Website Privacy Statement and Notice

1.1 Introduction

A Privacy Notice will be presented to data subjects before their personal data is collected and processed. This requirement is fundamentally linked to the GDPR principle of lawfulness, fairness and transparency of processing (Article 5(1)(a)). Data subjects must have the means to manage their own privacy risks, make an informed choice, and understand how to exercise their rights as data subjects when they are asked to share personal data. The Privacy Notice also provides a point-in-time reference for (among other things) planned processing purposes, retention periods and third parties involved in processing data for a given purpose. It is vital that this information is accurate, sufficiently granular and clear, because it will inform decisions about future data processing and the management of Data Subject Requests to exercise GDPR rights.

1.2 Policy Scope

This policy sets out mandatory Privacy Notice inclusions, high-level guidance on the required transparency, granularity and clarity (Articles 12, 13 and 14, plus the Article 29 Working Party WP260 Guidelines on Transparency [1]), and requirements to maintain the accuracy of the Privacy Notice over time (Article 13(3)).

This policy should be read and used in conjunction with the Privacy Policy, Policy on Lawful Personal Data Processing, and Personal Data Processing Consent and Consent Withdrawal Policy.

1.3 Exceptions to this Regulatory Requirement

If personal data is rendered anonymous so that it cannot be used to identify any living individual, either from the data set itself or in combination with supplementary data that is readily available, then the requirements in this policy do not apply.

However, if your activity does not render data anonymous before data collection or processing begins, a Privacy Notice is still required.

See Article 13(4) and Article 14(5) for the specific exceptions relating to those Articles. All exceptions must be interpreted narrowly and the rationale for relying on one must be carefully documented.

1.4 Definitions

Please see Section 2 above.

1.5 Privacy Notice Delivery

Data Subjects must be given access to the privacy notice in a timely manner and in a format that allows prompt and easy access:

  1. The privacy notice will be in hard copy, digital, or oral form;
  2. The privacy notice will be easy to access (e.g. if data is obtained via a website, there must be a clear link to the privacy notice);
  3. Access to a privacy notice will be free of charge and must not be conditional on accepting other terms and conditions or on providing personal data;
  4. The privacy notice will not be obscured by being combined with other terms and conditions;
  5. We will ensure that data subjects have access to an appropriate privacy notice and ensure that records are kept of this (e.g. a recorded verbal confirmation, signature, email confirmation, box ticked).

Timing of Privacy Notice Delivery

Data subjects cannot manage their privacy risks and make informed decisions about data sharing if they are not told about planned processing in a timely manner. If the Children’s Rights Alliance obtains data from a third party instead of directly from Data Subjects, that timing may differ.

1.5.1 When Data is obtained directly from Data Subjects

The privacy notice will be made available to data subjects before we begin collecting and/or processing personal data.

After accessing the Privacy Notice, data subjects must have the time and opportunity to prevent collection and commencement of processing should they choose to. This will be taken into account when defining how and when a privacy notice is delivered.

1.5.2 When Data is obtained from a Third Party

Where data is obtained from a third party as opposed to directly from the Data Subject (e.g. a data broker, another data subject, a public source, a research service provider, an advertising supplier, or a partner organisation), the controller needs to inform data subjects about planned processing:

  1. within a reasonable period after obtaining the personal data, but at the latest within one month, taking the specific processing circumstances into consideration;
  2. if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  3. if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

[1] Article 29 Working Party, WP260, Guidelines on Transparency under Regulation 2016/679.
[3] See section 3 and Appendix A for potential exceptions.

1.5.3 Privacy Notice Updates

When we intend to use data for new purposes, or extend processing to new third parties, or use processing means that pose an additional risk to Data Subjects, we will update the Privacy Notice and inform impacted Data Subjects of that update. The update will include the unchanged information from the original privacy notice, so that the changes are presented in a meaningful context.

1.6 Privacy Notice Inclusions

The mandatory privacy notice inclusions below follow GDPR Articles 13 and 14.

For Data Obtained Directly from the Data Subject

Article 13 of the GDPR sets out the information that a Data Controller must include in a Privacy Notice at the time when data is obtained from the data subject:

  1. the identity and the contact details of the data controller;
  2. the contact details of the Data Protection Officer, where one has been designated;
  3. the planned processing purpose(s) and the legal basis for processing;
  4. where the processing is based on the Legitimate Interest of the controller or of a third party (point (f) of Article 6(1) of the GDPR), details of that Legitimate Interest;
  5. third party recipients or categories of recipients, if data will be shared;
  6. any planned transfer of data to a Third Country, including a note of any pre-existing adequacy decision made by the European Commission about that country or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them (see the Policy on Data Transfers for more details);
  7. the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period (see the Policy on Data Retention for more details);
  8. the existence of the right to access, rectify, erase or restrict processing of the personal data held by you, as well as the right to object to processing and the right to data portability;
  9. the existence of the right to withdraw consent at any time, where processing is based on consent (point (a) of Article 6(1)) or explicit consent (point (a) of Article 9(2)) of the GDPR, without affecting the lawfulness of processing carried out before withdrawal;
  10. the right to lodge a complaint with a supervisory authority;
  11. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and the possible consequences of not providing the data: explain why you cannot honour the contract without the requested data, or why the data is necessary to meet legal obligations;
  12. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), including meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

1.7 Article 13 Exceptions

The only Article 13 exception applies where, and insofar as, the data subject already has the information (Article 13(4)). The principle of accountability requires that data controllers demonstrate (and document) what information the data subject already has, how and when that information was received, and that the information is still relevant and accurate.

