The General Data Protection Regulation (GDPR), which takes effect on 25 May 2018, requires organisations to give individuals certain information about how their personal data is collected and used. This can be done via a privacy notice.

Who should get a privacy notice?

Under GDPR, privacy notices should be issued to:

  • Employees, workers and contractors;
  • Job applicants;
  • Volunteers and interns.

Organisations will usually use at least two separate kinds of privacy notice – a ‘worker privacy notice’ and a ‘recruitment privacy notice’.

When should a privacy notice be issued?

A privacy notice should be issued at the time data is collected. This means that:

  • A ‘recruitment privacy notice’ should be issued at the start of the recruitment exercise; and
  • A ‘worker privacy notice’ should be given to employees, workers and contractors at the start of the engagement.

What should a privacy notice say?

A privacy notice explains how individuals’ personal data is collected and used and sets out their rights in relation to that data. It must be:

  • Tailored to the business, reflecting the data processed, and the reasons and legal bases for processing each type of data;
  • Concise, transparent, easily accessible and in plain language.

To comply with GDPR, privacy notices must include certain information:

  • The identity of the organisation and contact details
  • Details of the data protection officer (if there is one)
  • The types of information processed
  • The source of the data (if it doesn’t come from the worker)
  • The legal basis and reasoning for processing each type of data
  • The recipients, or categories of recipients, of the data
  • Any ‘legitimate interests’ relied on as a basis for processing
  • If personal data could be transferred outside the EU or to an international organisation, certain information about that
  • The retention period for the data
  • The rights of the individual whose data is being processed in relation to access; rectification; erasure; restriction of / objection to processing; data portability; withdrawing consent (if relevant); complaining to the Information Commissioner
  • Whether information is required by statute or contract
  • Information around automated decision-making (if used)