In the previous chapter, we outlined the 10 essential areas of a comprehensive privacy policy that upholds Privacy by Design principles. As your organisation considers expanding its services to customers in the European Union (EU), it is crucial to adapt your privacy policy to comply with the General Data Protection Regulation (GDPR).
In this chapter, we will explain when the GDPR applies and discuss the specific requirements of GDPR Article 13, which sets out the information to be provided where personal data are collected directly from the data subject.
We will continue using the fictional company "FituraLife" as an example, as they decide to expand their services to customers in the EU.
When does the GDPR apply?
The GDPR applies to organisations established in the EU, regardless of where the processing takes place, and to organisations established outside the EU that process personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
Given FituraLife's plan to expand its customer base to the EU, it must comply with the GDPR's requirements.
Requirements of the GDPR
Article 13 of the GDPR outlines the information that organisations must provide to individuals when collecting their personal data. In contrast, Article 14 requires organisations to provide similar information when they obtain personal data from sources other than the individual, such as third parties or publicly accessible sources.
We will use the scenario of FituraLife expanding to the EU to provide examples of how the company can adapt its privacy policy to meet these requirements set by Article 13.
Identity and contact details of the organisation and, where applicable, its representative
FituraLife should state its identity and contact details in its privacy policy and, if it is required to appoint an EU representative under Article 27 (as an organisation established outside the EU that processes health data on an ongoing basis), the contact details of that representative.
Example
FituraLife, Inc., located at 123 Main St., San Francisco, CA 94103, USA, is the data controller responsible for processing your personal data. Our EU representative can be reached at contact-eu@fituralife.com.
Contact details of the data protection officer
If FituraLife appoints a data protection officer (DPO), it must provide their contact details in the privacy policy.
Example
Our Data Protection Officer can be contacted at dpo@fituralife.com.
Purposes and legal basis for processing personal data
FituraLife should state the purposes and legal basis for each type of personal data processing.
Example
We process your personal data for the following purposes and based on the following legal grounds:
Personalising fitness programs and meal plans (legal basis: contract performance)
Sending newsletters (legal basis: consent)
Processing payments (legal basis: contract performance)
Legitimate interests pursued by the organisation
If FituraLife relies on legitimate interests[1] as a legal basis for processing, it must describe these interests.
Example
We process your personal data for marketing purposes based on our legitimate interest in promoting our products and services.
Recipients or categories of recipients of personal data
FituraLife should disclose the recipients or categories of recipients of personal data in its privacy policy.
Example
We share your personal data with payment processors, nutrition experts, and partner gyms.
International data transfers
If FituraLife transfers personal data outside the EU, it must say so and state whether or not an adequacy decision[2] covers the destination; where none does, it must reference the appropriate safeguards relied on (for example, standard contractual clauses) and explain how to obtain a copy of them or where they have been made available.
Example
We transfer your personal data to our US-based servers under the standard contractual clauses approved by the European Commission, in lieu of an adequacy decision. You can obtain a copy of these clauses by contacting us at privacy@fituralife.com.
Data retention period or criteria
FituraLife should state the retention period or criteria for each type of personal data.
Example
We retain your personal data for the duration of your subscription plus an additional 12 months for record-keeping purposes.
Data subjects' rights
FituraLife must inform users about their rights under the GDPR, including access, rectification, erasure, restriction of processing, objection to processing, and data portability.
Example
You have the right to access, rectify and erase your personal data, to restrict or object to its processing, and to receive it in a portable format. To exercise these rights, you can contact us at privacy@fituralife.com.
Right to withdraw consent
If processing is based on consent, FituraLife must mention the individual's right to withdraw consent at any time.
Example
You have the right to withdraw your consent to receive our newsletters at any time by clicking the "unsubscribe" link in the email or by contacting us at privacy@fituralife.com.
Right to lodge a complaint with a supervisory authority
FituraLife should inform users about their right to lodge a complaint with a supervisory authority.
Example
You have the right to lodge a complaint with a data protection authority, in particular in the EU member state where you live or work or where the alleged violation took place, if you believe that our processing of your personal data violates the GDPR.
Statutory, contractual, or pre-contractual requirements to provide personal data
FituraLife must clarify whether providing personal data is a statutory or contractual requirement, or necessary to enter into a contract, whether the individual is obliged to provide the data, and the possible consequences of not providing it.
Example
Providing your personal data is necessary for us to create your personalised fitness program and process your payments. If you choose not to provide your personal data, we may be unable to offer our services to you.
Automated decision-making and profiling
If FituraLife engages in automated decision-making or profiling, it must provide meaningful information about the logic involved and the consequences for the individual.
Example
We use automated decision-making and profiling to tailor fitness programs based on your health information and preferences. This helps us provide more effective and personalised services but does not have legal or similarly significant effects on you.
Further processing for a different purpose
If FituraLife intends to further process personal data for a different purpose, it must provide information on that other purpose and any relevant further information.
Example
If we decide to use your personal data for research purposes, we will inform you about the new purpose before doing so and obtain your consent where required.
By understanding and adhering to the GDPR's notice requirements, FituraLife can ensure that its privacy policy complies with EU data protection regulations, thereby fostering trust and transparency with its European customers. In the next chapter, we will explore the California Consumer Privacy Act (CCPA) and how to adapt your privacy policy for compliance with this important US-based regulation.
[1] The ICO (the UK data regulator) provides a three-part test for assessing whether reliance on legitimate interests is appropriate: whether a legitimate interest is being pursued (purpose test), whether the processing is necessary to achieve it (necessity test), and whether that interest is overridden by the individual's interests, rights and freedoms (balancing test).
[2] The European Commission publishes a list of all adequacy decisions in force. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom (under the GDPR and the LED), and Uruguay as providing adequate protection.