Skip to content

menu

Open Legal Blog Archive logo
HomeAboutBlogsFAQsSubmit

Do companies have to create an internal privacy policy (not a privacy notice) under the ISO 29100 privacy framework?

By David A. Zetoony on April 28, 2021
shutterstock_1062285074

One of the provisions in the ISO 29100 privacy framework is that the top management of an organization should “establish a privacy policy” that, among other things:

  • Provides an internal organizational framework for setting objectives,
  • Includes a commitment to satisfy applicable privacy safeguarding requirements,
  • Includes a commitment to continual improvement.

The privacy policy envisioned under the ISO 29100 is not the same as public-facing privacy notices that are posted on company websites that explain to the public how personal information is collected, shared, and processed. Instead, it would be an internal company policy that is communicated within an organization and governs how the organization will handle personal information. The privacy policy is designed to be supplemented by more detailed rules and obligations, created by various stakeholders internally.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Privacy Dish
  • Organization:
    Greenberg Traurig, LLP
  • Article: View Original Source

Open Legal Blog Archive, Inc. logo
Seattle, Washington
Copyright © 2026, Open Legal Blog Archive, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo