• explain the purpose of a privacy policy

    A privacy policy is a legal statement outlining the purpose of the collection and use of personal data by an organisation. The purpose of a privacy policy is to ensure transparency by disclosing certain information and to obtain the informed consent of the users whose data is being collected.

    The importance of a privacy policy

    The right to privacy and data protection is a hallmark of a democratic society. Since the introduction of the GDPR, organisations have become more aware of the rights of individuals. Businesses that collect and use personal data need to be transparent about their motives.

    A privacy policy is more important than ever before, and organisations are now required to ensure that their data collection practices comply with the GDPR. An organisation that does not publish a privacy policy is non-compliant with Articles 13 and 14 of the GDPR and is hence in danger of facing legal action.

    Why do you need a privacy policy?

    Nowadays, organisations collect a whole range of information, both personal and non-personal. Data items such as names, addresses, email addresses and other contact information satisfy the definition of personal data and hence fall under the scope of the GDPR.

    If you are operating your business within the EU and have clients, users or members in the EU, you must comply with the provisions of the GDPR to avoid violations of the law.

    The GDPR requires companies to be transparent about what they do with this data and how the data is gathered, and to make sure that it is processed in a fair and transparent manner. This creates the imperative to publish a privacy policy, so that visitors and users of the website can make an informed decision when providing their personal data.

    What is a GDPR-compliant website privacy policy?

    The GDPR has created a whole range of privacy rights and protections for individuals, and consequently organisations are obliged to become compliant or face legal action. A GDPR-compliant privacy policy is one that fulfils all the requirements of Articles 13 and 14. These requirements are presented in detail in the coming sections of this post.

    What, When and How of a privacy policy

    What

    You need to assess your data processing operations and decide on the following crucial factors, which form the heart of a privacy policy as laid out in Articles 13 and 14 of the GDPR.

    1. The identity and contact details of your organisation
    2. The identity and contact details of your Data Protection Officer, if you have one
    3. The categories of personal data involved
    4. The purpose of processing each category of personal data
    5. The legal basis for each stated purpose of processing
    6. If you rely on “legitimate interest” as the lawful basis of processing, a clear statement of those legitimate interests
    7. The fact that you share, or intend to share, personal data with other entities or affiliate organisations in your group
    8. The likely retention period of the data
    9. The existence of the rights of data subjects and how they can exercise those rights
    10. If you rely on “consent” as the legal basis of processing, the existence of the right to withdraw consent at any time
    11. Whether you use personal data for profiling and automated decision making, with detailed reasons behind such processes and their significance and consequences
    12. Clarity regarding the personal data of children, and how consent will be obtained
    13. An explicit statement about the use of third-party website links
    14. Details regarding cookies, if used on your website: how they work and what information they collect
    15. Clear advice to data subjects about their “right to complain” to the Data Protection Authority

    When

    Article 13(1) and (2) of the GDPR state that data controllers need to publish the necessary information at the time the data is being collected. In the case of a website, visitors must be able to easily access and comprehend the privacy policy before you ask them to provide any personal information.

    You need to update your privacy policy whenever the scope and extent of your data processing activity changes, for example:

    • The categories of personal data expand to include more data items and/or the gathering of special categories of personal data
    • You find that the information is being used for an unanticipated or unintended purpose
    • You intend to share information with any third party that users
    • You intend to transfer personal data outside the EU
    • You employ a third-party data processor

    How

    Article 12 of the GDPR requires organisations to present their privacy policy in the following manner:

    • Transparent
    • Easy to understand
    • Concise and in clear language
    • Easily accessible
    • Free of charge
    • Adopting a clear strategy for communication between parties
    • Avoiding the use of false or misleading information

    What to do now?

    • Organisations need to understand the importance of having a privacy policy. If you do not have one, we strongly advise you to put one in place: assess your data processing operations and draw up a GDPR-compliant privacy policy.
    • If you already have a privacy policy, review and update it in accordance with the requirements of Articles 12, 13 and 14 of the GDPR. Refer to the “What, When and How” section of this post for detailed guidance.

    Seers also provides expert advice, GDPR consultation and guidance in drafting privacy policies. If you need any help or guidance with your privacy policy, feel free to contact us.
