
What is a GDPR Privacy Policy?

The General Data Protection Regulation (GDPR) is a legal framework that aims to protect the privacy and personal data of individuals in the European Union (EU). For startups operating in the EU, GDPR compliance is essential. A privacy policy is a crucial document that outlines how an organisation collects, processes, and stores personal data.

Introduction

A GDPR privacy policy, which the regulation itself calls a privacy notice, is a legal obligation for all websites serving EU citizens, regardless of where the company is located. Websites use browser cookies to process personal data for statistical, functional, or marketing purposes, and that processing must be disclosed.

Under the EU GDPR, companies are required to develop a privacy policy that informs customers about how their personal data is managed. This enables customers to make informed decisions about the processing of their personal information. Failure to comply with the GDPR can result in substantial fines or even suspension.

For instance, Google incurred a €150,000 fine from the French data protection authority due to a privacy policy that failed to adequately inform users about the processing of their personal data. In a similar vein, Spain imposed a €90,000 fine on Google for a privacy policy that did not meet expectations.

Consequently, Google made substantial revisions to its privacy policy, particularly regarding the utilisation of information from cookies and Google account data.

This article explores the vital elements of a privacy policy and provides guidance on developing a GDPR-compliant privacy policy for your cloud-hosted company.

What is a GDPR Privacy Policy?

The GDPR privacy policy serves as a public document that details how your cloud-hosted company handles the personal data of users and other pertinent parties, while upholding the principles of data protection.

Articles 12, 13, and 14 of the GDPR set out detailed requirements for creating a privacy policy, which the regulation refers to as a ‘privacy notice’.

As per the GDPR, a privacy policy for cloud-hosted companies should:

  • Be easily accessible, transparent, and concise
  • Use clear and straightforward language, especially when addressing children
  • Be provided in a timely manner
  • Be available at no cost to the user

A GDPR-compliant privacy policy establishes trust between cloud-hosted companies and their customers by eliminating any ambiguity about how personal data will be utilised.

Moreover, it empowers customers to retain control over their personal data. If they are unsatisfied with how their data is handled, they can submit a data subject access request (DSAR) to the company, requesting the cessation of personal data processing.

Key Points

  • The GDPR mandates that cloud-hosted companies handling the data of EU citizens must communicate their data processing principles and procedures to customers through a privacy policy.
  • The GDPR privacy policy should be extensive, inclusive, and incorporate explicit clauses pertaining to the GDPR, including data subject rights and contact information for the Data Protection Officer (DPO) and/or EU/UK representative.

Why are GDPR Privacy Policies Important?

If your website collects personal data from customers, it is mandatory under the GDPR for your cloud-hosted company to have a privacy policy. Not only does a privacy policy fulfil legal obligations, but it also fosters trust with customers. In certain cases, other parties may also require you to maintain a privacy policy.

Failure to comply with GDPR privacy policy requirements can result in fines of up to 4% of your global revenue or €20 million, whichever is higher. Even for less severe violations, fines can still reach up to 2% of your revenue or €10 million, whichever is greater.

WhatsApp encountered a significant €225 million fine from the Irish data protection authority for inadequately explaining its data processing practices in its privacy notice. The company should have presented the notice in clear and accessible language.

Similarly, the Spanish data protection authority fined Caixabank €6 million for providing inconsistent and ambiguous information about its data processing practices in its privacy notice. The company had also relied on ‘legitimate interests’ as the legal basis for processing personal data without sufficient justification. Moreover, it failed to meet the transparency requirements outlined in Articles 13 and 14 of the GDPR.

In the event of a legal dispute regarding your data privacy practices and policies, the contents (or lack thereof) in your GDPR-compliant privacy policy will be subject to scrutiny.

What is the Role of a GDPR-Compliant Privacy Policy?

The purpose of GDPR consent is to enable EU citizens to understand how cloud-hosted companies utilise their personal data and provide a mechanism for them to lodge complaints if they believe their data is being mishandled.

The GDPR compliance checklist stipulates that communication about data usage must be specific and accurate. While the privacy policy itself may remain largely static, the section covering browser cookies should be updated regularly, and each individual user of the website must grant their permission. This information must be accurately recorded for the website owner and prominently displayed to users through cookie banners or pop-ups.

In this way, cloud-hosted companies can ensure that the cookie information they present remains current.

GDPR Privacy Policy Requirements For Your Website

Complying with the GDPR protects both EU citizens’ data and cloud-hosted companies themselves, the latter from legal action.

To draft a comprehensive privacy policy, you can utilise a GDPR privacy policy generator, example, or template provided by data protection experts. These resources assist in creating customised documents for your website and app, ensuring compliance with GDPR requirements.

Contact Details:

Article 13(1)(a) requires you to include the name, address, email address, and phone number of your cloud-hosted company, which acts as the ‘data controller’ responsible for deciding how and why personal data is processed. If you have appointed a Data Protection Officer (DPO) and/or a UK/EU representative, their contact information must also be provided, as required by Article 13(1)(b).

Types of Personal Data:

Clearly specify and detail every type of personal data your company processes, including cookie data and IP addresses. Even if individuals may never directly contact your cloud-hosted company, it is crucial to be specific about the data collected and the reasons behind its collection. This section can be further organised into subsections such as ‘Data you provide to us’ and ‘Data collected by our website,’ all presented in plain and understandable language, avoiding complex legal jargon.

Lawful Basis for Processing Personal Data:

In compliance with Article 13(1)(c), state the specific purpose(s) for processing personal data, ensuring you have a lawful basis for doing so under one of the six legal bases established in Article 6 of the GDPR. These include obtaining consent, fulfilling statutory or contractual obligations, legal requirements, public interest tasks, legitimate interests, and protecting vital interests.

Processing of Personal Data:

Explain in your privacy policy how personal data is processed, adhering to the principles of purpose limitation and data minimisation. Transparency is vital when sharing personal data, and it should be clearly outlined in your privacy policy. While listing specific company names is not mandatory, disclose the types of companies involved, such as mail carriers or payment processors. If personal data is transferred from the EU to a non-EU third country, detail the mechanisms employed for international transfers.

Data Retention Period:

In accordance with the principle of storage limitation, specify how long personal data will be retained. The retention period can be tied to how long the legal basis for processing remains valid, or to the period for which the data is needed for its stated purpose.

Data Subject Rights:

Include the eight rights granted to individuals under the GDPR in your privacy policy:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to be forgotten
  • Right of portability
  • Right to restrict processing
  • Right to object
  • Rights related to automated decision-making, including profiling

By incorporating these rights, individuals can be informed of their data rights and exercise control over their personal information.

Where to Display Your GDPR Privacy Policy?

To comply with GDPR requirements, it is essential to prominently display your privacy policy in areas where user data is collected, such as your website, mobile app, and other relevant locations.


Consider displaying your privacy policy in the following sections on your website:

Header menu: Place your privacy policy in the header menu for easy access from any page, ensuring visitors can quickly navigate to it.

Footer: Many websites feature the privacy policy in the footer, making it accessible from any page.

About Us: Display your privacy policy in the main menu under the ‘About Us’ section, providing convenient access to visitors from any page.

Checkout forms: Ensure visitors encounter your privacy policy during the checkout process by incorporating a checkbox with a statement like, ‘I have read and agreed to the privacy policy of this website.’ The transaction can only proceed if the checkbox is selected. Include a link to the privacy policy document for further guidance.

Mobile App:

For cloud-hosted companies with mobile apps, prominently display a clear link to your privacy policy within the app or on the app store listing.

Other Communications:

Include a link to your privacy policy in the footer of every automated email you send, particularly for direct marketing communications. This ensures recipients can easily access and review your privacy policy.


Creating a privacy policy is a vital legal obligation according to the GDPR. Even if not obligated, having a GDPR-compliant privacy policy is advisable. Nowadays, numerous privacy laws worldwide align with the GDPR, mandating cloud-hosted companies to inform customers about data privacy and processing principles through a privacy policy or notice.


How to update your privacy policy for GDPR?

If you have an existing privacy policy, you can follow these steps to ensure GDPR compliance:

  • Simplify the language and format of the document to enhance readability and comprehension.
  • Obtain GDPR-compliant consent for your privacy policy if you have not done so already.
  • Include additional clauses and information, such as specifying the lawful basis for processing data, outlining GDPR data subject rights, providing contact details for your Data Protection Officer (DPO) and EU representative (if applicable), and explaining the measures taken to safeguard international data transfers.

What is the GDPR privacy policy?

If your cloud-hosted company handles the data of EU citizens, it is mandatory to create a transparent and detailed privacy policy in accordance with the GDPR. Non-compliance with GDPR requirements can result in significant fines or even legal action.

How to create a privacy policy for a website for GDPR?

A privacy policy for a GDPR-compliant website should include the following sections:

  • Cloud-hosted company’s name and contact details
  • Name and contact information of the Data Protection Officer (DPO) and/or EU representative
  • Types of personal data that are processed
  • Legal bases for processing personal data
  • Data retention period for personal data
  • Categories of third parties with whom personal information is shared
  • GDPR data subject rights
