EU watchdog turns its attention to privacy policies and data notices | DMA

Filter By

Show All

Connect to


EU watchdog turns its attention to privacy policies and data notices

UK businesses need to take a long, hard look at their data collection notices and privacy policies to ensure they comply with EU data protection laws, an EU privacy watchdog warns. Vague and general phrases such as "improving users' experience", "marketing purposes", and "IT security purposes" are not acceptable reasons, the Article 29 Working Party said in a recent opinion paper.

The Article 29 Working Party, which is made up of the heads of the national data protection authorities in EU Member States, believes that such general statements need further explanation if they are to comply with EU data protection laws. Organisations are required to identify the purpose for which they are collecting personal data, clearly and specifically.

Big data vs simple data
Businesses should almost always seek consent when using personal data in complex analytics and big data projects: for example, for tracking and profiling for purposes of direct marketing, online behavioural advertising, data-brokering, location-based advertising or tracking-based digital marketing research.

The good news for small businesses is that the Article 29 Working Party recognises that there is a huge difference between a local firm gathering simple data from local people and multinationals using complex analytics to target and profile large numbers of consumers throughout Europe.

This means that a local shop selling to local people which collects limited information about its customers may be allowed to use a general statement about how it will process the customers’ personal information.

However, a large retail company selling goods via a website across all European countries and using complex analytics to send personalised offers and targeted advertisements will not be able to use vague and general statements as to how it will process its customers' personal information in data collection notices and its privacy policy.

User-friendly privacy policies/data notices
The Working Party also warns against the use of complicated disclaimers written in legalese which data subjects find hard to decipher. It recommends a layered notice that allows data subjects to read key information in a concise, user-friendly manner. This could include a link to a more detailed description of how data will be processed.

Access to data profiles
Individuals and customers should have access to their profiles as well as to the logic of the decision-making (algorithm) that led to the development of the profile. Organisations should also disclose their decisional criteria. (In this case the Working Party is overstepping the mark and going beyond what is currently legally required.)

Privacy risks of anonymised data
Organisations should be aware of the problem of re-identification in the case of pseudonymous or annoymised data. (Annoymised or pseudonymous data is where an organisation scrambles information to make the data record less identifying.) However, in certain cases because of the uniqueness of an individual’s information, it may still be possible to re-identify an individual.

Why the opinion of the Article 29 Working Party matters
This Working Party paper is important in the context of the negotiations over the draft Data Protection Regulation. Although the Article 29 Working Party does not have a formal role in the legislative process, it is an influential lobbying organisation given its composition. Some of the issues raised in the paper relate to the issues of profiling of individuals and anonymous/pseudonymous data, which are contentious issues in the draft Data Protection Regulation.

The draft Data Protection Regulation also requires organisations to focus more on their compliance obligations and to be able to demonstrate to the national data protection authority (the Information Commissioner’s Office in the case of the UK) that they are complying with the legal requirements.

What the current law says
Current UK and EU Data protection law requires that:

Personal information must be collected for specified explicit and legitimate purposes (purpose specification) and it is not to be further processed in a way incompatible with those purposes (compatible use).

The paper suggests that in order to determine whether further processing is compatible with the original purpose(s) there is a need for a compatibility assessment/test.

The assessment/test should take account of the following key factors:

  • The relationship between the purposes for which the personal information was originally collected and the further processing
  • The context in which the personal information was collected and the reasonable expectations of individuals’ as to its further use
  • The nature of the personal information and the impact of the further processing on individuals’
  • The safeguards adopted by the organisation to ensure fair processing and to prevent any undue impact on individuals.

The paper contains examples as to how this test works in practice. The DMA will continue to monitor developments in this area and will keep members updated in this newsletter.

James Milligan, Solicitor, Direct Marketing Association

Hear more from the DMA

Please login to comment.


Related Articles

Economic pressures have plagued households for several years, with brands facing the challenge of engaging consumers who are more budget-conscious than ever before. As a result, brand loyalty has sharply declined, with 61% of consumers being less likely to stick with brands in 2023 compared to 41% in 2022.

Cost of Living Exit Strategy Report 20244

When thinking about sustainable marketing, often we think about the channels we use, or materials we use in a physical sense. We overlook things like the audience targeting, data cleanse & optimisation, which have a big impact on minimising wastage.


The telecom industry boasts an array of touchpoints, presenting both opportunities and challenges for marketers. Ensuring that campaigns not only resonate but also yield results is critical.


The telecommunications sector grapples with a pressing issue: customer data silos.

iStock-1180187740 600x400.jpg