GDPR: Privacy Policies, Documentation and the Data you collect.

As we mentioned in the last article, documentation is core to your compliance with GDPR.

What you need to document depends on whether you have fewer than 250 employees:

  • If you have 250 or more employees, you must document all your processing activities.
  • There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that:
    • are not occasional; or
    • could result in a risk to the rights and freedoms of individuals; or
    • involve the processing of special categories of data or criminal conviction and offence data.

So businesses of every size have an obligation to document at least some of their data processing activities: almost any organisation carries out activities on a regular basis (i.e. not occasional), and an estate agent routinely holds identity, financial and contact data about clients, tenants and applicants.

The ICO has published useful guidance on documentation, which can be found on the ICO website.

It includes templates that will help you to document your processing activities. Your internal record of processing activities will form the basis of your privacy policy/notice; you cannot write the notice properly until you have a clear understanding of what data you hold, why you hold it, how you use it and how long you retain it.


Privacy policies and notices

  • Privacy policies cannot be generic – they must be specific to the organisation and how they collect, store and process personal data.

A privacy policy must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

Among the information your privacy notice must contain (Articles 13 and 14 of the GDPR set out the full list) is the following:

  • The identity and contact details of your organisation and, if you have appointed one, of your Data Protection Officer.
  • The purposes of the processing, the recipients (or categories of recipients) of the personal data, and how long you will retain it or the criteria used to decide the retention period.
  • The lawful basis for the processing – one or more of the bases laid out in Article 6(1) of the GDPR.
  • If applicable, the legitimate interests for the processing – these are the interests pursued by your organisation or a third party if you are relying on the lawful basis for processing under Article 6(1)(f) of the GDPR. You could also include a link to the record of your assessment of whether legitimate interests apply to the particular processing purpose.
  • The rights available to individuals regarding the processing – e.g. access, rectification, erasure, restriction, data portability and objection. The rights vary depending on the lawful basis for processing, and your notice should reflect these differences.
  • If applicable, the existence of automated decision-making, including profiling. In certain circumstances you will need to tell people about the logic involved and the envisaged consequences for them.
  • If applicable, the source of the personal data. This is relevant when you did not obtain the personal data directly from the individual.

There are a number of resources for privacy policies – SEQ Legal has a number of templates which can be tailored and have guidance notes to help you complete them.

Other Documentation

You are required to maintain comprehensive documentation of your processing activities – this obligation is set out in Article 30 of the GDPR and explained on the ICO website.
