10 Elements Every GDPR-Compliant Privacy Policy Should Have

Published: May 29, 2019 | Updated: June 5, 2019 | Category: GDPR

Gone are the days when privacy policies were so vague that only lawyers could understand them. In Europe, at least, we owe it to GDPR.

One of the reasons the EU introduced GDPR was to make people more informed and put them in control of how businesses collect, use, share, secure and process their personal data. Making privacy policies clear and comprehensive became one of the key requirements of the new law. Failure to comply with this provision can result in hefty fines or even prosecution.

If you haven’t done so already, it’s high time for you to review the contents of your privacy policy. In this post, we’ll show you how to write one that meets GDPR requirements.

A short disclaimer: Creating a consumer-friendly privacy policy is just one part of a larger strategy towards GDPR compliance. Here you can read more about how to adapt your processes to the requirements of the EU law.

GDPR privacy policy good practices

In GDPR, the main source of guidance regarding privacy policies is Article 12. Among other things, it tells us that communication regarding data processing must be:

  • concise
  • transparent
  • in clear and plain language
  • intelligible
  • easily accessible
  • free of charge

So, in other words, to comply with those provisions, you need to make sure that your privacy policy is:

  • written in simple language and presented in an accessible form – so that your users can easily understand it
  • comprehensive – so that it covers all aspects of your personal data processing activities, and
  • easily accessible – so it’s good to provide a link to the privacy policy both in the consent form (if you use one) and somewhere on your main page

Privacy policy: the 10 most important things to address

Now that you know how the document should be written, let’s see what it should include to meet legal requirements. We’ll also give you some real-life examples from our very own privacy policy to make things even clearer. Let’s go!

1) Who is processing the data

The first important thing to establish is who is actually collecting and processing visitors’ data.
Article 13(1)(a) of GDPR requires that you provide your users with:

“the identity and the contact details of the controller and, where applicable, of the controller’s representative”

That can be the name of your company, location, and contact information. We decided to address this requirement by disclosing the following data:

The data controller for (1) Marketing and Sales and (2) Piwik PRO product-related activities is the Piwik PRO group, which includes Piwik PRO Sp. z o.o. (ul. Św. Antoniego 2/4, 50-073 Wrocław, Poland), Piwik PRO GmbH (Lina-Bommer-Weg 6, 51149 Cologne, Germany) and Piwik PRO LLC (222 Broadway, 19th Floor, New York, NY 10038, United States). Learn more about the Piwik PRO group at https://piwik.pro/about/.

The data controller for (3) Recruitment is the Clearcode group, which includes Clearcode SA (holding company, ul. Św. Antoniego 2/4, 50-073 Wrocław, Poland), Clearcode LLC (222 Broadway, 19th Floor, New York, NY 10038, United States), Piwik PRO Sp. z o.o. (ul. Św. Antoniego 2/4, 50-073 Wrocław, Poland), Piwik PRO GmbH (Lina-Bommer-Weg 6, 51149 Cologne, Germany) and Piwik PRO LLC (222 Broadway, 19th Floor, New York, NY 10038, United States). Learn more about the Clearcode group at https://clearcode.cc/about/.

As you can see, we had to make a distinction between the data gathered for marketing and sales purposes and information used in recruitment processes. If your company’s structure is as complex as ours, you should provide the details of each entity that has access to such data.

A good rule of thumb is also to include details for contacting your DPO (if you have appointed one). In our privacy policy, it looks like this:

If you feel something is not addressed in this Privacy Policy or have further questions, our Data Protection Officer (DPO) can be reached at gdpr@piwik.pro.

2) What legal basis allows you to collect user data

Article 13(1)(c) of GDPR requires that you provide information on:

“the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”

There are six different legal bases for processing personal data. Two of them are particularly important for businesses – consent and legitimate interest.

In your privacy policy you should clearly state the chosen ground(s) for processing personal data and explain the reasoning behind each ground. Also, you should inform users about their rights to object to a certain type of processing and provide them with a way to do so (we’ll discuss this later on).

Want to learn more about the legal grounds for processing personal data? Read this: A Practical Guide to Acquiring Consent in the Age of GDPR.

