GDPR (11) What is a privacy statement and what should it contain?

23 October 2017

In the previous instalments of this blog we took a detailed look at the records of data processing operations. You need to keep records of the personal data that are processed by your organisation, the purpose for which these data are processed and the legal basis for these processing operations. Every organisation will be required to keep such records with effect from 25 May 2018. These records can prove very useful in many other ways. They form the perfect starting point for performing a risk assessment and for producing an overview of your organisation’s data protection measures and internal procedures. We will consider this in more detail in future instalments of this blog. In addition, well-kept records provide you with the input you need in order to inform data subjects about the processing of their data, which is the topic of this instalment.

The GDPR requires that you give transparent information to all data subjects, in other words every person whose data you use. Data subjects have the right to be aware of the processing operations in which their data are used. The text in which an organisation publishes this information is known as a privacy statement.

The GDPR lays down rules on the information that must be supplied to the data subject. Each of these items must be covered in the privacy statement.

  • The data controller must identify itself by supplying the official name of the company or organisation in question and the full address of its registered office. If the organisation has appointed a Data Protection Officer (DPO), the privacy statement must also provide information on how to contact this person. An address, telephone number or e-mail address where the DPO can be reached must be provided as a minimum, but it is not necessary to provide his or her name. Organisations that do not have a DPO must refer to a contact point.
  • The most important part of the statement is the list of the personal data processing operations carried on by your organisation. The processing operations must be described in sufficient detail, with separate listings for each purpose. Each time, you must indicate the purpose for which specific data are collected, the categories of data you process and the categories of persons involved, the processing operations that are carried on and the legal basis on which you rely in order to be able to process the data. When producing this list, you can, of course, draw on your internal records to ensure you do not leave anything out.
  • You also need to be clear about the recipients of the information, in other words who will have access to it and who it will be passed on to. You should state which categories of your employees are involved in processing the data and are therefore able to access the information, and whether any external parties are involved in the data processing operations. If the collected information is passed on to third parties for further use, this must be indicated explicitly. This is normally done using general wording such as ‘sister companies’ or ‘partners’. The GDPR expects you to be as transparent as possible, since it is important that the data subjects understand where their data ends up, although you obviously cannot be expected to list the full names of each of your partners or suppliers.
  • You must demonstrate that adequate security measures have been taken to guarantee the confidentiality and integrity of the data. Once again, you do not have to go into detail about all the technologies and procedures involved, as this would obviously undermine the security measures, but you should disclose the principles you followed and how you are able to safeguard them within your company or organisation.
  • You are specifically required to provide information about the retention time (length of time data are kept). The GDPR states that you may use personal data for the intended purpose only, and you may therefore not keep data any longer than is necessary for that purpose. Moreover, as a data controller you have to guarantee the quality of the data. This includes guaranteeing that the data are not obsolete. Information about the retention time should be provided separately for each purpose.
  • Moreover, the privacy statement must also clearly set out the rights of data subjects.
    • They may submit a complaint to the Privacy Commission at any time if they believe data are being processed wrongfully.
    • They may ask the controller to supply information about the processing operations that use their data, and you must explain how to do this.
    • They may inspect the information available on them personally and arrange for it to be changed or erased if they so wish.

The rights of data subjects will be the subject of a separate instalment of this blog.

  • Finally, the GDPR demands that you specify whether you transfer certain data outside the EU. In that case, additional risks exist in relation to data protection and the rights of data subjects. These risks include the powers held by foreign authorities, such as NSA in the United States. Other guarantees apply, depending on the country to which the data are exported or the sector in which the company or organisation is active. This is a very complex subject from a legal perspective. In most cases, all you will need to state is that the data will remain within the EU and will therefore continue to enjoy the full legal protection provided by the GDPR. If that is not the case, you have to specify where the data will be sent and the form of protection that will apply. Data subjects can then decide for themselves whether their data will remain sufficiently confidential.

Besides specifying what the privacy statement must contain, the GDPR also provides guidelines for its design and structure. Important aspects include the way in which information is communicated to data subjects, when you present this information and how you keep it updated. These aspects will be considered in the next instalment of this blog.


Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).

If you have any questions or comments, please write to us at

Related news