This month we’re concentrating on privacy notices. Your organisation’s privacy notices are a key area of compliance with the 1st Data Protection Principle, that personal data must be dealt with fairly, lawfully and transparently. Privacy notices are the mechanism by which you tell individuals what personal data you hold and your purpose for processing their personal data.

Privacy notices are a prominent public facing aspect of your organisation’s GDPR compliance measures, and will be an obvious area to challenge if they do not meet the required standards under the GDPR. On that basis, ensuring that your privacy notices are GDPR compliant should be one of your organisation’s key compliance priorities.

Our action point for this month, therefore, is to review and amend your privacy notices. Privacy notices are already an aspect of data protection law, but under the GDPR your organisation’s privacy notice must provide much more information to the individual. The GDPR sets out a long list of information which must be included in a privacy notice. For example, you must tell the individual not only your purpose for processing their personal data (as is currently required), but also which of the permitted legal bases for processing personal data you are relying upon, e.g. legitimate interests or consent. If legitimate interests are relied upon, you must set out what those legitimate interests are and how they are balanced against the interests of the individual. The period for which personal data will be retained must also be included, as must details of whom you share the individual’s personal data with.

You will also need to consider how the information is presented to individuals. This is likely to vary depending upon the category of data subject the privacy notice is addressing, for example, the privacy notice you provide your staff will differ in content from the privacy notice you provide customers, clients or the public generally. Your staff privacy notice can be placed on an intranet, while your customer privacy notice may be best placed on your website (this is what is suggested by the most recent European guidance).

Remember that when your organisation is collecting personal data directly from an individual, the privacy information must be provided at the point of collection; you will need to think about how this information can be provided in practical terms. If you obtain personal data from a third party, rather than from the individual directly, you are still required in most cases to provide privacy information to the individual concerned. This must be done within one month of receiving the personal data, or at the first time you communicate with the individual concerned (whichever is sooner).


The Information Law team at Geldards can assist your organisation with this key compliance requirement. We can provide template GDPR privacy notices. We can also assist with advice on the method and timeframe for delivering privacy information. For more information contact a member of our Specialist GDPR Team.