skip to Main Content
+44 (0)1252 727980 CONTACT
HP’s Privacy Policy – Reviewed And Assessed

HP’s Privacy Policy – Reviewed and Assessed

This is a review of HP’s privacy policy, as it applies to the UK…and hence is under the requirement to meet the General Data Protection Regulation. It’s not a legal review and should not be construed as such. if you want a legal view, please speak with a suitably experienced and qualified lawyer.

I’m using a template of questions and making an assessment of HP’s adherence to each question, together with some commentary and my assessment of it adequacy of the policy as it applies to each element.

Overall, HP’s Privacy Policy is okay. Not brilliant by any means, but adequate. It mostly (apart from two omissions – explanation of Legitimate Interests and Retention Polices) meets the bare minimum and some aspects (the layout and use of English) are good – as you can read below.

The main issue is that it simply isn’t specific enough, when it comes to how it uses our data.

HP’s Privacy Policy

URL

https://www8.hp.com/uk/en/privacy/privacy.html

Content

Area

Present

Standard -Minimum  or Good

Note/Comment

Is HP’s Privacy Policy dated?

Y

Minimum

Month/year only and states ‘This policy becomes effective 30 days after posting’, but doesn’t make clear how this works in without an actual day date
Name and content details of the organisation

Y

Good

Includes electronic methods and address for written communications
Name and contact details of the representative (if applicable)

N/A

Contact details of Data Protection officer (if applicable)

Y

Minimum

Title and contact details provided
Purposes of Processing (what does the organisation do with Personal Data)

Y

Good

Includes a list of processing purposes
Lawful basis for the processing

Y

Minimum

Has a link to a processing matrix – http://www8.hp.com/us/en/pdf/privacy/HP_Privacy_Matrix.pdf

Does not specifically define which Lawful basis applies to each of the Personal Data collected. Simply groups the personal data and lists several lawful bases

Description of the legitimate Interests applied for processing (where used)

N

Legitimate Interests is listed as one of the lawful bases for processing but no additional description is provided
Categories of personal data obtained and the source, including whether it comes from publicly accessible sources (if the personal data is not obtained from the individual it relates to)

Y

Good for categories

Minimum for cookies

Describes the categories and provides examples. Explains where the data is provided directly, through use of HP services and (in general terms) where personal data is obtained from third parties

The policy has a separate section on cookies and other data collection methods (How we use automatic data collection tools) which explains the ways Hp and its advertisers use them, but provides no list of cookies and their ‘owners’

Recipients or categories of recipients of the Personal Data (who is the Personal Data given to or shown to?)

Y

Minimum

Uses general terms and descriptions e.g. ‘sharing information with advertisers’. No list of organisations with whom data is shared
Details of transfers of the Personal Data to any third countries or international organisations (if applicable) including the safeguards to be employed and how to access a copy of those safeguards

Y

Minimum

Operates under Privacy Shield and ‘Binding Corporate Rules’ https://www8.hp.com/uk/en/binding-corporate-rules.html but these aren’t specific in listing where personal data may be transferred to. Does provide links to copies of the safeguards. Also uses the commercial organisation TrustArc’s Truste privacy seal.
Personal Data retention periods or criteria used to determine the periods

N

‘We will keep personal data for no longer than is necessary for the purposes for which it was collected and then we will securely delete or destroy it’ is the only reference to retention periods
Notification of the rights to; request access, rectification, erasure of the Personal Data and to restrict processing or object to processing of the Personal Data as well as the right to data portability (as required)

Y

Minimum

All rights are listed and straightforward language is used
The right to withdraw consent (where applicable)

Y

Minimum

present
The right to lodge a complaint with a supervisory authority

Y

Minimum

Present – but no links provided
Details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to)

Y

Minimum

The processing matrix provides some information – listing ‘contract performance’ and ‘required by law’ within several of the activity areas…but again, nothing is specific
Details of the existence of automated decision-making, including profiling (if applicable)

N/A

Not mentioned
Details of any intention to further process the Personal Data for other purposes

N/A

Not mentioned
Inclusion of action to be taken by the organisation when receiving personal data about a data subject from a third party

Y

Minimum

Explains that data may be received from third parties and therefore relies (we assume) on this providing sufficient grounds to meet the requirement under Article 14 Para 5 that ‘the data subject already has the information’ by virtue of this privacy notice

Structure – HP’s Privacy Policy

Area

Present

Standard -Minimum  or Good

Note/Comment

Is there a summary?

Y

Minimum

Provides an overview of HP’s Privacy Principles
Does HP’s Privacy Policy provide information in a ‘layered’ way?

Y

Good

Yes – uses a concertina system to let you expand and contract the various sections, plus links to more detailed information on other pages or pdfs
Is it easy to read (e.g. does it use icons and pictures? Is it well designed?

Y

Good

Yes – a few icons, no pictures. Easy to read typography
Does it use clear and plain language?

Y

Good

Language is non-technical and avoids legal language
Does it work on mobile and tablets?

Y

Minimum

Responsive design except for the pdf document that provides more information about processing data, purposes and legitimate interests

This isn’t an assessment of what HP actually does with Personal Data – only of it’s Privacy Policy. However, having now read the policy, I’ve been disturbed to find out about some of the data that is seems to collect – and as an HP user (computers and printers) I now want to find out more about the data is has on me and my firm.

So I’ve submitted a Subject Access Request and will see what happens.

And if you want to know more about the GDPR and how to approach it, then read this…

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top

We use Google Analytics cookies to monitor site usage

Click OK to accept these cookies, or Decline if you are uncomfortable with them. This will prevent tracking and you can continue to use the site with no data sent to Google.