The policy must be concise, easy to understand and presented in an accessible form.
- the identity of the organisation which collects and uses the personal data (e.g. its full name and contact information);
- what personal data is collected (e.g. name, email address, telephone number);
- how personal data is collected (e.g. through a contact form on the organisation’s website or via cookies);
- why personal data is collected and the lawful basis which is being relied on to process the personal data (the lawful bases include consent, legitimate interest and necessary for the performance of a contract);
- when personal data may be disclosed to third parties and the purpose of such disclosures;
- when personal data is transferred outside the European Economic Area and details of the safeguards used to legitimise such a transfer;
- details of the additional rights which individuals have in respect of their personal data (e.g. to request access to, deletion of or correction of, their personal data or to request their personal data be transferred to another person).