this sense, it is advised to be protective and ensure that you have assessed and implemented appropriate technical and organizational measures of security. In other words, ensure that you are keeping personal data secure and show it in your Notice: mention if you have earned any ISO certifications, mention if your staff is trained in personal data processing, if you are using pseudonymization or anonymization, or if you are implementing Data Protection by Design and by Default. These are all elements of your security-related information provision.
Be straightforward about the individual’s rights
As a controller, you must facilitate the exercise of the rights of the data subject. This starts with describing the rights in the Notice. This means that you should explain each of the rights that the data subject has in a concise way so as to inform them of their existence. Furthermore, if you are using consent as your legal basis, you need to inform the data subject that they may withdraw consent at any time. This part of the Notice is later completed by having mechanisms in place to act on such requests when they are made, so make sure you put something in place to manage these requests. In addition to explaining the rights of the data subjects, make sure to let them know that they can lodge a complaint with the Supervisory Authority, and preferably provide a link to its website.

Disclose any international transfers


As a controller, you must ensure that the data subject is aware that you intend to transfer, or are transferring, personal data outside the EU/EEA (European Economic Area), where the data are being transferred to, and on what legal grounds.

WHERE PERSONAL DATA HAVE NOT BEEN OBTAINED FROM THE DATA SUBJECT


In the situation where personal data have not been obtained from the data subject, you must include all of the above and, in addition, the source of the personal data and whether it came from publicly accessible sources.