As for our data processing, we decided that consent would be the best fit. Here’s how we present it to visitors:

We process personal data based on consent according to Art. 6(1)(a) GDPR, which you are free to give or refuse. You’ll see consent options when you visit our website for the first time. You can change your decisions at any time by clicking the button below. If you change your decision, it will not affect the lawfulness of processing based on consent before its withdrawal.

For solid guidance on legitimate interest, check out this extremely helpful document by the Information Commissioner’s Office (ICO).

3) What are the purposes of collecting the personal data

Another requirement resulting from Article 13(1)(c) of GDPR is to present the purposes for which personal data is processed.

Information about every aspect of processing should be comprehensive, detailed and easy to understand. That’s why we decided to divide our purposes into two main groups – marketing and sales, and recruitment.

For each of them we provided a general description. This is what we wrote regarding our marketing and sales activities:

We work hard to find and introduce new people to our product as well as improve the quality of our website. We want to communicate clearly and directly with everyone that visits. To do this we need data.

Then, we went into more detail. We broke down each reason into smaller ones and presented a practical application of each type of data gathered by our tools. It looks like this:

Name of the purpose – Description:

  • Analytics – improving site user interface, optimizing sales and marketing content
  • A/B testing and personalization – A/B tests, content personalization, improving site user interface, optimizing sales and marketing content
  • Marketing automation – sending marketing materials relevant to your interests
  • Retargeting – displaying our advertisements on other websites

That way our visitors get thorough insight into how we use the data we gather about them. Of course, the same set of information is presented to them when we first ask for consent. Right now, our consent request looks like this:

In the past, we also asked our users for permission to process data for A/B tests and marketing automation. For this reason, both purposes are still listed in our privacy policy.

4) What types of personal data you collect

The mere statement that you collect personal data is not enough – you need to go into more depth. Another important thing to include in your privacy policy is the exact types of personal data that you collect and process.

We present this information in two different ways. The first time we write that:

We request processing of personal data of visitors, such as IP address, a cookie identifier and email address (but only in the case that visitors request information be sent by email). We also collect non-personal data to learn how visitors found our website, what kind of device they’re using, how long they stayed, which pages they visited, etc. This non-personal data is tied to a temporary identifier that is removed after the end of each browsing session.

Then, we provide our users with the full list of personal data collected for each purpose:

Name of the purpose – Personal data used:

  • Analytics – browser cookies, browsing behavior on piwik.pro, device information, IP address
  • A/B testing and personalization – browser cookies, browsing behavior on piwik.pro, device information, IP address
  • Marketing automation – browser cookies, browsing behavior on piwik.pro, IP address; other data you give us will be added to your visitor profile
  • Retargeting – browser cookies, browsing behavior on piwik.pro, IP address

If that wasn’t enough, we also present our visitors with separate documents describing the scope of our tracking data and listing the cookies we use.

Not sure which types of information come under the scope of personal data? Here’s a great ebook to help you find out:
Free Cheat Sheet: PII, Personal Data or Both?

5) How long you’re going to store the data

Another important requirement comes from Article 12(2)(a). It obliges you to inform your visitors about:

“the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”.

This is how we wrote about it in our own privacy policy, in a section dedicated to the data collected during the recruitment process:

We collect and use personal information you have provided only for the purposes of the recruitment process. Data that we collect throughout recruitment is used only for communication with candidates, to evaluate their qualifications and to make a final hiring decision. During the recruitment process we use software from external partners such as Google Suite and Dropbox. The maximum time your data is held is 36 months.

6) Whether you transfer the data internationally

Article 13(1)(f) of the GDPR requires that you provide information about:

“[…] the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.”

So in our privacy policy, we’ve included the following note:

Piwik PRO Analytics Suite Cloud is hosted on Microsoft Azure Netherlands and Microsoft Azure Germany. The older version of the platform is hosted by Leaseweb in the US and Germany.

Piwik PRO On-Premises is hosted on the client’s infrastructure.

Also, we’ve added information about the location of servers used by each third party we share visitor data with (we’ll say some more about that in a moment).

7) Whether you use the data in automated decision-making

If you use automated decision-making (for example, in credit scoring or user profiling) to provide services or products to your users, you have to disclose this. Article 12(2)(f) of GDPR says:

“the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

As a company, we don’t use profiling or automated decision-making, so we didn’t include this entry in our privacy policy. But this is how Phaidon International addresses this requirement:

8) With what third parties you share the data

Article 13(1)(e) requires you to provide information about: “the recipients or categories of recipients of the personal data, if any”.

