Data Protection Summer Dive - Transparency & Privacy Policy - common mistakes

Each week in July and August, we focus on a different topic that has been scrutinized by the Belgian Data Protection Authority. With a few simple tips, your summer cocktail of data protection news will be complete.

As the summer is coming to its end, we hope our tips & tricks have been useful and we are of course always willing to further discuss some of these topics with you.

Our final topic: Transparency & Privacy Policy - common mistakes

When drafting a privacy policy or privacy statement, there is one golden rule: describe what you actually do. Transparency is key!

Nevertheless, in practice, we see that this golden rule is often not fully respected. This has not escaped the attention of the Belgian Data Protection Authority, which has imposed various sanctions on companies for failure to comply with the transparency requirements.

Below you can find an overview of “common mistakes”, together with some do’s & don’ts.

1.    No correspondence with reality.

The privacy policy should always reflect the actual data processing operations. In practice, however, the processing operations described in the privacy policy are often incomplete or incorrect and do not fully correspond to reality.

Don’t: use standardized templates or use the same privacy policy for all group entities without further review.
Do: map your data flows in your internal processing record and draft a tailor-made privacy policy based on this mapping exercise.

2.    Forgetting about ‘further processing’ of personal data or other changes in your data flows.

Data collected for one purpose may become interesting to process for a new purpose other than that for which the data were initially collected. The data subject must be informed thereof prior to such further processing.

Don’t: consider having a privacy policy as something that you can cross off your ‘to-do list’ once and never have to look at again.
Do: regularly update your data flows in the internal processing record, adjust your privacy policy accordingly, and actively notify data subjects of such changes prior to implementing them.

3.    Not informing data subjects whose data you have obtained from a third party.

When you process personal data that you have not obtained directly from the data subject, but e.g. through a business partner, you should inform the data subject thereof in a timely manner (limited exceptions exist).

Don’t: assume that the third party from whom you received the data has lawfully collected the data and/or informed the data subject of the disclosure of their personal data to you.
Do: actively review the privacy policy of this third party and verify whether you still have an information obligation, or fall under one of the exemptions of art. 14.5 GDPR.

4.    Not specifying which legitimate interests you rely on.

If you rely on legitimate interests for processing personal data, you must specify such legitimate interests in accordance with article 13.1.d) GDPR.

Don’t: state, for example, in vague terms that the processing is based on your legitimate business interests.
Do: state, for example, that the processing is based on your legitimate interests as a company to promote your products or services towards existing clients for business development purposes.

5.    Not mentioning how changes to the privacy policy will be communicated.

Don’t: merely state that the privacy policy may be subject to changes from time to time.
Do: include how you will bring changes to the privacy policy to the attention of data subjects (e.g. per e-mail or through a pop-up screen when visiting the website).

Do these common mistakes set alarm bells ringing? Want to have your privacy policy fully and thoroughly reviewed? Don’t hesitate to reach out!