What is a Privacy Policy
A privacy policy is a document drawn up by an organization that processes personal data, setting out how user data is handled. More specifically, this policy sets out how data is collected, used, or stored, and the rights of individuals regarding their data. It also sets out how the organization will meet its legal obligations, and how people sharing their data can exercise their rights of recourse if the organization fails to meet its obligations.
Thus, the privacy policy reinforces the trust between the user and the organization that collects and uses his or her personal data. It also makes it possible to distinguish organizations that attach the greatest importance to protecting their users’ data from those that do not. For example, a website that does not inform its users that it collects data, or that conceals its privacy policy, is likely to be seen as unreliable.
Is it mandatory to have a privacy policy?
Although most websites use a privacy policy, the GDPR does not require the data processor to provide legal information in the form of a charter. The privacy policy developed out of practice. Regulations usually impose on any organization that processes personal data an obligation to transmit a certain amount of information, without requiring any specific way of presenting that information.
Indeed, the data processor is subject to an obligation to provide information, as introduced by Articles 13 and 14 of the GDPR[1]. This obligation applies regardless of the organization’s size or sector of activity. The list of information to be shared is exhaustive, and the scope of the obligation depends on whether the data is collected directly or indirectly. This means that the content of the information is not the same depending on whether the data has been collected directly from the user or via a third party.
What is the purpose of a privacy policy?
The GDPR has introduced a number of principles that any organization processing personal data must abide by. Many obligations arise from these principles. Compliance with such obligations usually requires the definition of an action plan and a set of processes. Among those principles is the obligation to guarantee the transparency of processing. To ensure effective transparency, information must be communicated in a way that is accessible and easy to understand.
A privacy policy must be drawn up, enabling data subjects to make informed decisions about whether to disclose their data. Thus, based on the information provided, data subjects can see what steps have been taken to ensure data protection and, to a certain extent, the organization’s level of compliance.
This principle of transparency also enables data subjects to decide whether they wish to exercise any of the rights conferred on them by the regulations. So, for example, a data subject can decide to object to processing.
What information should be included in your privacy policy?
The information to be included is almost identical for both direct and indirect data collection.
In the case of data collected from the data subject, the information concerns:
- the identity and contact details of the data controller or its representative
- contact details of the Data Protection Officer, where applicable
- the purposes of the processing
- the legal basis for processing
- the recipients or categories of recipients of personal data
- the fact that the data controller intends to transfer the data to a country outside the EU, and the reasons for this transfer, as well as the means of obtaining a copy of the data
- the legitimate interests pursued by the data controller or by the third party where the legal basis for processing is legitimate interest
- the data retention period or the criteria for determining it
- the rights to which individuals are entitled
- whether data collection is mandatory or optional, and the possible consequences of not providing data
- the existence of any automated decision-making, including profiling, and the underlying logic.
If the data has not been collected from the data subject, additional information is required:
- the categories of personal data concerned
- the source of the data
How to present your privacy policy
There is nothing in the regulations that specifies how the information must be communicated. However, it is mandatory to comply with a certain number of requirements linked to the way information is presented. Thus, under Article 12 of the GDPR[2], information must be transmitted “in a concise, transparent, comprehensible and easily accessible manner, in clear and simple terms”. These obligations imply adapting the form of presentation to the recipient of the information, “in particular for any information specifically intended for a child”.
For example, it is important to consider the difficulties one might encounter when reading the information displayed on an electronic medium. The user should not have to make an effort to assimilate all the information, and the data processor should ensure that the content is effectively understood.
What are the risks of not having a privacy policy?
In principle, any organization that processes and collects personal data is required to provide users with a document explaining how their data is processed.
In certain limited cases, the data processor is not obliged to display this information. For example, when data has been retrieved from a third party and the data subject already has this information, or when providing the information proves impossible or would require disproportionate effort, the organization is not obliged to provide the data subject with any information. In such cases, appropriate measures to protect the rights of individuals must be put in place. Other exceptions concern cases where obtaining or communicating the information is expressly provided for by EU regulations or by the law of an EU Member State to which the data processor is subject.
Failure to comply with this obligation can result in fines of up to 20 million euros, or up to 4% of worldwide annual revenues in the case of a company.
[1] GDPR, Articles 13 and 14
[2] GDPR, Article 12