Data protection information notice for customers
This notice is designed to help data controllers comply with the disclosure requirements of the General Data Protection Regulation (GDPR) with respect to customers.
This notice sets out the categories of personal data that may be processed and, for each category, the legal basis of that processing. Where the legal basis is "legitimate interests", the specific interests pursued should be identified.
Where personal data are obtained from a source other than the data subject, that source should be identified. In addition, the data controller will need to provide the notice to the data subject "within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed" (Article 14(3), GDPR).
The persons or categories of person to whom personal data may be disclosed should also be identified in the notice, as should details of international transfers (to countries outside the EEA) and the safeguards adopted to ensure that such transfers are lawful.
Data protection information notice for customers contents
- Introduction: commitment to privacy; document applies to controlled personal data; data controller name.
- How we use your personal data: introduction to categories, purposes and legal bases of processing; processing of customer relationship data; processing of transaction data (customers); processing of notification data (customers); processing of service data (customers); processing of other data; processing for legal claims; processing for risk management; general purposes of processing personal data; disclosure of third party personal data.
- Providing your personal data to others: intra-group disclosures of personal data; disclosure of personal data to insurers etc; disclosures of personal data to subcontractors; disclosure of personal data to payment services providers (customers); disclosure of personal data necessary for legal compliance etc.
- International transfers of your personal data: introduction to international personal data transfers; international transfers within business; international transfers to other recipients.
- Retaining and deleting personal data: data retention introduction; personal data retention default rule; personal data retention specific rules; personal data retention criteria; personal data deletion exception.
- Security of personal data: appropriate technical and organisational security measures; personal data stored on secure servers and computers; encrypted storage of personal data; unencrypted data sent over internet is insecure; password security (software and IT systems).
- Amendments: changes to document published on website; notification of changes to document.
- Your rights: introduction to data subject rights summaries; list of data subject rights; summary of right to access personal data; summary of right to rectification of personal data; summary of right to erasure of personal data; summary of right to restrict processing of personal data; summary of right to object to processing of personal data; summary of right to object to processing of personal data for direct marketing; summary of right to object to processing of personal data for research purposes; summary of right to personal data portability; summary of right to complain to data protection supervisory authority; summary of right to withdraw consent to personal data processing; exercise of data subject rights.
- Our details: legal name; company registration details; place of business; contact information.
- Representative within the European Union: identity and contact details of representative of data controller.
- Data protection officer: data protection officer contact details.