HP’s Privacy Policy – Reviewed and Assessed
This is a review of HP’s privacy policy, as it applies to the UK…and hence is under the requirement to meet the General Data Protection Regulation. It’s not a legal review and should not be construed as such. If you want a legal view, please speak with a suitably experienced and qualified lawyer.
I’m using a template of questions and making an assessment of HP’s adherence to each question, together with some commentary and my assessment of the adequacy of the policy as it applies to each element.
Overall, HP’s Privacy Policy is okay. Not brilliant by any means, but adequate. It mostly (apart from two omissions – explanation of Legitimate Interests and Retention Policies) meets the bare minimum and some aspects (the layout and use of English) are good – as you can read below.
The main issue is that it simply isn’t specific enough, when it comes to how it uses our data.
HP’s Privacy Policy
URL
https://www8.hp.com/uk/en/privacy/privacy.html
Content
| Area | Present | Standard – Minimum or Good | Note/Comment |
| --- | --- | --- | --- |
| Is HP’s Privacy Policy dated? | Y | Minimum | Month/year only and states ‘This policy becomes effective 30 days after posting’, but doesn’t make clear how this works without an actual day date |
| Name and contact details of the organisation | Y | Good | Includes electronic methods and address for written communications |
| Name and contact details of the representative (if applicable) | N/A | | |
| Contact details of Data Protection officer (if applicable) | Y | Minimum | Title and contact details provided |
| Purposes of Processing (what does the organisation do with Personal Data) | Y | Good | Includes a list of processing purposes |
| Lawful basis for the processing | Y | Minimum | Has a link to a processing matrix – http://www8.hp.com/us/en/pdf/privacy/HP_Privacy_Matrix.pdf. Does not specifically define which Lawful basis applies to each of the Personal Data collected. Simply groups the personal data and lists several lawful bases |
| Description of the legitimate Interests applied for processing (where used) | N | | Legitimate Interests is listed as one of the lawful bases for processing but no additional description is provided |
| Categories of personal data obtained and the source, including whether it comes from publicly accessible sources (if the personal data is not obtained from the individual it relates to) | Y | Good for categories; Minimum for cookies | Describes the categories and provides examples. Explains where the data is provided directly, through use of HP services and (in general terms) where personal data is obtained from third parties. The policy has a separate section on cookies and other data collection methods (How we use automatic data collection tools) which explains the ways HP and its advertisers use them, but provides no list of cookies and their ‘owners’ |
| Recipients or categories of recipients of the Personal Data (who is the Personal Data given to or shown to?) | Y | Minimum | Uses general terms and descriptions e.g. ‘sharing information with advertisers’. No list of organisations with whom data is shared |
| Details of transfers of the Personal Data to any third countries or international organisations (if applicable) including the safeguards to be employed and how to access a copy of those safeguards | Y | Minimum | Operates under Privacy Shield and ‘Binding Corporate Rules’ https://www8.hp.com/uk/en/binding-corporate-rules.html but these aren’t specific in listing where personal data may be transferred to. Does provide links to copies of the safeguards. Also uses the commercial organisation TrustArc’s Truste privacy seal. |
| Personal Data retention periods or criteria used to determine the periods | N | | ‘We will keep personal data for no longer than is necessary for the purposes for which it was collected and then we will securely delete or destroy it’ is the only reference to retention periods |
| Notification of the rights to request access, rectification, erasure of the Personal Data and to restrict processing or object to processing of the Personal Data as well as the right to data portability (as required) | Y | Minimum | All rights are listed and straightforward language is used |
| The right to withdraw consent (where applicable) | Y | Minimum | Present |
| The right to lodge a complaint with a supervisory authority | Y | Minimum | Present – but no links provided |
| Details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to) | Y | Minimum | The processing matrix provides some information – listing ‘contract performance’ and ‘required by law’ within several of the activity areas…but again, nothing is specific |
| Details of the existence of automated decision-making, including profiling (if applicable) | N/A | | Not mentioned |
| Details of any intention to further process the Personal Data for other purposes | N/A | | Not mentioned |
| Inclusion of action to be taken by the organisation when receiving personal data about a data subject from a third party | Y | Minimum | Explains that data may be received from third parties and therefore relies (we assume) on this providing sufficient grounds to meet the requirement under Article 14 Para 5 that ‘the data subject already has the information’ by virtue of this privacy notice |
Structure – HP’s Privacy Policy
| Area | Present | Standard – Minimum or Good | Note/Comment |
| --- | --- | --- | --- |
| Is there a summary? | Y | Minimum | Provides an overview of HP’s Privacy Principles |
| Does HP’s Privacy Policy provide information in a ‘layered’ way? | Y | Good | Yes – uses a concertina system to let you expand and contract the various sections, plus links to more detailed information on other pages or pdfs |
| Is it easy to read (e.g. does it use icons and pictures)? Is it well designed? | Y | Good | Yes – a few icons, no pictures. Easy to read typography |
| Does it use clear and plain language? | Y | Good | Language is non-technical and avoids legal language |
| Does it work on mobile and tablets? | Y | Minimum | Responsive design except for the pdf document that provides more information about processing data, purposes and legitimate interests |
This isn’t an assessment of what HP actually does with Personal Data – only of its Privacy Policy. However, having now read the policy, I’ve been disturbed to find out about some of the data that it seems to collect – and as an HP user (computers and printers) I now want to find out more about the data it has on me and my firm.
So I’ve submitted a Subject Access Request and will see what happens.
And if you want to know more about the GDPR and how to approach it, then read this…