After entering all the data of an organization and building the record of processing, we proceed with the creation of privacy policies in accordance with the GDPR principles.
The legislation on the protection of personal data requires the data controller to comply with the so-called "information duty", which consists of communicating to the data subject all the details of the processing activities that involve him or her.
You only have a few more pieces of information to add:
Other information, such as the roles involved in the processing activities (DPOs, representative of the controller, categories of data subjects or recipients), the purposes, legal basis, data retention or criteria and any transfers, comes automatically from the data in the Processing activities section.
Try to reach 100% completion and increase the privacy score of your organization.
You must inform the data subject every time a processing activity takes place: when you receive his or her data or, at the latest, the first time you communicate with the data subject. If, later on, you want to process the data for different purposes, you will have to specify further information.
Finally, the style of communication, in accordance with the principles enshrined in the Regulation, must be clear and concise in order to help those concerned understand it.
The Regulation specifies some cases in which the policy is not necessary. This happens when:
Even when the data come from another controller, there are some exceptions, in particular when: