Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).

Data Protection & Cyber Security

Russia

Under Russian law all aspects of processing should be reflected in the internal data processing policies.

As per Russian legislation and the recommendations of Roskomnadzor, the internal policy on data processing shall contain the following sections:

  • data controller’s identity (name, address);
  • terms and definitions used in the document;
  • explanation of the policy’s goals;
  • purposes of data processing;
  • lawful basis/legal grounds for data processing, categories of data subjects whose PII is processed and categories of PII being processed;
  • operations on PII and general description of PII processing methods;
  • information on transfer of PII to the third parties, including cross-border transfer of PII;
  • information on data processors engaged to process PII on behalf of the data controller;
  • information on measures taken to ensure security and confidentiality of PII;
  • terms of PII processing, including retention terms and conditions regarding termination of processing;
  • data subjects’ rights and how they can exercise their rights.

The policy shall be drafted in Russian (or bilingually). If the data controller has a website or app, it shall make the policy available to the website's/app's users.

Practically speaking, there should be a general data protection policy covering all the issues above and a number of more detailed policies setting out in detail how one or another aspect of data processing is carried out (e.g., a separate policy on data retention and the procedure for data destruction; a policy setting out how different departments should react to data subjects' queries about their rights, etc.).

Policies should be duly implemented in the company, which means i) the policy is approved by an order of the company's General Director (or another duly authorized officer), ii) the policy is in line with Russian law and iii) all employees put their wet signatures on a special acknowledgment form confirming that they are aware of the policy's provisions (the so-called “familiarization procedure”).

Argentina

Under Argentine data protection regulations, the general basis for data processing is the informed consent of the data subject. As stated in question 5, consent must be prior, given freely, based upon the information previously provided to the data subject (informed) and expressed in writing or by equivalent means, depending on the circumstances of the case. Businesses processing data must comply with those requirements.

Brazil

Yes. The data subject has the right to easy access to information about the processing of the respective data, which should be provided in a clear, adequate and ostensible manner, including the other aspects provided for in regulations for compliance with the principle of free access:

  • The specific purpose of processing;
  • Form and duration of the processing, observing business and industrial secrets;
  • Data controller identification;
  • Information about the shared use of data by the controller and for which purpose;
  • Responsibilities of the agents that will carry out the processing;
  • Rights of the data subject, explicitly mentioning the rights provided in the LGPD.

If the legal basis of the processing is consent, whenever there are changes in the purposes of the processing of personal data that are not compatible with the original consent, the controller shall inform the data subject of the changes of purpose in advance, and the data subject may revoke the consent whenever they disagree with the changes.

If the processing of personal data is a condition for the supply of a product or service or for the exercise of a right, the data subject shall be informed of this fact and of the means by which the rights set forth in the LGPD may be exercised.

Bulgaria

Data subjects’ information rights, outlined in the GDPR, fully apply in Bulgaria. No special national rules have been adopted in this regard.
Pursuant to the provisions of Articles 13 and 14 GDPR, data controllers shall duly inform data subjects about activities involving processing of their personal data. The information notice must include:

  • identification of the company – data controller: title and contact details, including contact details of the company’s data protection officer, if such is appointed (address, e-mail, telephone, etc.);
  • the categories of personal data processed and the purposes of the processing;
  • the categories of recipients of personal data outside the company, and whether data will be transferred to third countries, outside the EU;
  • the storage periods;
  • information on data subjects’ rights and on how they can be exercised;
  • information on data subjects’ right to lodge a complaint with the national data protection authority;
  • whether the provision of personal data is a statutory or contractual requirement, as well as the possible consequences if data are not provided;
  • (if applicable) whether the company performs automated decision making, including profiling.

In addition to the above, pursuant to the provisions of the PDPA (Article 25e and 25i PDPA) data controllers (the employers) shall inform data subjects (the employees) in case the following practices are implemented and carried out within the company:

  • whistleblowing systems;
  • restrictions on the use of business resources;
  • systems for access control and for control of working time and work discipline;
  • video surveillance.

The controller is responsible for making sure that the data subjects concerned are informed about the content of the information notice; there is no specific requirement on how to inform them. It is, however, both in the interest of and an obligation for the controller to be able to prove compliance with its information obligation. In its ‘10 Practical Steps on the Application of the GDPR’ guidance document, the Bulgarian PDPC suggests that information notices may be brought to the attention of data subjects through the website of the respective company, or by other suitable means available to the data subjects.

Switzerland

For “normal” personal data, FADP does not explicitly require a notice to the data subjects. It solely requires that the data collection and data processing must be transparent (see art. 4 para. 4 FADP). Transparency may also derive from the context or the constellation.

