3. Communicating with staff and service users
How is your firm communicating with relevant parties about its use of personal data? Make a list of all the documents that your firm currently uses to communicate about personal data. This may include the privacy statement on your website, your engagement letter and your employee contracts. This list and the contents of each document should be subject to regular review to ensure accuracy and compliance with GDPR obligations. In some circumstances your firm might identify a new area where a notification is required and will need an entirely new document.
The requirements for notifications are contained in Articles 13 and 14 of GDPR. There are different notification requirements for data which is collected directly from an individual and data which is obtained from a third party. These templates apply where the data is collected from the data subject. Where the data is sourced from a third party there are additional requirements; please see Article 14.
Note that there are extra requirements relating to the form of such notices where the notice is directed to children or vulnerable people.
In order to complete these templates and keep these notices up to date, firms will have to consider the lawful basis upon which they process the personal data. For a list of lawful bases to process data, please see Article 6 of GDPR and the Data Protection Act 2018. When law firms rely on the ‘legitimate interests’ ground, they must specify the legitimate interests upon which they are relying in the Article 13 and 14 notifications.
Firms may consider referring to the privacy notice in their terms of engagement and attaching the privacy notice as a schedule to the terms of engagement or the s.150-152 notices. It is not recommended to embed the privacy notice in the body of the text of the terms of engagement as this is unlikely to be considered appropriate for the GDPR notification standards. Also, firms may need to update a privacy notice from time to time and it may be convenient to do so without amending the entire terms of engagement.
The guidance of the Article 29 Data Protection Working Party on transparency is a useful source of information to consider when drafting a privacy notice. One common sense rule contained in that guidance is that the people whose personal data is processed should not be taken by surprise at a later point about the ways in which their personal data is used.
Article 14 of GDPR contains some exemptions from the requirement to provide information where the data has been obtained indirectly, and Member States are permitted to legislate for further restrictions on the scope of data subject rights related to transparency. The Data Protection Act should be consulted for restrictions on these obligations. See section 60 of the Data Protection Act, which, for example, sets out a restriction for the establishment, exercise or defence of a legal claim where ‘necessary and proportionate’.
It is a difficult task to communicate appropriately about data processing in privacy notices, as there is a tension between the complexity of the information required to be provided and the obligation to present that information in clear and plain language.
Helpful Templates
- Template 4: Privacy notice (website)
- Template 5: Privacy notice (terms of engagement). Note: a data processing agreement (Article 28 GDPR) may also be required to be included within the terms of engagement where the firm is processing personal data on behalf of a client. This template is drafted for use with individuals or private clients and is not suitable for clients that are legal persons such as companies.
- Template 6: Privacy notice (employees)
- Template 7: Data protection clauses for employee contracts
Communicating checklist
- Has your firm a list of all documents and notifications (including privacy statement or notice) used to communicate about personal data?
- Are these accurate and up to date to ensure compliance with GDPR, including the transparency obligation?
- Is the information concise, transparent, easily accessible and easy to understand?