On 17 October 2018, the SDPA published a report in which it analyzed the way owners of websites inform data subjects about the processing of their personal data. Additionally, the SDPA included several recommendations and guidelines which will be of interest to data controllers who process data using websites and similar digital services.

The report generally reflects the efforts companies have made to comply with the new information requirements. However, it also uncovers several shortfalls in the drafting of privacy policies that may leave data subjects misinformed. To address these issues, the SDPA has provided data controllers with the following guidelines and recommendations, among others:

  • The information on the identity and contact details of the data controller and, if applicable, its data protection officer (DPO) should be placed in the first part of the privacy policy. That way, data subjects may find it as soon as they access the policy.
  • The purposes of the processing, the recipients of the personal data and the safeguards applied to international data transfers must be indicated to the data subjects. However, the description should not be so long that data subjects will not read it. If the information is too detailed, there is a risk that data subjects will not find the information they want, or will not even look for it.
    • The SDPA recommends addressing this by grouping the purposes and recipients by category.
    • Safeguards do not need to be described, but the privacy policy must describe how to get a copy of them.
  • The legal basis of processing must be correctly described and should be displayed in relation to the relevant purposes or just after them in the privacy policy.
  • If applicable, the data controller must specify what its legitimate interest is for the processing of the personal data. The SDPA also recommends indicating the balance of rights assessed by the data controller to determine that its legitimate interests are not overridden by the rights of the data subjects.
  • The SDPA states that reducing the retention period of information on data subjects' purchases, and deleting this data as soon as the limitation period for potential claims expires, is a best practice.
  • According to the SDPA's criteria, it is advisable to display the information in a two-layer format; the SDPA recommends drafting the second layer as an interactive text that contains a summary of the information and links to more detailed information.

Although these recommendations were prepared by the SDPA for an online environment and websites, they should also be seen as indicative guidelines for other kinds of privacy policies and informative documents.