Only for the collection of sensitive personal data and personality profiles is active and comprehensive information required (see art. 14 FADP).

It is, however, quite common to have data privacy notices in place. This is particularly true if transparency cannot be achieved solely through the context or implicit information. Such data privacy notices are usually posted online. There is no case law on the question of whether the information about offline data collection may be provided in the form of an online data privacy notice, i.e. by referring to the online notice. Depending on the circumstances, it is quite common to include some basic data privacy information in offline documents and to refer to the data privacy notice on the company website for more detailed information.

Spain

The principle of transparency of the GDPR implies the obligation for companies to give detailed information about the processing of the data to the person affected by it. Articles 13 and 14 GDPR establish the minimum content of the information to be provided where personal data are collected from the data subject and where the personal data have not been obtained from them.

Under the Spanish LOPD, the duty of information will be fulfilled if the Controller provides the affected person with the following information: the identity of the data controller and its DPO, if applicable; the purpose of the treatment; the possibility to exercise the rights set out in Articles 15 to 22 of the GDPR; and an e-mail address or other means that allows easy and immediate access to the rest of the information.

Chile

No. The Data Privacy Act does not require providing notice to individuals of the business' processing activities; in some cases, the consent/authorization of the data holder is required. According to the answer to question 5, the data holder giving “consent” shall be accurately informed about the purpose of the storage of the personal data and whether or not those data will be communicated to the public.

Germany

The principles of good faith and transparency require that the data subject will be informed of the processing operation and of its purposes prior to processing. The controller must provide information on the processing including

  • information on the identity of the controller;
  • information on the purposes of data processing;
  • any other relevant information for data subjects to obtain their right of access;
  • information and education on the risks, rules, safeguards and rights related to the processing of personal data and how to assert their rights.

The rights to information are further substantiated by the provisions of Artt. 13, 14 GDPR. Regarding the requirements of Art. 13 GDPR, the controller must provide all information to the person concerned as set out in the catalogue of Art. 13 GDPR. Concerning the requirements of Art. 14 GDPR, the controller must provide all information to the person concerned such as contact information of the controller and the data protection officer, the purpose of the data processing and the legal basis, the recipients as well as information about whether the data is transferred to third countries.

According to Art. 13 GDPR the controller is obliged to inform the data subject at the time when personal data are obtained. Depending on the specific situation, there are different possibilities of how to inform the data subjects. If, for example, the data processing happens on websites, the person concerned can be informed via a link to the information on a privacy policy subsite. In the case of concluding contracts, the information can be provided in the T&Cs or elsewhere, such as in separate instructions. If employees are concerned, they must be notified with info sheets.

India

Privacy Rules

Yes, the Privacy Rules require Data Subjects to be informed via a notice / privacy policy, which should be posted online. For more details, please refer to our response to Query 4 above.

Privacy Bill

The Privacy Bill proposes that Data Subjects be able to obtain a brief activity summary of the processing of their PD undertaken by data fiduciaries.

China

The CSL stipulates that network operators shall abide by the "lawful, justifiable and necessary" principles when collecting and using personal information, by announcing rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtaining the consent of the person whose personal information is to be collected.[34] The PI Specification requires personal information controllers to establish privacy policies[35] and to promptly notify personal information subjects if the privacy policy is updated.[36] When a personal information controller stops operating its products or services, it shall notify personal information subjects of the cessation of operation individually or through public announcement.[37] A personal information controller shall promptly notify affected personal information subjects of incident-related information through means such as email, letter mail, telephone, or push notification. If it is difficult to individually inform personal information subjects, a public warning should be delivered in an appropriate and effective manner.[38]

[34] CSL, § 41.
[35] PI Specification, 5.6 a).
[36] PI Specification, 5.6 f).
[37] PI Specification, 6.4 b).
[38] PI Specification, 9.2 a).

Indonesia

Under Indonesian laws, there are no explicit requirements to provide a privacy notice to the Data Subject. However, MCI Regulation 20/2016 does require the ESO to obtain consent on how it processes and analyzes the Personal Data during data collection. Normally, an explanation of the processing activities will be included within the Consent Form provided to the Data Subject.

