
[Legal Article] Are You GDPR Compliant? - 2 - Privacy Notices under the GDPR

2019-01-07, 陳彥嘉, Senior Legal Counsel
The General Data Protection Regulation (the “GDPR”),[1] which took effect on May 25, 2018,[2] has reshaped the protection scheme for personal data across the European Union (the “EU”).[3]  The GDPR also has a significant impact on the privacy management practices[4] of many companies and organizations throughout the world because the GDPR may apply to any “enterprise”[5] that is a data “controller”[6] or a data “processor”[7] processing “personal data”[8] belonging to a data subject[9] in the EU, regardless of whether the “processing”[10] occurs in the EU.[11]  Controllers and processors that have no establishment in the EU should not ignore the GDPR, because the GDPR applies to both EU-based and non-EU-based enterprises as long as the personal data processing relates to activities “offering [] goods or services” to such data subjects in the EU or “monitoring” the behavior of such data subjects in the EU.[12]  It is likely that no responsible controller or processor can afford to ignore the GDPR,[13] since non-compliance with the GDPR may result in a costly and severe financial penalty[14] of up to €20 million or four percent (4%) of total worldwide annual turnover, “whichever is higher.”[15]  Among the various GDPR compliance suggestions offered by different commentators, updating privacy notices in line with the GDPR is certainly one of the top priorities on your GDPR compliance roadmap.[16]  Here, the so-called “privacy notice” (some may call it a “privacy policy” or “privacy statement”[17]) refers to the publicly viewable document stating how your company or organization collects, manages, uses, discloses, and/or shares the personal data of a data subject.[18]  This article introduces some GDPR privacy notice requirements that deserve the attention of those who are subject to the GDPR.
Beginning by explaining the importance of updating privacy notices in line with the GDPR, this article covers some lawful bases for personal data processing, some required information that should be included in privacy notices, the timing of providing privacy notices, and the manner in which a privacy notice should be presented.
 
I.  Why Do You Need to Update Your Privacy Notices?
 
Updating your privacy notices (or creating one if you have no privacy notice yet) in line with the GDPR requirements matters if you are a controller subject to the GDPR.[19]  Doing so not only ensures your compliance with the GDPR but also tells data subjects what you do or will do with their personal data,[20] which likely helps you build trust with data subjects.[21]  The GDPR provides data subjects with several enhanced rights concerning their personal data,[22] including the right to be informed.[23]  As a feature covering some key transparency requisites under the GDPR,[24] the right to be informed requires a controller to “take appropriate measures”[25] to clearly and concisely inform data subjects how the controller deals with their personal data.[26]  Updating your privacy notices in light of the GDPR is, therefore, one of those appropriate measures you should take to ensure compliance with the GDPR.[27]
 
II.  Do You Have a Lawful Basis for Your Processing of Personal Data?
 
You should identify and record your lawful basis (or bases, if you have more than one) for your processing of personal data when updating your privacy notices for GDPR compliance.[28]  The GDPR requires personal data to be processed “lawfully” (and also “fairly, and in a transparent manner”).[29]  In addition, the GDPR accountability requirement holds a controller accountable for demonstrating[30] that the controller has an appropriate lawful basis for the processing of personal data.[31]  It is thus important that a controller identifies its proper lawful basis for processing personal data and includes it in its privacy notices to communicate this information to data subjects.[32]  The GDPR provides a series of lawful bases for the processing of personal data, such as the data subject’s “consent,” a “contract,” compliance with a “legal obligation,” protecting the “vital interests” of the data subject or another natural person, performing a “public task,” and pursuing a “legitimate interest.”[33]  The GDPR also specifies lawful bases for the processing of special category data[34] and criminal offense data.[35]  These GDPR lawful bases for the processing of personal data may help to determine what rights a data subject has under the GDPR.[36]  Identifying a controller’s proper lawful basis for the processing of personal data and including it in its privacy notices helps demonstrate the controller’s compliance with the GDPR.[37]  Failing to do so likely results in a controller’s processing of personal data being regarded as “prima facie unlawful” and indicates the controller’s non-compliance with the GDPR.[38]
 
III.  What Information Should You Include in Your Privacy Notices?
 
The GDPR sets forth the required information that should be included in a controller’s privacy notice and divides that information into two groups on the basis of whether the controller obtains the personal data directly from the data subject.[39]  The following presents a non-exhaustive list of what these two groups of information have in common and how they differ from each other.
 
