Here are some tips for writing a GDPR-compliant Privacy Notice:
- Identify the Controller (the company responsible for the collection and use of the data, usually the company whose app it is).
- Say whether or not the Controller has a Data Protection Officer (GDPR requires some organisations to appoint one, but not all).
- Outline each item of personal data being collected by the Controller or obtained from a third party, including setting out the legal basis of processing, the recipients (or categories of recipients) of the personal data, and the period of retention, or criteria used to determine it.
- Explain whether any personal data will be transferred to a third country/international organisation and, if so, on what basis and how the individual can obtain a copy of any "safeguards" relied on by the Controller.
- Explain the existence of any automated decision making (including profiling), explaining the logic involved, and the significance and consequences of the processing for the individual.
- Explain the various enhanced rights that people have in relation to processing (e.g. the new right to data portability).
- Explain the right to lodge a complaint with the supervisory authority.
The deadline set by Apple isn't that far away. If you need any assistance in creating an appropriate GDPR Privacy Notice, or with any other aspect of GDPR compliance, please do get in touch.