September 20, 2021

Volume XI, Number 263



GDPR Privacy Policy Checklist

If your company is a data controller under the GDPR (for US companies, follow this flowchart), then your company will need to update its privacy policy or privacy notice. Under the GDPR, privacy policies must contain more detailed disclosures while also being understandable and accessible. Even under the current privacy laws, EU regulators have demonstrated they will enforce rules on transparency in privacy disclosures. On February 16, 2018, a Belgian court threatened to fine Facebook US $125 million for failure to disclose its personal data collection practices. These fines may be steeper after May 25th, since the GDPR increases the maximum penalties. Use the checklist below to identify the key disclosure requirements for privacy policies.

Information about processing of personal data

  • Purpose of processing

  • Legal basis for processing (e.g., consent, performance of a contract, necessary for the purposes of the legitimate interests of the data controller)

  • Legitimate interests of the controller (if any)

  • Whether automated decision-making, including profiling, will take place (this includes details of the significance and the potential consequences of such processing for the individual)

Details about collection and use of personal data

  • Categories of personal data collected

  • Recipients or categories of recipients that receive personal data

  • Any transfers of personal data to countries outside of the EEA (and the applicable safeguards in place)

  • Data retention policy (i.e., how long the data will be stored for or the criteria used to determine that period)

  • Any automated processing of personal data that will take place (including profiling) and how decisions will be made, the significance and any consequences of such processing

  • Whether provision of personal data is part of a statutory or contractual requirement and the possible consequences if the individual refuses to provide personal data

Existence of individual rights

  • Right of access to personal data

  • Right to rectification of personal data held where it is incorrect or incomplete

  • Right of erasure of personal data (“right to be forgotten”) if certain grounds are met

  • Right to restrict/suspend processing of personal data

  • Right to complain to a supervisory authority

Additional rights that may apply in certain instances:

    • Right of data portability (if processing is based on consent and automated means)

    • Right to withdraw consent at any time (if processing is based on consent)

    • Right to object to processing (if processing is based on legitimate interests)

    • Right to object to processing of personal data for direct marketing purposes

Contact information

  • Name and contact details for data controller (and any representative)

  • Name and contact details for data protection officer (“DPO”), if a DPO is appointed

Copyright © 2021 Womble Bond Dickinson (US) LLP All Rights Reserved. National Law Review, Volume VIII, Number 59

About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Orla M. O'Hannaidh, Womble Carlyle, Intellectual Property Attorney, Technology Commercialization Lawyer

Orla O’Hannaidh is an associate in Womble Carlyle’s Intellectual Property Practice Group and a member of the firm’s IP Transactions Team. Her practice focuses on drafting and reviewing a broad variety of contracts involving the use and commercialization of intellectual property and technology. Orla also practices in the areas of copyright, marketing, sweepstakes and promotions law. Before joining Womble Carlyle, Orla worked for the Irish Department of Foreign Affairs in Washington D.C. and Dublin, Ireland. Orla gained significant experience in government relations and negotiations. Orla...

Daryl Webb, Attorney, Womble Bond Dickinson

Darryl is an associate specialising in commercial contracts and commercial law.  He trained with the firm and now undertakes a broad range of commercial work, with particular expertise in drafting and negotiating: manufacturing contracts; contracts for the supply of goods and services; transitional services agreements; confidentiality agreements; and settlement agreements.

He advises on the commercial aspects of corporate transactions, including: commercial due diligence; NDAs; heads of terms; confidentiality provisions; contract assignments;...
