What is a privacy policy and what should it contain?
Briefly, a Privacy Policy is a statement that specifies how a data controller collects, stores, and processes the personal data provided by the users of a website. As required by the EU General Data Protection Regulation (GDPR), data controllers should provide certain information to individuals whose personal data is held and used for specific purposes.
The definition of personal data includes names, addresses, IP addresses, telephone numbers, date of birth, and financial information, such as debit or credit card details. The GDPR emphasizes that you should be clear about how you collect, process, and use personal data by providing detailed information through the Privacy Policy contained in your business’ website.
There are some types of information that must always be included in the Privacy Policy, while the provision of other types of information is dependent on the specific circumstances of your business and how and why you process personal data.
You will see below a basic list of information that you need to provide and what to tell people as part of the Privacy Policy published on your website:
| What information do you need to provide? | What should you tell people? |
| --- | --- |
| The name and contact details of your organisation | You should tell people who you are and how individuals can contact your organisation. |
| The contact details of your data protection officer | Certain organisations are required to appoint a DPO. If your organisation has a DPO, you should tell individuals how they can contact your data protection officer. |
| The type of personal information you collect | You should tell people the type of personal information you collect (for example, customer names, addresses, financial information, website usage statistics). |
| The purposes of the data processing | You should explain why you use personal data. This may include different reasons, such as marketing and order processing. |
| The lawful basis for the processing | You should clearly state which lawful basis you are relying on in order to use personal data. The lawful bases for processing are set out in Article 6 of the GDPR and include, but are not limited to, consent, contract, and public task. |
| The recipients, or categories of recipients, of the personal data | If you are sharing personal data with third parties, you must have consent from the individual. You should provide the details of those third parties to the individuals. |
| The retention periods for the personal data | You should specify how long you keep the personal data you have collected. |
| Individuals' rights in respect of the processing | You should state which rights individuals have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, and the right to withdraw consent. |
Please note that the above is an illustrative list; the exact content of a Privacy Policy depends on the website that it relates to, the information collected, and how it is processed.
The businesses that collect and process data are responsible for complying with the GDPR. You must be able to demonstrate compliance with the data protection principles. Please feel free to contact us to take appropriate technical and organisational measures and to ensure that your activities involving personal data are carried out in compliance with data protection legislation.
If you would like any more information relating to this article then please feel free to contact me: Telephone – 020 8221 8057, via email: ozgecan.sozeri@bowlinglaw.co.uk or visit my profile.
This is not legal advice; it is intended to provide information of general interest about current legal issues.