• 2 min read

My organisation has a customer privacy notice, but should we have other notices as well? 

Padlock Security cyber digital concept Abstract technology background protect system innovation vector illustration

In all likelihood the short answer to this is yes!

As consumers ourselves we are presented with customer privacy notices all the time, this is especially obvious when shopping online, and so they are perhaps the privacy notice we all think of first and are the most visible to the outside world.

However, when you consider the personal data your organisation collects and uses, there will be personal data relating to individuals who are not customers. This non-customer personal data requires equivalent protection to customer personal data and those individuals are entitled to understand, via the presentation of a privacy notice, how your organisation processes their personal data.

Therefore you may also need, or have in place already, the following privacy notices in addition to a customer privacy notice:

(a) Employee privacy notice – if your organisation has any employees then you will be collecting and processing their personal data. You may also wish to address in this privacy notice (or a separate one if it is considered more appropriate) any agency workers or consultants you may use and how you process their personal data.

(b) Recruitment privacy notice – when you look to recruit new staff, whether directly or with the assistance of a recruitment agency, you will collect personal data about the candidates but this will be different to the information you hold about employees and you would use it differently. Therefore it is typically appropriate to have a standalone privacy notice for recruitment / candidates.

(c) Supplier privacy notice – if you deal with suppliers who operate as sole traders or partnerships then any information you collect about them, and their business (for example payment information), will be personal data. If you deal with corporate suppliers then the employees working for those suppliers will provide their personal data to you (for example, names and contact details). Therefore most organisations will also require a supplier privacy notice.

(d) Website privacy notice – if your organisation sells goods only via a website then this may be your “customer privacy notice” or you may sell both on-line and off-line and have two different customer privacy notices given the differing nature of the two methods of sales. If you have a website which is merely a “shop front” (i.e. you do not sell via the website, it is more of a marketing tool) you may still need a website privacy policy if you collect (or may collect) personal data about visitors to the website. For example, your website may have a “contact us” form where visitors can complete a form to send you a question or ask for a call back thereby providing you with personal data.

Depending upon the nature of your organisation there may be other categories of individuals who you collect and process personal data in relation to for whom you may need a privacy notice in addition to those listed above. For example you may run an apprentice scheme and feel it is appropriate to have a privacy notice specifically drafted to address the personal data collected about apprentices.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].

Answers are just a click away

Make an enquiry