Privacy Notices Checklist Under the GDPR
This article sets out a general checklist for implementing and complying with the General Data Protection Regulation (GDPR). Under the GDPR, personal data is considered to be collected from the data subject where:
- A data subject consciously provides personal data to a controller (e.g., when completing an online form), or
- A controller collects personal data from a data subject by observation (e.g., using automated data-capturing software or devices such as network equipment, Wi-Fi tracking, or other types of sensors)
General Checklist for Privacy Notices Under GDPR
- Provide the identity and contact details of the controller and their appointed representative (if any).
- Provide the contact details of the Data Protection Officer (where one has been appointed).
- Identify the purpose and legal basis for the processing.
- Where legitimate interests will be the legal basis for the processing of the personal data, provide details of those legitimate interests.
- Identify any recipients (or categories of recipients) with whom the personal data will be shared.
- Where personal data will be transferred to a third country outside the European Economic Area (EEA) or to an “international organization” (as defined in the GDPR):
  - Inform data subjects that personal data will be transferred in this way
  - Provide an explicit list of all third countries to which the data will be transferred
  - State the existence or absence of a Commission adequacy decision
  - Provide details of the appropriate or suitable safeguards for the transfers, and explain how a data subject may obtain a copy of those safeguards
- Confirm the storage period
- Explain the rights of the data subject, including:
  - How to object to the processing of personal data
  - Data portability
  - How to withdraw consent
  - How to lodge a complaint
This article’s checklist sets out a non-exhaustive list of the information that companies are required to include in their privacy notices under the GDPR. Further related articles include i) a checklist covering the cases where personal data is, and is not, collected from the data subject; and ii) a checklist on the circumstances in which information is required to be given, with or without personal data being collected.