Your privacy policy is your way to fulfill your obligation to let your data subjects know that you are collecting personal data about them, how it will be used, and what their rights are. We agree to them (or not) almost every time we enter and use a website (particularly since the General Data Protection Regulation (GDPR) came into force in May 2018). However, the idea of creating one's own privacy policy can be daunting. Keep reading as we explain what your privacy policy must include and how it must be written (according to Articles 12, 13, and 14 of the GDPR).
First, bear in mind the style in which you write your privacy policy. It must be “concise, transparent, intelligible, and easily accessible”. You must make sure that your data subjects will be able to understand the policy, for example, by avoiding overly technical vocabulary and by using lists or tables to facilitate comprehension.
Also, think about the language your data subjects speak. How can you best communicate this information to them?
If your content or service is directed at children, you must adapt your language appropriately.
Similarly, the privacy policy should be easy to find, so you’ll want to create a specific web page just for your policy. Don’t distract from the content of the policy with adverts or with images that might interfere with access on some browsers.
If you are unsure of what counts as ‘personal data’ and who ‘data subjects’ are, check out our post about the GDPR and what it means for you, and then come back.
The identity and contact details of the data controller: this includes the name, address, email address and phone number of the company or of its representatives. If the data controller is not established in the European Union, a representative in the Union must be designated and indicated here.
If you are a public authority/body, or if you process special categories of personal data or carry out systematic monitoring on a large scale, you’ll have a data protection officer, whose contact details should also be included.
You must choose at least one of the legal bases for the collection and processing of data outlined in the GDPR which legitimises your actions. Note that you will need additional bases for legitimation if you are processing one of the special categories of data (health, religion, etc.) or data about crimes and criminal offences.
Here, you have to outline the objectives. Why are you collecting and processing this personal data?
It’s a good idea here to set out all of the different ways that you and your website collect data. For example:
Three purposes that you have no doubt seen being used are analysis of user behaviour for website optimisation, the design of more personalised content, and marketing.
Note that if you have chosen ‘legitimate interests’ as your legal basis for processing, you should specify what these legitimate interests are at this point, and check that they do not override the interests and fundamental rights of the user.
If you send the personal data that you collect to third parties or third countries, you must make that clear at this point. For example, if you use online payment platforms or external contractors who receive personal data about your data subjects, this will apply to you.
Don’t forget cookies, social buttons and plugins. In the case of cookies, you must get user consent before you use any cookies except those which are strictly necessary, and you must make your data subjects aware of the types of data the cookies track and the purpose of collecting that data.
If you will be transferring data to a third country or international organisation, you will need to outline the existence or absence of an adequacy decision by the European Commission or make reference to the appropriate safeguards put in place and where to find them.
How long will you store the data? The time frame cannot be indefinite; it has to be reasonable, taking into consideration your purposes.
If you can’t give an exact time frame, refer to the criteria used to determine the time frame. For example, do you have any data that is automatically set to delete after a certain period of time? Is a certain type of data only stored and processed under a certain condition?
The people whose personal data you are collecting have rights of their own, and these must be made clear. For example, they have the right to request that the controller give them access to the personal data held about them, or rectify or erase that data. They can restrict the processing of their data, object to it, or request that the data be transferred to someone else. If they have consented to data processing, they can withdraw that consent at any time, and they have the right to lodge a complaint with a supervisory authority.
If the provision of personal data is a statutory or contractual requirement, or is necessary in order to enter into a contract, that must be referred to here, outlining whether the data subject is obliged to provide that data and what the possible consequences would be if they didn’t provide that data.
Where automated decision-making exists, meaningful information must be provided about the logic involved in that decision-making and about the significance and envisaged consequences of that processing. Bear in mind that, pursuant to Article 22 of the GDPR, data subjects have the right not to be subject to such decision-making unless it is necessary for a contract between them and the data controller, is authorised by the EU or the Member State whose law the controller is subject to, or is based on the data subject’s explicit consent.
You will also want to bear in mind that, according to Article 21 of Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico, electronically sending advertising or promotional communications that have not previously been requested or expressly authorised by the recipients is prohibited. There is an exception if you have a contractual relationship with the data subject. Nonetheless, the service/good being promoted must be sufficiently similar to that of the original contract, and the data subject must be given the opportunity to object to such promotion both when the data is first collected and each time promotional communications are sent.
Your privacy policy is an excellent opportunity for you to make clear, both to yourself and to your clients/users, exactly what data you are processing and why you are processing it, as well as what your obligations are and what your data subjects’ rights are. This fosters a more transparent and trusting relationship between yourself and your clients/users, and protects all of our personal data more generally.
If after reading this article, you still feel a little overwhelmed by the concept of the GDPR and its resulting obligations, we can help you. We offer advice on how to implement the GDPR in Spain.