Disclaimer (16 October 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant. Please also keep in mind that this guide is not exhaustive and that more requirements might be applicable.
We will cover the following topics in this guide:
Therefore, you should spend some time on this to make sure that you get it right.
Here you need to think about each of the types of people you collect data from. For example, your website visitors aren't providing the same data as your customers. There is a difference, and you need to make sure that you have an overview of each of these groups. Many companies have the following groups they collect data from:
You need to find out what data you collect about the different types of people.
As an example, you would normally collect the following information about your customers: name, email, telephone number, address, country, title, when they signed up for your service, what company they work for, etc.
For website visitors, you could, e.g., collect this type of data: the computer's Internet Protocol (IP) address, the user's browser type and version, the user agent, the pages the user visited, the time and date of their visit, the time spent on each page, and other details.
You are probably using personal data for many different things. It's very important that you look at how data flows in your company and think about what you use it for.
Here you also need to remember that you use the different groups' data for different things. The data you collect when people visit your website is used for different purposes than the data you collect when they contact your support team. So take some time to describe the different purposes.
Here's an example of what you could write regarding the purposes of data collected about your customers:
"If you contact our support team, we'll also collect the data you provide us when you contact us, e.g., what's wrong, how we can help you, and when a complaint was filed. We do that in order to handle your complaint and provide you with support."
This section should be about the lawful bases you rely on for the processing of the personal data. The different types of lawful bases are described in the General Data Protection Regulation (GDPR).
Here are some examples:
Remember, if you are processing data on the basis of consent, you also need to tell people that they can withdraw their consent and also explain how they can do this.
Additionally, the GDPR outlines that you can only keep data for as long as there is a "need to have" it; a "nice to have" is not enough.
The safety and security of the personal data that you process need to be described in your policy. So describe how you are storing the data and how you intend to securely destroy or dispose of it.
You can consider describing your security practices in a security white paper or a data practices & security document. This white paper should be placed on your website so your users can read about your security and data practices.
These rights include:
Remember that you need to respond to the user within a month.
This section needs to include information about how they can contact you and also which data protection authority they can complain to. The information about the data protection authority should include its address, phone number and a link to the authority's website.
You should insert your business's contact details. This includes your company name, address, email address, phone number and web address.
You need to include the date you completed the privacy notice.
Also remember that you need to:
Want to learn more about GDPR and compliance? We have compiled an in-depth article about website compliance, where you can find out more about the compliance elements and legislation you need to comply with as a website owner.