Privacy Notices

The first principle of data privacy includes the principle of transparency. All Controllers and Processors (all self-employed barristers and Chambers) must have robust privacy notices in place which provide information in a manner prescribed under the UK GDPR. Privacy notices must be written in concise, clear and easy to understand language. It should include:

1. The identity and contact details of the Data Controller, and where relevant the contact details of the Data Protection Officer

2. The purposes of processing and the legal basis for doing so

3. The categories of personal data processed

4. Any legitimate interests relied on by the Controller to process data

5. Whether the provision of personal data is a legal requirement, or necessary for the performance of a contract/precontract enquiries and the consequences of not providing the information requested

6. If consent is the lawful basis of processing the right to withdraw consent

7. Whether the data will be shared, and with whom

8. Whether the data will be transferred out of the EU/EEA and the circumstances surrounding that transfer, the relevant additional safeguards put in place to ensure its security. Post Brexit this will change to out of the UK

9. The length of time over which personal data is stored and a general description of the security measure in place

10. The data subject’s rights and methods for exercising those rights

11. The right to make a complaint to the ICO

12. The existence of automated processing

Articles 13 & 14 of the UK GDPR provide more information including when to serve the privacy notice and what needs to be provided when the controller wishes to use data collected for a second purpose, or when personal data is received from a third party.