Portugal

Yes, under the terms and conditions foreseen in articles 12, 13 and 14 of the GDPR. Controllers are required to provide at least the following information:

a) identity and contact details of the controller and, where applicable, its representative;

b) contact details of the DPO;

c) purpose and legal basis for the processing;

d) legitimate interests pursued by the controller or a third party when that constitutes the legal basis for the processing;

e) categories of personal data concerned (only required where the data are not obtained from the data subject);

f) recipients or categories of recipients of the personal data;

g) details of transfers to third countries and reference to the safeguards and the means to obtain a copy of them or where they have been made available;

h) period for which the personal data will be stored;

i) rights of the data subject (access, rectification, erasure, restriction on processing, objection and portability);

j) right to withdraw the consent at any time where processing is based on consent;

k) right to lodge complaint with a supervisory authority;

l) whether there is an obligation (legal or contractual) to provide the personal data and the possible consequences of failure to provide such data;

m) the source from which the personal data originate and, if applicable, whether they came from publicly accessible sources (only required where the data are not obtained from the data subject);

n) the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The information above shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It can be provided in writing, including electronically (on-line) or orally.

The Article 29 Working Party, in its Guidelines on transparency (WP260rev.01), “recommends that the entirety of the information addressed to data subjects should be available to them in one single place or one complete document (e.g. whether in a digital form on a website or in paper format)”, regardless of the layered privacy approach used to avoid information fatigue and of other methods such as “push” and “pull” notices.

Finally, the Guidelines on transparency (WP260rev.01) referred to above provide further guidance on what, when, where and how to provide the required information, which controllers, in the absence of specific laws, regulations and guidelines in their jurisdiction, should take into consideration, as these guidelines reflect the position of the European Data Protection Authorities and their interpretation of the GDPR provisions.

United Kingdom

Individuals have the right to be informed about the collection and use of their personal data. Transparency is a key requirement.

At the time personal data is obtained from a data subject, a controller must provide the data subject with all of the following privacy information:

  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the legitimate interests pursued by the controller or by a third party where the legitimate interests lawful basis is being used;
  • the recipients or categories of recipients of the personal data, if any;
  • source of the data;
  • retention periods;
  • details of the individuals' rights, including the right to withdraw consent;
  • the right to lodge a complaint with a supervisory authority;
  • if there is a statutory or contractual obligation to provide certain details and the consequences of not providing these;
  • if automated decision making or profiling is being conducted with meaningful information about the logic used and the intended consequences of the processing; and
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the mechanism that is being relied upon to allow the transfer and where relevant how to obtain a copy.

When personal data is obtained from a source other than the individual it relates to, the individual needs to be provided with the above privacy information:

  • within a reasonable period of obtaining the personal data and no later than one month;
  • if you use the data to communicate with the individual, at the latest, when the first communication takes place; or
  • if you envisage disclosure to someone else, at the latest, when you disclose the data.

The controller must actively provide privacy information to individuals. They can meet this requirement by putting the information on their website, but they must make individuals aware of it and give them an easy way to access it, including at the point of collection of their data. For all audiences, information must:

  • be concise;
  • be transparent;
  • be intelligible;
  • be easily accessible; and
  • use clear and plain language.

When providing the information to individuals a combination of techniques can be used such as a layered approach to presenting the information, privacy dashboards, just in time notices and icons. It is also good practice to carry out user testing on draft privacy information to get feedback on how easy it is to access and understand. After it is finalised, regular reviews should be carried out to check it remains accurate and up to date. If the controller plans to use personal data for any new purposes, they must update their privacy information and proactively bring any changes to people’s attention.

Sweden

Yes, according to articles 13 and 14 of the GDPR, the controller is required to provide data subjects with notice of its processing activities, such as identity and contact details of the controller and the purposes as well as the legal basis for the processing.

The information to provide the data subjects with varies to some extent depending on whether the personal data have been obtained from the data subject or not. Further, information shall under certain conditions be provided to the data subject in case of a data breach or other personal data incidents.

The information to the data subject shall be provided in an easily accessible, written form in clear and simple language. Many choose to provide the information by posting an online privacy notice and including hyperlinks to the notice in, for example, their email signatures and marketing messages.

In addition to the above, chapter 6 paragraph 18 of the Cookie Act stipulates that a website with cookies must always provide its visitors with information about the purpose of the cookies being used, regardless of what data the cookies collect. This information is normally provided by posting a so-called cookie policy on the website.

Greece

Law 2472/1997 explicitly provides for the right to information of the data subjects (article 11). According to this framework, the data controller should inform the data subjects already upon collection of their data, in a clear and appropriate way, of at least its identity or its representative's identity, the purpose of processing, the recipients or the categories of recipients, the existence of the right of access and other rights available, i.e. objection and judicial protection. The Greek draft law (article 31) under the GDPR includes more details and further differentiates the level of information depending on whether the data are collected from the data subject itself, without, however, specifying the manner of provision (e.g. through the website).

