GDPR and personal data

Abstract

These guidelines explain how IPSPs should handle personal information and comply with relevant regulations.

Main Text

The GDPR (General Data Protection Regulation) aims to ensure transparency and to inform the public – the users, workers, team members, etc. of the Diamond OA publication service – about how your organisation uses, stores, and processes their personal data.

If Diamond OA publishers and service providers handle the personal information of people within the EU, they must comply with GDPR and they must have a privacy notice that explains how they do that.

Easy to read and understand

A privacy notice, a key requirement of the GDPR, is a public document that outlines how an organisation processes personal data. Articles 12, 13, and 14 of the GDPR provide guidance on creating these notices, emphasising clarity and accessibility. Privacy notices must be concise, transparent, clear, and accessible. They should be in plain language, delivered promptly, and provided free of charge.

Tips for writing a clear and easy-to-understand privacy notice:

  • Avoid vague qualifiers like ‘may’, ‘might’, ‘sometimes’, ‘often’. Use ‘will’ and ‘always’ instead.
  • Write in the active voice with well-structured sentences.
  • Use a spelling and grammar checker to help you keep sentences short and clear.
  • Provide clear, specific explanations, e.g. instead of ‘We will retain your personal details’ write ‘We will retain your name, email address and institution name.’


What’s required

The specific information required in a privacy notice depends on whether the data is collected directly from individuals or is received indirectly from a third party.

When your organisation collects data directly, the notice must include:

  • The organisation's identity, contact details, and those of its Data Protection Officer, if there is one (or of the individual responsible for monitoring and implementing the requirements of the GDPR).

  • Purpose and legal basis for data processing.
  • Legitimate interests of the organisation or third party.
  • Recipients or categories of recipients.
  • Details of any data transfers to third countries.
  • Retention period or criteria for determining it.
  • Details of the data subject's rights.
  • Right to withdraw consent.
  • Right to lodge a complaint with a supervisory authority.
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data.
  • Automated decision-making systems, including profiling.
  • If data is obtained indirectly, the notice must also specify the categories of data obtained.

When your organisation obtains personal data indirectly (via another organization or service), your privacy notice must provide all the same information as above, except for:

  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data.

and must include:

  • The categories of personal data obtained.

If Diamond OA publishers and service providers obtain personal data from a third party, they have to inform the data subject at the earliest of:

  • within one month of obtaining the data,
  • upon first communication with the data subject, or
  • before sharing the data with another organization.

How and where to inform individuals

Organizations should provide privacy notices in writing and electronically, making them accessible on their websites under the title “Privacy Policy” with a direct link from each page. Notices should also be available orally upon request via the Data Protection Officer.

Best practices

The EU website for GDPR offers a section on best practices for writing a compliant privacy notice: https://gdpr.eu/privacy-notice/, including a template for a privacy policy.

Licensing

This article is made available under a Creative Commons Attribution 4.0 International License.