Internal Privacy Policy

An Internal Privacy Policy (also known as a Data Protection Policy) shows that you have taken your data processing into consideration. By means of an Internal Privacy Policy, you will be able to identify what measures are taken within your organisation to protect personal data. The Data Protection Policy shows how your organization handles the processing of personal data, more specifically: how the organization ensures that the rules of the General Data Protection Regulation (GDPR) are observed in the processing of personal data. An Internal Privacy Policy is not mandatory for every organization, but it is recommended.

When is an Internal Privacy Policy required?

The General Data Protection Regulation (GDPR) requires an organization to develop and implement an Internal Privacy Policy when it is "proportionate to your processing activities". To assess this, it is necessary to consider the nature, scope, context and purpose of the data processing that takes place in the organization. In order to avoid being fined for non-compliance with the GDPR, we recommend that you always seek legal advice in assessing whether or not to draw up and implement an Internal Privacy Policy.

Is your organization not required to draw up a privacy policy? Even then, it may still be advisable to do so. First of all, this shows that you take the security of your customers', suppliers' and employees' personal data seriously and have thought about its protection. In addition, it makes clear to your employees how your organization handles the processing of personal data. As a result, they are more likely to comply with the standards of the GDPR.

What is the difference with the Privacy Statement?

The Privacy Statement is used for external purposes (informing customers/suppliers) and the Internal Privacy Policy is in principle intended for internal use (policy formulation and informing employees).

What is stated in an internal privacy policy?

The GDPR does not specify what exactly should be included in the Internal Privacy Policy. In any case, the Data Protection Policy should show how you intend to comply with the GDPR within your organization.

Tips for drafting the internal privacy policy

The Dutch Data Protection Authority has made a number of recommendations for the preparation of an Internal Privacy Policy. These are briefly described below:

  1. Assess whether you are actually required to draw up an Internal Privacy Policy;
  2. Call in a specialist, for example a Data Protection Officer. He or she can advise you on the preparation of the Internal Privacy Policy and verify whether or not your organization as a whole complies with the policy;
  3. Record the Internal Privacy Policy in a single document. In this way, fragmentation of information is avoided and the people within your organization can clearly and easily find out what the policy is;
  4. Be concrete. A proper Internal Privacy Policy translates the GDPR standards into the data processing within your organisation. It is more than just adopting the standards from the GDPR. It must state how these standards are complied with within your organisation; and
  5. Ensure that everyone in your organisation is familiar with the Data Protection Policy. There is no obligation to publish the Data Protection Policy externally, but this is recommended in some cases in the context of transparency.

Contact us

We at Legal Q can assess if your organization is required to develop and implement an Internal Privacy Policy. We can also advise you on the preparation of an Internal Privacy Policy. For more information about this service or if you have any other questions about the GDPR, please feel free to contact us.


