This distinction of internal/external simply does not exist in the world of GDPR or Privacy. As we’ll see, it’s the obligation to give information – and that applies as much to data subjects who are employees as customers.
The bottom line is there’s no legal rule on this in Privacy law – the important thing is you provide data subjects with the information you’re meant to, when you’re meant to.
Not only does the term ‘Privacy Notice’ not appear in GDPR – ever – the word ‘notice’ only appears once in GDPR, in Recital 103 about when the Commission can give notice to revoke an adequacy decision.
Here’s the relevant parts of Article 13 and Article 14 from GDPR – no reference to the word ‘notice’ at all. It’s about giving information.
And Article 12 of GDPR, which goes into transparency of the information to be given, doesn’t use the word ‘notice’ either.
Articles 10 and 11 in the 1995 Data Protection Directive before GDPR were the same. And the word ‘notice’ didn’t appear at all, zero, in the 1995 Data Protection Directive. Not even in a recital.
As to UK law, the word ‘notice’ isn’t used in UK GDPR either and isn’t used in this sense in any of the 1984, 1998 or 2018 UK Data Protection Acts.
‘Notice’ appears 417 times in the 2018 UK DPA – we’ve looked at each one to check (!) – and it’s all about enforcement notices or penalty notices, not information to be given to the data subject.
You’re free to call the document whatever you want.
That’s the law. Let’s look at what the UK and EU regulators use, starting with the UK regulator, the ICO.
In July 2022, post-GDPR, the UK ICO uses ‘Privacy Notice’ in its footer and that links to a document they call a ‘privacy notice’. So the UK ICO used ‘policy’ for decades then switched to ‘notice’. Fine, but they didn’t need to.
Looking at EU regulators, starting with the French regulator, CNIL, CNIL uses donnée personnelle, or ‘personal data’, in their footer. And this links to what they call their Politique de protection des données or ‘Data Protection Policy’.
Do all these national data protection regulators have it wrong? Of course not.
Interestingly the European Data Protection Board, the EDPB, the evolution of the Article 29 Working Party, uses ‘General Data Protection Notice’. In 2018, they used ‘Data Protection Notice’.
And secondly the EDPB itself endorsed and adopted the Guidelines on transparency under GDPR issued by its predecessor, the Article 29 Working Party, on 11 April 2018, page 8 of which says:
So, are the supranational Article 29 Working Party and EDPB wrong? Again, no they don’t.
You can call the document whatever you want. ‘Policy’ is perfectly good, and not only recognised by Europe’s top regulators but recommended and used by them. Notice is fine too!
We’ve looked at the laws and regulators, all pretty clear. Let’s now look at some leading law firms.
Outside Europe, the leading Australian firm Minter Ellison uses ‘policy’, as does the leading US firm Wilson Sonsini.
These are great global firms. And they’re not wrong either.
So where did ‘notice’ come in if it’s not mentioned in GDPR?
But the word ‘notice’ is just a descriptor of the one or more ways combined in which you give the required information to the data subject. Everyone in the UK and EU used Policy.
The debate seems to have started after GDPR came in in 2018 and it may be related to GDPR being thrown at IT and Security professionals. Security has good reason to like tight nomenclature, for example to be able to differentiate between internal and external, or differentiate to secure different information appropriately. All perfectly reasonable – but again, it’s not a rule in UK or EU-level Privacy law, there is no official rule.
Well, surely ISO itself, the organisation, uses ‘Notice’? Nope, it uses ‘Policy’.
Which brings us onto commercial entities.
‘Privacy Notice’ appears precisely nowhere in GDPR. Regulators endorse and use ‘Policy’. Leading law firms use ‘Policy’. Major organisations use ‘Policy’, ‘Statement’ and ‘Notice’. And nowhere in the world of UK and European Data Protection is there a legal rule about Notice vs Privacy for internal vs external use, or otherwise.
You can call it what you want.
If you’re ready to get your Privacy governance into gear for your business, why not request a demo or free trial of our Privacy Management Software?
The UK government claims that the reforms in the draft UK Data Protection and Digital Information Bill, published by the government on 18 July 2022, will reduce ‘the burdens on…