A.  Required Information in Common
 
1. the controller’s identity and contact details (and, if applicable, the identity and contact details of the controller’s representative);[40]
2. the contact details of the controller’s data protection officer (“DPO”), if a DPO is required;[41]
3. the purposes of the personal data processing;[42]
4. the lawful basis (or bases, if more than one) for the personal data processing;[43]
5. “the recipients or categories of recipients of the personal data;”[44]
6. the details of personal data transfers to a third country or international organization together with safeguards taken;[45]
7. the period for which the personal data will be retained, or if a time frame is not feasible, how this period is determined;[46]
8. “the legitimate interests pursued by the controller or by a third party;”[47]
9. the data subject’s rights with regard to the personal data processing (e.g., the right of access, the right to erasure (the right to be forgotten), the right to object to the processing of personal data, and the right to data portability);[48]
10. the data subject’s right to withdraw consent;[49]
11. the data subject’s right to lodge a complaint with a supervisory authority;[50] and
12. the existence and details of automated decision-making, including profiling.[51]
 
B.  Differences

| Information | Personal data obtained DIRECTLY from the data subject | Personal data NOT obtained from the data subject (e.g., from a third party) |
| --- | --- | --- |
| 1. the categories of personal data obtained | No | Yes[52] |
| 2. the source of the personal data obtained, and whether it came from publicly accessible sources | No | Yes[53] |
| 3. whether the data subject is under a statutory or contractual requirement to provide his or her personal data, and the possible consequences of failing to do so | Yes[54] | No |
 
IV.  When Should You Give Your Privacy Notices?
 
In general, you should make your privacy notices publicly available and easy for data subjects to access, because the GDPR requires so.[55]  For instance, if your company or organization has an official website, you should consider posting your privacy notices on that website.[56]  However, the GDPR demands more than disclosing your privacy notices on your website: it expects you to actively bring your privacy notices to the attention of data subjects and to make them easily accessible.[57]  Accordingly, a better practice is to promptly give your privacy notices to a data subject each time you first obtain that data subject’s personal data for a different purpose[58] or in a new way.[59]
 
Under the GDPR, you should provide your privacy notices to a data subject when obtaining personal data directly from that data subject.[60]  Nonetheless, you do not have to give a data subject any information already known to the data subject.[61]
 
If you obtain personal data of a data subject from somewhere other than that data subject, you should notify the data subject of your privacy notices (1) within one month after you obtain the said personal data; (2) before or at the time of the first communication to that data subject if you use the said personal data to communicate with that data subject; or (3) no later than the time of disclosure if you envisage disclosing the obtained personal data to a third party.[62]  On the other hand, there is no need to provide a data subject with the aforesaid privacy notices in any of the following circumstances: (1) the data subject already knows the information; (2) providing the privacy notices to the data subject is impossible; (3) it would “involve a disproportionate effort” to provide the privacy notices to the data subject; (4) the provision of such privacy notices “is likely to render impossible or seriously impair the achievement of the objectives of that processing;” (5) the obtaining or disclosure of personal data is required by law; or (6) you are required to maintain the confidentiality of the obtained personal data under a professional secrecy obligation set forth by law.[63]
 
V.  How Should You Present Your Privacy Notices?
 
Your GDPR-compliant privacy notices should be easy for anyone to find, read, and understand,[64] ideally in a manner understandable to children.[65]  Under the GDPR, a privacy notice provided by a controller is required to be “in a concise, transparent, intelligible and easily accessible form,” and to use “clear and plain language, in particular for any information addressed specifically to a child.”[66]  Your privacy notices should be provided in writing, although other means, such as electronic means, may be acceptable where appropriate.[67]  Providing your privacy notices orally upon a data subject’s request is allowed only if “the identity of the data subject is proven by other means.”[68]
 
