General privacy policy/notice vs. entity-specific policy/notice
For a company that has subsidiaries with different processing, is it ideal for them to have a general privacy policy or notice or entity-specific ones?
It all depends on the role of the subsidiaries, whether they are data controllers or data processors. If they are data processors, it is the role of the data controller to make sure that data subjects are informed by means of a privacy notice. If they are data controllers, they need to make sure that they have a privacy notice describing their processing operations. What is really important is to make sure that the data subject is informed. The privacy notice or notices can reside in a single location; however, they must be easy to read and understand, and contain information about all the processing operations.
Please visit these resources as well:
- Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
- Article 13 GDPR: Information to be provided where personal data are collected from the data subject: https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/
- Article 14 GDPR: Information to be provided where personal data have not been obtained from the data subject: https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/
Aug 16, 2022