Under the GDPR, the obligation to inform the data subjects is subject to more fairness and transparency as part of the accountability principle applying to data controllers. The HDPA has already conducted ex-officio investigations on the compliance of data controllers with the requirements of the GDPR and of data protection in electronic communications. Within this context, the HDPA checked the information provided to data subjects on websites through the relevant privacy notice sections, as regards their content, in accordance with articles 13 and 14 of the GDPR. It has therefore pointed out in practice that websites are subject to compliance with the information obligation towards the data subjects.

Turkey

Pursuant to Article 10 of the Law No. 6698, data controllers are under the obligation to inform the related subjects on the following:

  • the name of the data controller and/or the representative of the data controller (if any);
  • to whom and for which purposes personal data shall be transferred;
  • the method and legal reason for collecting personal data;
  • rights of the data subjects as envisaged under Article 11 of the Law No. 6698.

The Board further published the Communiqué on Principles and Procedures to Be Followed When Fulfilling the Obligation to Inform (“Communiqué on the Obligation to Inform”) in order to clarify principles to be followed by data controllers while informing data subjects and obtaining explicit consent, where deemed necessary. Additionally, the Board has published a guideline document concerning the fulfilment of the obligation to inform, in order to illustrate best practices.

Austria

Such information obligations are governed by Articles 13 and 14 of the GDPR. These are usually published on the enterprise’s website or are even posted on the company's premises. In some industries (e.g. banks, insurance companies) it is even customary to hand these over to the customers.

France

Individuals have the right to be informed about the collection and use of their personal data. Transparency is a key requirement.
At the time personal data is obtained from a data subject, a controller must provide the data subject with all of the following privacy information:

  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the legitimate interests pursued by the controller or by a third party where the legitimate interests lawful basis is being used;
  • the recipients or categories of recipients of the personal data, if any;
  • source of the data;
  • retention periods;
  • details of the individuals' rights, including the right to withdraw consent;
  • the right to lodge a complaint with a supervisory authority;
  • if there is a statutory or contractual obligation to provide certain details and the consequences of not providing these;
  • if automated decision making or profiling is being conducted with meaningful information about the logic used and the intended consequences of the processing; and
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the mechanism that is being relied upon to allow the transfer and where relevant how to obtain a copy.

When personal data is obtained from a source other than the individual it relates to, the individual needs to be provided with the above privacy information:

  • within a reasonable period of obtaining the personal data and no later than one month;
  • if the data is used to communicate with the individual, at the latest, when the first communication takes place; or
  • if it is envisaged to disclose the data to someone else, at the latest, when the data is disclosed.

The controller must actively provide privacy information to individuals. They can meet this requirement by putting the information on their website, but they must make individuals aware of it and give them an easy way to access it, including at the point of collection of their data. For all audiences, information must:

  • be concise;
  • be transparent;
  • be intelligible;
  • be easily accessible; and
  • use clear and plain language.

When providing the information to individuals, a combination of techniques can be used such as a layered approach to presenting the information, privacy dashboards, just in time notices and icons. It is also good practice to carry out user testing on draft privacy information to get feedback on how easy it is to access and understand. After it is finalized, regular reviews should be carried out to check it remains accurate and up to date. Indeed, the controllers should always update their privacy information and proactively bring any changes to people’s attention.

Some examples of notices of information can be found on the CNIL's website.

United States

There is no omnibus federal law that requires entities to provide notice to individuals when collecting, processing or disclosing personal information. However, the FTC, which serves as the closest thing the U.S. has to a lead data protection authority, takes the position that under Section 5 of the FTC Act (which prohibits deceptive or unfair acts or practices in or affecting commerce), it is an unfair business practice not to disclose material data practices, especially if they would be unexpected, and that any material omissions or inaccuracies in privacy notices are a deceptive practice. In addition, several federal sector-specific laws require privacy notices. For example, HIPAA requires covered entities to provide a health information privacy notice titled “Notice of Privacy Practices” and obtain consent prior to certain types of disclosures of PHI; GLBA requires financial institutions to provide annual privacy notices and certain privacy choices; the Cable Communications Policy Act requires notice and consent for cable communications providers to disclose subscriber information except to the extent necessary to render core cable services; and COPPA requires online service operators to post a privacy notice for parents to read, and further requires various levels of consent prior to collection of personal information from children. Most states have their own versions of HIPAA and GLBA that can set higher standards, and state insurance laws also regulate privacy notices and choices for insurers. Various state laws require privacy notices by internet service providers, and other states are considering similar legislation. Congress and various state legislatures are considering privacy and security requirements for internet of things providers, some of which include privacy notice obligations.

