Are you wondering what kind of information should appear on your privacy policy page? We've got you covered!

There are many good practices in the preparation of the privacy policy document which depend on different factors, including the target audience, the type of data collected and the sector in which your company operates. For example, you will not provide the same information if you collect and process medical data or sell clothing.

Continue reading for more tips on how to write a privacy policy page.

What is the purpose of a Privacy Policy?

The purpose of a privacy policy is to inform data subjects about the processing operations that are carried out with regard to their personal data.

When providing this information, beyond questions of content and form, keep in mind one of the key principles of the European Data Protection Regulation (referred to as the “GDPR”) that will govern the writing of your policy: the principle of transparency. This principle requires a company to provide full information about the processing operations that will be carried out. People need to know why and how their personal data will be used.

Methodology for clear and transparent information

In order not to forget anything, the idea is to work in stages by drawing up a checklist of the points that a privacy policy must respect, both in terms of content and form.

You can also group the information by theme.

1. The data controller

The first group concerns information related to the controller, i.e. the identity and full contact details of the person (natural or legal) processing the data, as well as, where applicable, the identity of their Data Protection Officer if they have appointed one.

2. Type of processing, legal basis and purposes of the processing operations

The second group of information concerns the types of processing, the legal bases for justifying them and the purposes, the “raison d’être”, of these processing operations.

It’s also necessary to add the specific details of each legal basis for processing.

  • In practice, if your company justifies the processing of personal data on the legal basis of consent, it should be specified that consent may be withdrawn at any time.

  • Similarly, if your company justifies processing on the legal basis of its legitimate interests, the privacy policy should indicate the various legitimate interests pursued by the company.

3. The rights of the persons concerned

The third group concerns the rights of data subjects. The privacy policy must contain an explanation of the existence of the various rights recognized by the GDPR.

In this group of information, it is important to remember to explain whether automated decisions, i.e. decisions made without any human intervention (for example, only through an algorithm), are made within your company. If your company makes this type of decision, it will be necessary to provide information on the underlying logic, importance and envisaged consequences of this processing operation for the data subjects.

A reference should also be added to the possibility of lodging a complaint with the competent supervisory authority in relation to the processing operations carried out.

4. Data transfers

The fourth group concerns data transfers by your organisation both within the European Union and outside the European Union.

Regarding transfers within the European Union, it must be specified who the recipients of the data are, i.e. “the natural or legal person, public authority, service or any other body receiving communication of personal data” (Article 4, point 9 GDPR).

Concerning transfers of data to a third country or international organisation, natural persons should be informed of the existence of an adequacy decision or the use of appropriate safeguards, or derogations when applicable.

5. Categories of collected data

The fifth group of information concerns data. Namely:

  1. Which type of data is collected, for example, identification data (surname, first name, address) or financial data (bank account number).
  2. The length of time for which these personal data are kept.
  3. Your company must inform the data subjects about the obligations to provide personal data as part of a contract. In this case, it should be explained whether or not providing personal data is a condition of the service and what the consequences are in the event of a failure to provide such data.
  4. Your company must specify the legal or regulatory obligations related to the provision of personal data.

How to communicate this information?

Information should be provided, in principle, in writing or electronically when appropriate.

  • Information should be provided in a concise, transparent, understandable and easily accessible form, using clear and simple terms. It must also be adapted to the target audience and the company’s activity. In addition, on a website, the privacy policy must be easily accessible from each page of the site and at all times.
  • The best way to proceed is to put yourself in the shoes of the people concerned by this policy: the people whose personal data your organisation collects and processes.
  • A good way to work is to combine different levels of information, leaving the possibility for the people concerned to click on a specific theme in order to get information. It is also possible to pass messages through the use of icons or pictograms.
  • You may also have the privacy policy tested by individuals to assess whether it is clear and easily understandable.

Is it completely done once finished?

Not quite. The ideal would be to review the privacy policy on a regular basis to be sure that it is complete, easily understandable and transparent.

During this review, your company will be able to take into account the various requests or comments that have been made on the clarity of the policy and, possibly, integrate developments in terms of data collection and processing.

Furthermore, if your company intends to carry out a processing operation for a purpose other than that for which the personal data were initially collected, the data subject must be informed in advance.

For example, if you first collected email addresses for the purpose of creating a personal account on your website (1st purpose) but then want to use the same email address to send newsletters (2nd purpose), you should inform the data subjects using clear information.

When do I have to provide the information when I collect personal data directly from individuals? The information must be provided at the time the controller collects the data.

Do I always have to inform the people concerned? No, you do not have to provide the information to the data subjects if they already have adequate information.

*

With a good checklist and an adapted methodology, you have everything you need to create an excellent privacy policy!


This article has been brought to you by Frédéric DECHAMPS, Nathan VANHELLEPUTTE & Adeline BALZA, lawyers at Belgian Law Firm Lex4u.