On 17 October 2018, the SDPA published a report in which it analyzed the way owners of websites inform data subjects about the processing of their personal data. Additionally, the SDPA included several recommendations and guidelines which will be of interest to data controllers who process data using websites and similar digital services.
The report generally evidences the efforts of companies to comply with the new information requirements. However, it also uncovers several shortfalls in the drafting of privacy policies that may leave data subjects misinformed. To solve these issues, the SDPA has provided data controllers with the following guidelines and recommendations, among others:
- The purposes of the processing, the recipients of the personal data and the safeguards applied to international data transfers must be indicated to the data subjects. However, the description should not be too long for them to read. If the information is too detailed, there is a risk that the data subjects will not find the desired information or will not even look for it.
- The SDPA recommends addressing this by grouping the purposes and recipients by category.
- If applicable, the data controller must specify what its legitimate interest is for the processing of the personal data. The SDPA also recommends indicating the balance of rights assessed by the data controller to determine that its legitimate interests are not overridden by the rights of the data subjects.
- The SDPA states that reducing the retention period of information on purchases of the data subjects and deleting this data just after the expiry of the statute of limitations of potential claims is a best practice.
- According to the SDPA's criteria, it is advisable to display the information in a double-layer format; the SDPA recommends drafting the second layer as an interactive text that contains a summary of the information and links to more elaborate information.
Although these recommendations were prepared by the SDPA for an online environment and websites, they should also be seen as indicative guidelines for other kinds of privacy policies and informative documents.