Table of Contents Table of Contents
Previous Page  124 / 192 Next Page
Show Menu
Previous Page 124 / 192 Next Page
Page Background

privacy policy statement in compliance with DPP5.


DPP5 does not require the data user’s policies or practices to be laid down in writing.

However, in order to effectively communicate its data handling policies and practices

and for the avoidance of doubt, it is proper and prudent to have a written statement,

which is commonly known as a Privacy Policy Statement, or in short, “PPS”. A PPS should

be made generally available to anyone, in an easily accessible manner, whether

personal data is collected by the data user in the physical or in the online world, directly

from the data subject or otherwise.


The PPS should be presented in an easily understandable and readable (if in writing)

manner, taking into account factors such as content, language and font size used. Data

users should avoid using technical or legalistic terms that may not be easily understood

by the data subjects.


Where different PPSs are used by the data users for performing different functions and

activities, the data users should consider consolidating and/or rearranging the PPSs so

that they are clear and easily accessible.

What Goes into a PPS?


In order to meet the requirements of openness and transparency under DPP5, a PPS is

required at all times if a data user controls the collection, holding, processing or use of

personal data. The PPS covers generally a wider scope than a PICS and, in addition to

some of the core elements of the latter, includes other privacy related policies and

practices such as data retention policy, data security measures, data breach handling,

and the use of special tools such as cookies on websites. The essential difference

between the two is that a PICS is provided by a data user to a data subject when his

personal data is being directly collected whereas a PPS is a general statement about a

data user’s privacy policies and practices in relation to the personal data it handles.



Typically, a PPS may contain

• a statement of policy which expresses a data user’s overall commitment to

protecting the privacy interests of the individuals; and

• a statement of practices which include the kind of personal data held by the data

user and the purposes for which it uses the data.

The kind of personal data collected should depend on the actual operational needs of

the data user. For instance, they may include identification information, contact details,

financial data, location information, and/or browser details. Common purposes for

which these types of personal data are used may include the delivery of goods or

services, the management of accounts, the processing of orders, the facilitation of



AAB No.233/2013

, the AAB took the view that a data user is not required to supply a tailor-made PPS to a particular

data subject in particular circumstances but to cover the information regarding its privacy policies and practices, the

types of personal data it held and main purposes of use for complying with DPP5.