The first principle of data protection in the GDPR states that personal information must be processed lawfully, fairly and in a transparent manner. For the processing to be fair, the Controller (the organisation that determines the purposes and means of processing the data) must communicate certain information to the individual whose data is being collected, such as:
• the identity and contact details of the Controller;
• the purpose, or purposes, for which the information is being collected;
• any further information that is necessary for the processing to be fair.
This applies whether the personal information was acquired directly from the individuals, or indirectly via a third party.
The GDPR also states that the information provided to people about how the organisation processes their personal data must be:
• concise, transparent, intelligible and easily accessible
• written in clear and plain language, particularly if addressed to a child
• provided free of charge
The Privacy Notice (PN) delivered to the individual is the vehicle for this communication and is an important element of “fair” processing, describing who the organisation is and what is being done with the data. However, providing a PN does not by itself mean that the processing is fair. The organisation must also consider the effect on the individuals concerned of collecting, holding and processing their personal data.
Fairness must, therefore, also include:
• using information in a way that individuals would reasonably expect
• considering the impact of the processing and if it will have any unjustified negative effects on them
• being transparent and ensuring that people know how their information will be used
These considerations must be borne in mind when implementing a PN for a new process or reviewing any existing PNs. Communicating privacy information or making it available using the most appropriate mechanisms is key to this. The way in which the PN is delivered will depend on the way in which the data is collected, from a paper form to an email or online privacy settings.
There may be a requirement to design a number of PNs for the organisation, for example different ones for employees, suppliers and customers. Separate PNs may also be needed for distinct processing activities, for example for different products. If the organisation has subsidiaries, then separate PNs will probably be required for these as well.
It is the policy of LR Legal Recruitment to fully comply with the GDPR, and other applicable legislation, in relation to the use of PNs to inform individuals of the use of their personal information, and of their rights.
Collecting Personal Data
Personal data acquired to manage the business operation can be obtained either directly from the individuals or indirectly, for example from an agency selling prospect lists or from social media data. In both cases, we will deploy a PN. The organisation must be certain that all individuals have been given the required information and, where a PN is not provided, must document the justification for this.
Personal data can be collected directly, for example in the following circumstances where an individual person can be identified:
• Through a telephone call
• Via an online form
• Through a paper form
• From an email
• Using a visitor registration book
• Utilising an individual’s mobile phone location data
• From a loyalty card
• From social media
In these cases, the PN will be provided at the point of collection.
Where personal data is not acquired directly from the individual, there are some additional circumstances in which the PN information does not have to be provided, such as:
• If it is impossible to provide the information, or it would require disproportionate effort
• If it is covered by other applicable laws that protect the interests of the individual
• Where the data is legally confidential
Again, and as above, the justification for not deploying a PN will be documented.
Where personal information is collected from a third party, the privacy information (PN) will be delivered to the individuals:
• within a reasonable time after acquiring it, and at the latest within one month;
• if the data is to be used to communicate with the individual, at the latest when the first communication takes place;
• if disclosure to another recipient is envisaged, at the latest when the data is first disclosed.
The Privacy Notice
The table below summarises the information that we will provide, within the timeframes stipulated, for data collected directly and indirectly. It will be fine-tuned according to the nature of the personal data processing activities. In all cases, we will ensure that the PN:
• uses clear, straightforward language
• has a simple style and language that individuals find easy to understand, in particular vulnerable groups such as children
• avoids complex terminology and legal terms
• does not assume that all citizens share the same level of understanding of the service as the business
In order to define exactly what specific information LR Legal Recruitment requires to communicate for a specific processing purpose, we carry out a data mapping exercise. This identifies:
• what information is held that constitutes personal data
• what we do with the personal information we collect, hold and process
• what data are required to carry out these processes
• whether we are collecting the information we need
• whether we are creating data about individuals, for example by building profiles of their behaviour and habits
• whether we are transferring data to third countries for which the European Commission has not issued an adequacy decision, so that additional safeguards are needed
• whether it is likely that other things will be done with the data in future, so that we can anticipate requirements that can be built into the PN
If there is doubt, we will take an approach that gives more, rather than less, information on the PN than may appear to be required. This ensures a fair and transparent approach that maximises trust and minimises the risks associated with non-compliance.
Communicating the Privacy Notice
The PN will be delivered in any one of a number of ways to provide the privacy information required, depending on the way in which the data is collected. For example:
• Verbally – face to face or on the telephone (in which case the delivery of the PN should also be documented)
• In writing – letters, application forms, advertisements
• Electronically - text messages, emails, interactive forms on websites, mobile apps
• Through signs - for example, a public information poster relating to CCTV monitoring
We follow best practice and use the same medium to deliver the PN as is used to collect the personal data. For example, when information is collected through a website form, the PN (or a clearly visible link to it) will be presented on that form, so that the two activities are combined.
LR Legal Recruitment considers the use of just-in-time PNs. These give a brief message, displayed on screen at the point at which the individual is entering personal information, explaining how the information being entered will be used.
Where we are constrained by the space on our website, email or paper form, we may find it appropriate to take a multi-layered approach. In this scenario, the key privacy information is delivered in a short PN, with links to the full version. The information that appears first in a PN usually relates to the identity of the organisation, what data is being collected and for what purpose.
LR Legal Recruitment also designs PNs in accordance with the medium used by the individual. In the case of mobile phones and tablets, the PN will still be clear and readable and will fit on the screen. We will use responsive web design to achieve this aim by adapting the layout of the information on the screen to the device used. A layered approach, with privacy information headings that link to greater detail, will also be considered in such cases.
Where we share data with a Joint Controller, we will ensure that contractual agreements are in place so that each party is aware of its obligations around delivering privacy information to the individuals whose data are shared, in accordance with the GDPR.
Updating Privacy Notices
LR Legal Recruitment regularly reviews its PNs to ensure that they reflect new and modified processing activities, as well as changes in legislation. PNs are updated following these reviews.
If the nature of the processing changes and this change was not covered in the original PN, we will contact the individuals in question before the new processing begins, actively seek their consent where required, and update the PN. An example would be where we have assured individuals that we will not share their information with a third party but now wish to do so.
In particular, where personal data is already processed for individuals who did not receive privacy information when the data was collected, we will provide the PN retrospectively.