• In section 1 of 02.3_Privacy_Notice_EN.docx, your comments state that I should include personal data categories. I cannot find much information about the definition of personal data categories. Is the following a good set of personal data categories?
Contact’s full name
Contact’s job title
Contact’s phone number
Contact’s email address
Registrant’s full name
Registrant’s date of birth
Registrant’s examination venue
Registrant’s intended destination school
Registrant’s examination subject options
Registrant’s Special Education Needs (SEN) flag
Registrant’s current school
• In section 3 of 02.3_Privacy_Notice_EN.docx, your wording states ‘No third party providers have access to your data, unless specifically required by law’. Is the third party provider you mention the same as a third party processor? In the case of our company, we use a number of external processors to fulfill various aspects of our business (such as printers, online assessment providers etc) and these processors receive some of the data subject’s personal data. Should my use of external processors get declared in this document? If my assumption is correct, what level of detail should I include? Do I need to state each company and what personal data is transferred to them?
Personal data is defined in EU GDPR article 4 – “Definitions” (https://advisera.com/gdpr/definitions/): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. You can easily observe that the definition is very broad.
The examples you provided are consistent with the definition of personal data. To continue with some examples you can use the following taxonomy:
□ Personal master data (e.g. name, surname, date of birth)
□ Communication data (e.g. telephone, e-mail, address)
□ Contract master data (contractual relationship, product or contract interest)
□ Customer history
□ Contractual invoicing and payment data
□ Planning and control data.
□ Academic and professional data (training / qualifications, professional experience).
□ Employment details (work center, job position and department).
□ IP addresses
□ Transaction data (bank accounts, transaction history etc.)
2. Your assumption is right. Third parties refer to the suppliers to whom you may be transferring personal data. Here you can be quite broad: you can just refer to the categories of suppliers, and you definitely don’t need to state the names of the suppliers.
You can use wording something like: “We may transfer personal data to third party service providers, such as our IT systems providers, our hosting providers, cloud service providers, database providers, consultants (including lawyers, tax accountants, labor consultants) and third parties who carry out pre-employment or pre-engagement checks on prospective employees and contractors and other goods and services providers (such as food service providers) - each of these service providers has signed contracts to protect your personal information.”