- To be transparent
- Because the law says so
What type of personal data do you collect?
Be clear about what type of personal data you collect from visitors.
These data may include name, address, email address, IP address, phone number, etc. that can be used to identify an individual, with or without additional data.
How do you collect personal data?
There are several ways you can collect personal data from users. Some of them include cookies, forms, newsletters, surveys, payment gateways, etc. Mention them so that the users are aware of them.
Why and how will you use the personal data?
To be transparent about your processing methods, you need to explain why you want to collect personal data. Users must be aware of what purpose their personal data will serve.
You must inform the users of how you are going to use the collected data, i.e., be clear about your processing methods.
If you are sharing the information with third-party services, you must clearly mention it too.
If the users have any questions about the way you deal with their personal data, they must be able to ask you. For that, you should provide details of the site administrator or any contact point.
Contact details may include name, address, email address, or phone number.
- The contact details of the website owner or the data protection officer (if appointed).
- The purpose of processing personal data. If there is any lawful basis for processing the data.
- If there is any legitimate reason for processing the data by you or any third party.
- Any recipient or categories of recipients of the users’ personal data.
- If the data needs to be transferred to a third country or international organization, and if so, what are the safeguard measures taken by you to protect the data?
- How long you will store the data and the criteria used to determine the retention period.
- The rights of users that they can exercise.
- The right to withdraw consent at any time, if applicable.
- The right to lodge a complaint with a supervisory authority that monitors the implementation of GDPR.
- If the processing of personal data is necessary for completing a contract or required by law. If so, what will be the possible consequences of not providing the data?
- Automated decision-making, including profiling, if involved, and in such a case, what are the significance and consequences of such a setup?
Apart from these:
- All the above details must be provided in a concise, transparent, intelligible, and easily accessible form.
- The language of the policy must be clear and plain, especially if it is addressed to a minor.
- Any updates to the policy must be made clear with the date when it was modified.
Some Examples of GDPR-Complying Privacy Policies
Here are links to some of the well-written privacy policies that you can refer to: