Most companies collect and store personal data about other people. If you do, you need a privacy policy. Read this guide to learn how to draft one.
Disclaimer (16 October 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant. Please also keep in mind that this guide is not exhaustive and that more requirements might be applicable.
The majority of websites in the EU have a privacy policy. The reason is that almost all companies - no matter their size - hold data about other people, e.g., their name and email address. If your company holds this type of information, you need a privacy policy. Read this guide to learn how to draft a privacy policy and what you need to include.
In the following guide, you can learn about how to draft your privacy policy. However, in light of this legal document's importance, we recommend that you either get help from your attorney or find a solution that can help you.
We will cover the following topics in this guide:
The privacy policy is also often referred to as a "privacy notice" or "privacy information". Here we use the term "privacy policy". All of these documents refer to information about why you need people's personal data, what you are using it for, how long you're going to keep it for, and whether you'll share it with anyone else.
Copying a privacy policy from another website isn't a good idea.
The reason is that the privacy policy is an essential document. The document describes to your website visitors, users, customers, etc., how you process their personal information, for what purposes, for how long, and what security measures you have in place.
You are legally required to tell your users how you process their personal information. When you copy the document from someone else, the privacy policy is unlikely to match how you actually handle data - and that can put you in violation of the GDPR.
Therefore, you should spend some time on this to make sure that you get it right.
Before you begin drafting your privacy policy, start by figuring out the following:
Here you need to think about each of the types of people you collect data from. For example, your website visitors aren't providing the same data as your customers. There is a difference, and you need to make sure that you have an overview of each of these groups. Many companies have the following groups they collect data from:
You need to find out what data you collect about the different types of people.
As an example, you would normally collect the following information about your customers: name, email, telephone number, address, country, title, when they signed up for your service, what company they work for, etc.
For website visitors, you might collect data such as: the computer's Internet Protocol (IP) address, the user's browser type and version, the user agent, the pages the user visited, the time and date of their visit, the time spent on each page, and other details.
You are probably using personal data for many different things. It's very important that you look at how data flows in your company and think about what you use it for.
Here you also need to remember that you use the different groups' data for different things. The data you collect when people visit your website is used for different purposes than the data you collect when they contact your support team. So take some time to describe the different purposes.
Here's an example of what you could write regarding the purposes of data collected about your customers:
"If you contact our support team, we'll also collect the data you provide us when you contact us, e.g., what's wrong, how we can help you, and when a complaint was filed. We do that in order to handle your complaint and provide you with support."
This section should be about the lawful bases you rely on for the processing of the personal data. The different types of lawful bases are described in the General Data Protection Regulation (GDPR).
Here are some examples:
Remember, if you are processing data on the basis of consent, you also need to tell people that they can withdraw their consent and also explain how they can do this.
You need a data retention policy for all personal data you collect: an overview of how long you keep each type of data. Your privacy policy should state the retention period for each type of data that you mention in it.
Additionally, the GDPR outlines that you can only keep data for as long as there is a "need to have" it, a "nice to have" is not enough.
The safety and security of the personal data that you process need to be described in your policy. So describe how you store the data and how you intend to securely destroy or dispose of it.
You can consider describing your security practices in a security white paper or a data practices & security document. This white paper should be placed on your website so your users can read about your security and data practices.
You need to include information about who you share the data with in the privacy policy.
The privacy policy also has to include information about people’s rights.
These rights include:
Remember that you need to respond to the user within a month.
Your privacy policy has to contain information about how people can complain about the data processing activities.
This section needs to include information about how they can contact you and also which data protection authority they can complain to. The information about the data protection authority should include its address, phone number and a link to its website.
You should insert your business’ contact details. This includes your company name, address, email address, phone number and web address.
You need to include the date you completed the privacy notice.
Also remember that you need to:
An example of a link to a privacy policy in Openli's consent solution:
Your company's privacy policy should be available on your website. You need to make sure that it is available in all the places where you collect personal data, e.g., sign-up forms, newsletter pop-ups, etc.
You need to be able to prove that you gave your users the option to read the privacy policy at the time their consent was given.
Want to learn more about GDPR and compliance? We have compiled an in-depth article about website compliance, where you can find out more about the compliance elements and legislation you need to comply with as a website owner.