Even if the data subject has previously been provided with some of the information set out in Article 13, the data controller is still obliged to ensure that it is supplemented with the rest of the information required by Article 13.

Example

An individual signs up to an online email service and receives all of the required Article 13(1) and 13(2) information at the point of sign-up. Six months later the data subject activates a connected instant messaging function through the email service provider and provides their mobile telephone number to do so. The service provider gives the data subject certain Article 13(1) and 13(2) information about the processing of the telephone number (e.g. purposes and legal basis for processing, recipients, retention period) but does not provide other information that the individual already has from six months ago and which has not since changed (e.g. the identity and contact details of the controller, information on data subject rights and the right to complain to the relevant supervisory authority). As a matter of best practice, however, all of this information should be provided to the data subject again. The new processing for the purposes of the instant messaging service may affect the data subject in a way that would prompt them to seek to exercise a right they may have forgotten about, having been informed six months prior. Providing all the information again helps to ensure the data subject remains well informed about how their data is being used and about their rights.

1.8 For Data Obtained from a Third Party

Article 14 of the GDPR sets out the information to include in a Privacy Notice when data is obtained from a third party:

  1. the identity and the contact details of the data controller;
  2. the contact details of the Data Protection Officer, where one has been designated;
  3. where the personal data came from and, if applicable, whether it came from publicly accessible sources;
  4. the planned processing purpose(s) and the legal basis for processing;
  5. the categories of personal data concerned;
  6. third party recipients or categories of recipients, if data will be shared;
  7. any planned transfer of data to a Third Country, including a note of any pre-existing adequacy decision made by the European Commission about that country (e.g. the Swiss adequacy decision) or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them (see the Policy on Data Transfers for more details);
  8. the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
  9. where the processing is based on the Legitimate Interest of the controller or of a third party (point (f) of Article 6(1)), details of that Legitimate Interest;
  10. the existence of the right to access, rectify, erase or restrict processing of the personal data held by you, as well as the right to object to processing and the right to data portability;
  11. the existence of the right to withdraw consent at any time, where processing is based on consent (point (a) of Article 6(1)) or explicit consent (point (a) of Article 9(2)), without affecting the lawfulness of processing carried out before withdrawal;
  12. the right to lodge a complaint with a supervisory authority;
  13. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and the possible consequences of not providing the data: explain why you cannot honour the contract without the requested data, or why the data is necessary to meet legal obligations;
  14. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), including meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

1.9 Article 14 Exceptions

In addition to the Article 13 exception (when a data subject is already in possession of privacy notice information), the following exceptions may apply when data is obtained from someone other than the data subject:

  1. The provision of such information is impossible or would involve a disproportionate effort, or would make the achievement of the objectives of the processing impossible or seriously impair them (see Appendix A for examples of how this might apply);
  2. The data controller is subject to a national law or EU legal requirement to obtain or disclose the personal data and that law provides appropriate protections for the data subject’s legitimate interests; or
  3. An obligation of professional secrecy (including a statutory obligation of secrecy) which is regulated by national or EU law means the personal data must remain confidential.

See Appendix A for examples of how each condition might apply. Where a data controller wants to rely on one of the exceptions above, it should document the circumstances, and assess and document the potential risk to the rights and freedoms of data subjects against the interests of the organisation.

Where it is not possible to make the information contained in the privacy notice, or in a privacy notice update, directly available to the specifically impacted data subjects, you should make that information publicly available (Article 14(5)(b)). In such cases Article 11(1) may also be relevant: it states that a data controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR.

1.10 Privacy Notice Transparency, Clarity and Granularity

Article 12 sets out rules for the style and format of information provided to data subjects under Articles 13 and 14. When creating a Privacy Notice:

  1. it must be concise, transparent, intelligible and easily accessible;
  2. clear and plain language must be used;
  3. the requirement for clear and plain language is of particular importance when providing information to children;
  4. it must be in writing “or by other means, including, where appropriate, by electronic means”;
  5. where requested by the data subject it may be provided orally, provided that the identity of the data subject is proven by other means (Article 12(1)); and
  6. it must be provided free of charge.

In addition, when listing the processing purpose(s) and third parties involved in processing it is important to balance the need to be clear and concise, with the need to be transparent. See Appendix C for more detail on each requirement including relevant examples.

APPROVED BY THE BOARD 11 SEPTEMBER 2018