GDPR (12) What is the best way to present a privacy statement?

31 October 2017

In the previous instalment of this blog we went over the different matters that need to be included in a privacy statement to ensure that all data subjects have been correctly informed about the processing operations carried out with their data. The way in which this is done is also important, and the GDPR drafters paid specific attention to this matter.

As a data controller, your duty is to provide this information in a concise form and in clear and plain language. Some companies have excelled at producing convoluted texts, often dozens of pages in length, containing formulations that are incomprehensible to the layman, which deters users from actually reading the document and is the antithesis of transparency. The GDPR expects you to use simple language that can be understood by just about everyone. In the Netherlands, CEFR language level B1 is specifically recommended, which is equivalent to primary school level. If your audience includes any children, it is particularly important that you explain in a simple, intelligible way what you do with the data they supply. Drawing up a separate privacy statement for children is often the best solution.

Transparency can also be enhanced by providing an outline of the main elements first and by ensuring the text has a good structure. For example, you can describe each topic in one sentence or a brief paragraph, and then give visitors the option to click for further information. In this way, users can quickly find the items they are looking for and learn more if they so wish. It can be a good idea to use icons so that the message can be communicated more simply than with words alone. Working groups have been developing specific icons for years, but this task is proving a challenge.

Do not forget to place the date and version number on your privacy statement. Texts of this kind are not set in stone, since the nature of the data you process, the recipients or the protection measures taken may change. Your text must provide accurate, up-to-date information and will therefore be changed frequently. You are also supposed to keep data subjects informed about such changes. At the very least, you need to make clear to them that the privacy statement may change in future. Ask them to visit the page on your website regularly. It is worth keeping the old versions of your privacy statement so that if a processing operation is challenged you can check which information was available to data subjects at the time the relevant processing operation was carried out.

The form your privacy statement should take and the best place to publish it depend on the circumstances. You need to ensure that it is easy to find. You should avoid hiding your privacy statement among your general terms and conditions. While the most common method is to provide a link on the website, a privacy statement can also be communicated on paper or even orally. There are, however, a number of rules you need to take into account.

If you allow users to enter personal data on a website or in an application, you have to ensure the required information about data processing is provided first. The best way to do this is to refer to the privacy statement in the introduction to the application in question. Many websites do this in a bar at the bottom of each page. This is, of course, not very specific and does not relate to a single specific purpose, but it does ensure the information is made accessible to visitors as soon as they enter your website. This is important for websites that use cookies or other tools to collect information about the surfing behaviour of visitors. As these tools start working as soon as the website is entered, visitors must be notified immediately.

There is certainly nothing wrong with making several privacy statements that are adapted to different target groups. Your existing or prospective clients are probably not interested in how your organisation deals with staff data, and so using different privacy statements allows you to adjust the length of the text.

As it is, the GDPR provides an excellent opportunity for every organisation to examine their policy on processing staff data and report on this internally. The volume of data about staff in circulation is greater than you would imagine and includes sensitive data.

  • Payroll processing requires all kinds of data (salary, attendance, sick leave and composition of family). At many businesses, this information is processed externally by a social secretariat, which is therefore the processor of the data. Furthermore, data have to be passed on to the government for social security and tax administration purposes.
  • In addition, the organisation’s personnel files contain all kinds of career-related data. This information is also accessed by people outside the HR department in connection with recruitment activities, evaluations and promotions. It is important that you make any necessary improvements to the procedures surrounding confidentiality.
  • Other data that are available relate to the use of IT tools. These can range from the content of e-mails to user accounts, user groups, authorisation levels and logs of the use of applications or visits to websites. It is important that you provide transparent information about the data recorded in the logs and the related purpose. You also need to make clear what the employer may and may not do with this information.

Larger organisations have to discuss this subject with the Works Council. Employees at smaller companies also need to be informed about all processing operations using personal data. This can be done in the form of an internal privacy statement, which you can include in your employment terms and conditions, or alternatively distribute as a separate document, either on paper or in a digital format. It is not a bad idea to ask your employees to sign this text to indicate they have read it.

While more creativity may sometimes be required, every organisation can, with a little effort, shed light on the personal data processing operations it carries out and why they are necessary, as transparency is a basic requirement. Our next instalments of this blog will consider what the GDPR means by adequate measures to protect personal data that are processed. This could present a major challenge for many companies.



Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).

If you have any questions or comments, please write to us at