In order to comply with the law, we’ve created a list of tools we use in our marketing and sales activities:

Name of the purpose – Third parties involved:

  • Analytics – Hotjar, HubSpot, Google Ads (Conversion Pixel)
  • A/B testing and personalization – VWO
  • Marketing automation – HubSpot
  • Retargeting – Facebook Ads, Google Ads, LinkedIn Ads, Twitter Ads

However, in our opinion, simply listing the names of all third parties involved in processing personal data is not enough. That’s why our privacy policy has another section called “Our partners – tools we use for Marketing and what we use them for”. In this part we present:

  • a description of each third party
  • their data retention, location and storage policies
  • the purposes of data processing and the legal basis under which we process data using a given tool

This is how we describe VWO:

VWO is a testing and optimization platform we use to create A/B tests on our websites. VWO collects aggregate data for goals, tests, surveys, and website reviews. VWO is hosted on SSAE16-certified Bare Metal Servers. All production data is stored in IBM SoftLayer data centers spread across different locations. Data is retained for 45-90 days. (Purpose of processing data: A/B testing and personalization based on consent, Legal basis: Art. 6 (1)(a) GDPR)

Then, to make things even clearer, we added the following note:

We do NOT send collected data to other sub-processors or third parties nor do we use it for our own purposes.

In this part, it’s also good to address external links posted on your website and explain what happens after visitors click on them. Here’s how we did it:

Third-Party Websites

Links from our site to external websites do not operate under this Privacy Policy. For example, if you click on a referrer website link on our site, you may be taken to a website that we do not control. These third-party websites may independently solicit and collect information from you, including personal and financial data. We recommend that you consult the privacy statements of all third-party websites you visit by clicking on the “privacy” link typically located at the bottom of the webpage you are visiting.

Remember! Under GDPR, in order to give a third party access to your users’ data, you must sign a DPA with them. Here you can read more about creating a DPA aligned with EU data privacy regulations: Data Processing Agreement: 7 Elements Every DPA Should Have.

9) What are the data subject rights

In Article 13(2)(b) we can read that your privacy policy should also include information about:

“the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.”

For the record, GDPR requires you to tell your users about their eight rights, which are:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision-making and profiling

Along with the list of the rights, you should also provide your visitors with a way to exercise them. In the case of our own privacy policy, we’ve included widgets from our Piwik PRO GDPR Consent Manager.

One for data subject requests:

And another one for managing privacy settings:

Thanks to this, our visitors can not only get acquainted with their rights, but they can also actively exercise them without leaving our privacy page. In addition, we provide an email address to which visitors can send their data subject requests:

You have a right to access your data, correct or remove it, or completely withdraw your consent for processing it at any time. Such requests should be sent to our DPO: gdpr@piwik.pro. The withdrawal of a consent does not affect the lawfulness of processing based on consent before its withdrawal.

Continuing with the topic of rights of data subjects – GDPR also requires that you include information about visitors’ right to lodge a complaint with a supervisory authority if they’re not satisfied with the content of your privacy policy or the way you process their data. In the case of our privacy policy, the information looks like this:

You have the right to lodge a complaint with a supervisory authority (in Poland, the President of the Data Protection Office).

10) How you’ll inform users that your policy has changed

The last thing to include is a description of the process for notifying users and visitors of changes or updates to the privacy policy. After all, users need to know if the document has changed since the last time they read it.

To keep our users informed, we have included the following message in our privacy policy:

We will occasionally update this Privacy Policy. When changes to this Privacy Policy are posted, the date at the top of this Privacy Policy will be revised. We recommend checking the website from time to time to inform yourself of any changes in this Privacy Policy or any of our other policies.

As you can see, the most recent updates to our privacy policy were inserted in February this year.

GDPR privacy policy best practices – some conclusions

Writing a clear and understandable privacy policy requires the right approach. You want visitors to read and understand it without any struggle. Of course, such policies will vary across different organizations. Besides our guidelines, you need to take into account the particular needs and requirements of your organization.

We hope that this post comes in handy and makes it easier for you to draft your privacy policy. If you have further questions or need more advice, just get in touch with our team and we’ll be glad to help you.

Author:

Karolina Lubowicka, Content Marketer

Content Marketer and Social Media Specialist at Piwik PRO. An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all.