Certain states have laws requiring privacy notices with broader applicability, depending on the circumstances, including California, Nevada, Delaware and Connecticut. For example, business-to-business entities are required to post a privacy policy consistent with Delaware law, while California and Nevada merely regulate consumer transactions and solicitations. California has the most robust privacy notice laws, including CalOPPA, which requires online consumer services to post a privacy policy; the California Shine the Light Law, which requires entities to post a privacy policy (online or offline) disclosing whether they share consumer personal information with third parties for the third parties’ own direct marketing purposes; California’s Privacy Rights for California Minors in the Digital World law, which requires a disclosure describing how a minor under age 18 can delete publicly available personal information they have submitted online; and the forthcoming CCPA, which will require pre-collection notice, robust privacy policies, and businesses to provide California residents (referred to as consumers, but currently defined based on taxpayer status) with certain rights over the access to and control of personal information. More than a dozen other states are considering similar laws, as is Congress.

Malaysia

Section 7 of the PDPA requires data users to make available a written notice to data subjects prior to or as soon as possible after the collection of their personal data.

It specifically requires data users to provide data subjects with such a privacy notice stating:

(a) That personal data of the data subject is being processed by the data user and providing the data subject with a description of the personal data being processed by the data user;

(b) Purpose for which the personal data is being collected and processed;

(c) Source of the personal data;

(d) Data subject’s right to access and correct the personal data and the contact details to which a data subject may send the data access and/or correction request;

(e) Class of third parties the personal data is disclosed or may be disclosed to;

(f) Choices and means available to the data subject to limit the processing of his/her personal data;

(g) Whether it is obligatory or voluntary for the data subject to provide the personal data; and

(h) Where it is obligatory personal data, the consequences of failing to provide such obligatory personal data.

The aforementioned written notice shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.

Further, the means of communication to serve such notice is to be determined by data users which can be done by any means deemed effective, such as posting an online privacy notice to the general public, including it in a service application form for new customers, and providing it in a portal for existing customers, as reflected in a brochure of “A Quick Guide to Privacy Notice” published by the Commissioner.

Gibraltar

Article 13 of the GDPR provides that where personal data relating to a data subject is collected from the data subject, the data controller shall provide the data subject with all of the following information:

  • the identity and the contact details of the data controller and, where applicable, of the data controller’s representative;
  • the contact details of the DPO, where applicable;
  • the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
  • where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the data controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the data controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission.

Article 14 of GDPR provides that where personal data has not been obtained from the data subject, the controller shall provide the data subject with the following information:

  • the identity and the contact details of the data controller and, where applicable, of the data controller’s representative;
  • the contact details of the DPO, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, that the data controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission.

Ireland

Individuals have the right to be informed about the collection and use of their personal data. Transparency is a key requirement.

At the time personal data is obtained from a data subject, a controller must provide the data subject with the following information:

  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
  • the legitimate interests pursued by the controller or by a third party where the 'legitimate interests' lawful basis is being used;
  • the recipients or categories of recipients of the personal data, if any;
  • source of the data;
  • retention periods;
  • details of the individual's rights, including the right to withdraw consent;
  • the right to lodge a complaint with a supervisory authority;
  • if there is a statutory or contractual obligation to provide certain details and the consequences of not providing these;
  • if automated decision making or profiling is being conducted with meaningful information about the logic used and the intended consequences of the processing; and
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the mechanism that is being relied upon to legitimise the transfer (and where relevant how to obtain a copy).

When personal data is obtained from a source other than the individual that it relates to, the individual needs to be provided with the above privacy information:

  • within a reasonable period of obtaining the personal data and no later than one month;
  • if that data is used to communicate with the individual, at the latest, when the first communication takes place; or
  • if disclosure of the data to another party is envisaged, at the latest, when the data is first disclosed.

The controller must actively provide the necessary information to individuals. The controller can meet this requirement by putting the information on its website, but the controller must make individuals aware of it and give them an easy way to access it. For all audiences, the information must:

  • be concise;
  • be transparent;
  • be intelligible;
  • be easily accessible; and
  • use clear and plain language.

When providing the information to individuals, a combination of techniques can be used such as a layered approach to presenting the information, privacy dashboards, just in time notices and icons. It is also good practice to carry out user testing on draft privacy information to get feedback on how easy it is to access and understand. After it is finalised, regular reviews should be carried out to check it remains accurate and up to date. If the controller plans to use personal data for any new purposes, they must update their privacy information and proactively bring any changes to the attention of relevant individuals.

Updated: June 17, 2019