Who we are?
Indicate the name and contact details of the data controller. This will usually be your business or you, if you are a sole trader. Where applicable, you must include the identity and contact details of the controller's representative and/or data protection officer.
What information do we collect?
Specify the types of personal information you collect, for example names, addresses, usernames, etc. You must include specific details about:
how you collect data (for example, when a user registers, purchases or uses your services, fills out a contact form, subscribes to a newsletter, etc.)
what specific data you collect through each of the data collection methods
if you collect data from third parties, you must specify the data categories and source
whether you process personal data or sensitive financial information, and how you handle it
You can provide the user with relevant definitions regarding personal data and sensitive personal data.
How do we use personal information?
Describe in detail all the service and commercial purposes for which you process the data. For example, this may include items such as:
personalization of content, commercial information or user experience
account creation and administration
marketing and event communications
carrying out polls and surveys
internal research and development
provision of goods and services
legal obligations (e.g. fraud prevention)
internal audit requirements
Please note this list is not exhaustive. You will need to register all the purposes for which you process personal data.
What legal basis do we have for processing your personal data?
Describe the relevant lawful bases for processing set out in the GDPR. There are six possible legal grounds:
consent
contract
legitimate interests
vital interests
public task
legal obligation
Provide detailed information on any grounds that apply to your processing, and why. If you rely on consent, explain how people can withdraw and manage their consent. If you rely on legitimate interests, clearly explain what they are.
If you process special category personal data, you will need to satisfy at least one of the six processing conditions, as well as additional requirements for processing under the GDPR. Provide information on any additional grounds that apply.
When do we share personal data?
Explain that you treat personal data confidentially and write down the circumstances under which you might disclose or share it. For example, when necessary to provide your services or conduct your business operations, as set out in your processing purposes. You must provide information on:
how you will share the data
what guarantees you will have in place
with which parties you can share the data and why
Where do we store and process personal data?
If applicable, explain whether you intend to store and process data outside the data subject's country of origin. Describe the steps you take to ensure that the data is processed in accordance with your privacy policy and the applicable law of the country where the data is located.
If you transfer data outside the European Economic Area, write down the measures you put in place to provide an appropriate level of data privacy protection. For example, contractual clauses, data transfer agreements, etc.
How do we secure personal data?
Describe your approach to data security and the technologies and procedures you use to protect personal information. For example, these could include measures:
to protect data against accidental loss
to prevent unauthorized access, use, destruction or disclosure
to ensure business continuity and disaster recovery
to restrict access to personal information
to conduct privacy impact assessments in accordance with the law and your company's policies
to train staff and contractors in data security
to manage third party risks, through the use of contracts and security reviews
Please note this list is not exhaustive. You must record all mechanisms you rely on to protect personal data. You should also indicate whether your organization meets certain accepted standards or regulatory requirements.
How long do we keep your personal data?
Provide specific information on how long you will retain the information in relation to each processing purpose. The GDPR requires you not to keep data for longer than reasonably necessary. Include details of your data or records retention schedules, or link to additional resources where they are published.
If you cannot indicate a specific period, you must define the criteria you will apply to determine the retention period of the data (for example, local laws, contractual obligations, etc.).
You should also describe how you securely dispose of data when you no longer need it.
Your rights regarding personal data
Under the GDPR, you must respect the right of data subjects to access and control their personal data. In your privacy notice, you should describe their rights with respect to:
access to personal information
correction and deletion
withdrawal of consent (if processing is based on consent)
data portability
restriction of processing and objection to processing
lodging a complaint with the Information Commissioner's Office
You must explain how individuals can exercise their rights and how you plan to respond to data subject requests. Indicate whether any relevant exemptions may apply and define the identity verification procedures you will rely on.
Include details of the circumstances in which the data subject's rights may be limited, for example if responding to the data subject's request may expose personal data about another person, or if you are asked to delete data that you are required to keep by law.
Use of automated decision making and profiling
When you use profiling or other automated decision-making, you must disclose this in your privacy policy. In such cases, you must provide details of the existence of any automated decision-making, together with meaningful information about the logic involved, and the significance and likely consequences of such processing for the individual.
How to contact us?
Explain how the data subject can contact you if they have questions or concerns about your privacy practices, their personal information, or if they wish to file a complaint. Describe all the means by which they can contact you – for example online, by e-mail or by post.
If applicable, you may also include information about:
Use of cookies and other technologies
You may include a link to additional information or describe in the policy whether you intend to set and use cookies, tracking technologies and similar tools to store and manage user preferences on your website, serve advertising, enable content or analyze user and usage data. Provide information about the types of cookies and technologies you use, why you use them, and how someone can control and manage them.
Link to other websites/third party content
If you link to external sites and resources from your website, please clarify whether this constitutes an endorsement and whether you take any responsibility for the content of (or information contained in) any linked website.