VI.  Conclusion
 
A few months have passed since the GDPR came into effect on May 25, 2018.[69]  Uncertainty arises because nobody knows “how lenient GDPR regulators will be about compliance gaps” or “which [GDPR] provisions will be examined first.”[70]  In the post-GDPR era, your privacy notice matters because this publicly viewable document is likely one of the very first items inspected by GDPR regulators if your GDPR compliance implementation falls under regulatory scrutiny.[71]  Drafting a GDPR-compliant privacy notice can be challenging because it requires careful attention not only to what the law says, but also to the unique facts and circumstances of each case.[72]  Furthermore, it is not easy to strike a balance between the comprehensiveness and the readability of a GDPR privacy notice when crafting it in light of the GDPR.[73]  A key challenge lies in how to include an accurate, detailed, and forward-looking description of data processing activities in a privacy notice while simultaneously presenting that notice in a straightforward manner easily understood by a child or an adult.[74]  Unfortunately, there is no one-size-fits-all solution (i.e., there is no single GDPR-compliant privacy notice template that completely fits the needs of everyone caught by the GDPR), since the factual circumstances of personal data processing activities vary from one case to another.  This also explains why many privacy notices out there differ from each other.
 
This article summarizes some GDPR requirements for privacy notices that you need to know when updating your privacy notices (or creating one if you do not have any privacy notice yet) for GDPR compliance.  If you have not updated your privacy notices (or have not created one) in line with the GDPR, you are late in getting compliant with the GDPR, because the GDPR has applied since May 25, 2018.[75]  It will take a tremendous amount of time and effort to meet the requirements posed by the GDPR and become GDPR compliant.[76]  Please put updating your privacy notices on your must-do list and do it as soon as possible on your way toward compliance with the GDPR.  If you do not know where to start, you may consider reviewing once again your initial assessment of your data processing activities, which you will find helpful when developing your GDPR compliance plan.[77]  You need to know what data you are processing and how you process that data, and then develop a GDPR compliance plan (including your privacy notices) tailored to your processing activities before you deliver your privacy notices to the public.[78]  When you are drafting or updating your GDPR-compliant privacy notices, you may begin by asking yourself the following questions: (1) what personal data do you process; (2) why do you process that personal data; (3) for what purposes are you processing that personal data; (4) from where or from whom do you obtain that personal data; (5) to where do you transfer that data; (6) with whom do you share that personal data; and (7) how do you process that personal data.[79]
 
This article, including the information contained herein, has been prepared only for educational and general information purposes to contribute to the understanding of the General Data Protection Regulation (“GDPR”) of the European Union.  It does not constitute and is not offered as individual legal advice, legal opinion or any other professional advice on any subject matters covered herein.  Please obtain specific legal advice before acting on any information covered herein.  While the author makes every attempt to ensure that the information contained herein is accurate, the author disclaims any liability for any omissions or errors that may be contained in this article.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119, 4.5.2016, at 1–88 (hereinafter the “GDPR”).
[2] GDPR art. 99.
[4] Stephen Lawton, One Month Out: Top 6 Steps for GDPR Compliance, SC Magazine (Apr. 25, 2018), https://www.scmagazine.com/one-month-out-top-6-steps-for-gdpr-compliance/printarticle/754487/.
[5] GDPR art. 4(18).
[6] Id. (7).
[7] Id. (8).
[8] Id. (1).
[9] Id.
[10] Id. (2).
[11] Id. art. 3, ¶¶1-2.
[12] Id.  See also A&O, Preparing for the GDPR, supra note 3, at 4-5; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 3, at 1-2; Paul Doris, Douglas Lahnborg, Kolvin Stone & Matthew Rose, Parental Liability for GDPR Infringements: Lessons from EU Competition Law?, Orrick (July 12, 2018), https://www.orrick.com/Insights/2018/07/Parental-Liability-for-GDPR-Infringements-Lessons-from-EU-Competition-Law (hereinafter “Paul Doris et al., Parental Liability”); Patrick Nohe, GDPR: How to write a Privacy Notice – Best Practices, Hashed Out, The SSL Store (Apr. 3, 2018), https://www.thesslstore.com/blog/gdpr-privacy-notices/ (last visited June 28, 2018).
[13] A&O, Preparing for the GDPR, supra note 3, at 4.
[14] Paul Doris et al., Parental Liability, supra note 12.
[15] GDPR art. 83, ¶¶4-6.
[17] Schuman, supra note 16, at 2; Lawton, supra note 4; Robinson, supra note 16; Nohe, supra note 12; GDPR Privacy Policy Checklist, The VeraSafe Data Protection Blog (Apr. 10, 2018), https://www.verasafe.com/blog/gdpr-privacy-policy-checklist/ (hereinafter “Checklist, VeraSafe”).
[18] Nohe, supra note 12; Checklist, VeraSafe, supra note 17; Joanne Vengadesan et al., Rethinking Privacy Policies, supra note 16.
[19] Joanne Vengadesan et al., Rethinking Privacy Policies, supra note 16; Schuman, supra note 16, at 2; Checklist, VeraSafe, supra note 17; Lawton, supra note 4; Robinson, supra note 16; Nohe, supra note 12.
[20] Nohe, supra note 12; Checklist, VeraSafe, supra note 17.
[21] Right to be Informed, Guide to the General Data Protection Regulation, The Information Commissioner’s Office of the United Kingdom, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/ (last visited Aug. 3, 2018) (hereinafter “Right to be Informed, ICO Guide”).
[22] A&O, Preparing for the GDPR, supra note 3, at 20.  These rights include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.  GDPR arts. 12-18, 20-22.  These rights are “cornerstones of the GDPR” strengthening the rights of individual data subjects.  Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 3, at 3; Joanne Vengadesan et al., Rethinking Privacy Policies, supra note 16.
[23] GDPR arts. 12-14.
[24] Right to be Informed, ICO Guide, supra note 21.
[25] GDPR art. 12, ¶1.
[26] Right to be Informed, ICO Guide, supra note 21.
[27] Nohe, supra note 12; Checklist, VeraSafe, supra note 17.
[28] Lawful Basis for Processing, Guide to the General Data Protection Regulation, The Information Commissioner’s Office of the United Kingdom, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ (last visited Aug. 7, 2018) (hereinafter “Lawful Basis for Processing, ICO Guide”); A&O, Preparing for the GDPR, supra note 3, at 9; Joanne Vengadesan et al., Rethinking Privacy Policies, supra note 16.
[29] GDPR art. 5, ¶1.
[30] Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 3, at 3.
[31] GDPR art. 5, ¶2; GDPR art. 24.
[32] Lawful Basis for Processing, ICO Guide, supra note 28; Joanne Vengadesan et al., Rethinking Privacy Policies, supra note 16; A&O, Preparing for the GDPR, supra note 3, at 11, 15; Schuman, supra note 16, at 4.
[33] GDPR art. 6, ¶1.
[34] Id. art. 9.
[35] Id. art. 10.
[36] A&O, Preparing for the GDPR, supra note 3, at 9.
[37] Lawful Basis for Processing, ICO Guide, supra note 28.
[38] Nohe, supra note 12; Lawful Basis for Processing, ICO Guide, supra note 28.
[39] GDPR arts. 13-14.
[40] GDPR art. 13, ¶1, point (a); GDPR art. 14, ¶1, point (a).
[41] GDPR art. 13, ¶1, point (b); GDPR art. 14, ¶1, point (b).
[42] GDPR art. 13, ¶1, point (c); GDPR art. 14, ¶1, point (c).
[43] GDPR art. 13, ¶1, point (c); GDPR art. 14, ¶1, point (c).
[44] GDPR art. 13, ¶1, point (e); GDPR art. 14, ¶1, point (e).
[45] GDPR art. 13, ¶1, point (f); GDPR art. 14, ¶1, point (f).
[46] GDPR art. 13, ¶2, point (a); GDPR art. 14, ¶2, point (a).
[47] GDPR art. 13, ¶1, point (d); GDPR art. 14, ¶2, point (b).
[48] GDPR art. 13, ¶2, point (b); GDPR art. 14, ¶2, point (c).
[49] GDPR art. 13, ¶2, point (c); GDPR art. 14, ¶2, point (d).
[50] GDPR art. 13, ¶2, point (d); GDPR art. 14, ¶2, point (e).
[51] GDPR art. 13, ¶2, point (f); GDPR art. 14, ¶2, point (g).
[52] GDPR art. 14, ¶1, point (d).
[53] Id. ¶2, point (f).
[54] Id. art. 13, ¶2, point (e).
[55] Id. art. 12, ¶1.
[56] Right to be Informed, ICO Guide, supra note 21; Nohe, supra note 12.
[57] GDPR art. 12, ¶1.  See also Right to be Informed, ICO Guide, supra note 21; Nohe, supra note 12.
[58] GDPR art. 13, ¶3; GDPR art. 14, ¶4.