The ICO says:
“Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
You must provide privacy information to individuals at the time you collect their personal data from them.”
“You must actively provide privacy information to individuals. You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.”
Agencies can choose how to inform the individual of their privacy policy. When using the Consent approach, the Agency could use Adapt to inform the individual of the Agency's privacy policy as part of the ‘Consent/Permission Request’ workflow described above. Save the documents relating to the privacy policy and/or consent in the Office record of the Adapt user so that they are attached when the workflow is run.
Note: Please contact your Erecruit representative to save these documents for you.
When using the Legitimate Interest approach, Agencies can choose how to inform the individual of their privacy policy. They may choose to use the Adapt workflow ‘Consent/Permission Request’ and select the Permission Type of ‘Privacy Policy’ to send a link to their privacy policy (as described above).