GDPR Privacy Policy Template


The General Data Protection Regulation (GDPR) is EU legislation that aims to give residents of the EU more control over their personal data. One of its key requirements is that you have a Privacy Policy.

This article will get you better acquainted with the GDPR and show you what your Privacy Policy agreement should look like with the GDPR in mind.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

     [Screenshot: PrivacyPolicies.com Privacy Policy Generator - Select platforms - Step 1]

  3. Add information about your business: your website and/or app.

     [Screenshot: PrivacyPolicies.com Privacy Policy Generator - Add your business info - Step 2]

  4. Select the country.

     [Screenshot: PrivacyPolicies.com Privacy Policy Generator - Add your business info - Step 2]

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

     [Screenshot: PrivacyPolicies.com Privacy Policy Generator - Answer questions from our wizard - Step 3]

  6. Enter the email address where you'd like your Privacy Policy sent and click "Generate".

     [Screenshot: PrivacyPolicies.com Privacy Policy Generator - Enter your email address - Step 4]

And you're done! Now you can copy or link to your hosted Privacy Policy.



What is the GDPR and Why are You Required to Comply With it?

The GDPR is data protection and privacy legislation developed by the European Parliament and Council to protect the data rights of EU citizens. Companies (including websites, mobile apps and desktop apps) that do business with EU citizens are affected by this regulation.

On May 25, 2018, the GDPR replaced the existing data protection law, the Data Protection Directive, which had been in effect since 1998. If your company collects or processes the data of EU citizens, you are required to comply with this regulation. Non-compliance can result in hefty fines of up to €20 million or four percent of annual revenues, whichever is higher.

One of the key aims and requirements of the GDPR is to keep EU citizens informed of how businesses collect, use, share, secure and process their personal data.

Under the GDPR, you are required to inform your customers why you are processing their data and for how long you will store it. You must tell them in plain and clear words how you use their data.

Intersoft Consulting: GDPR Recital 58 - The Principle of Transparency

One of the easiest ways to stay transparent and inform your users is through your Privacy Policy.

Your GDPR-Compliant Privacy Policy

Under the GDPR, you are required to draft a comprehensive yet simple Privacy Policy and make it accessible to your users.

Before the GDPR, it was accepted and expected that most Privacy Policies have the following information:

  • What personal information you collect
  • How you collect it
  • What you use it for
  • How you keep it secure
  • Whether you share it with third parties
  • Any controls users have over any of this

Now, however, the GDPR has increased requirements for what your Privacy Policy must contain.

Let's take a look at some GDPR-specific updates and clauses that your Privacy Policy should have.

Who Your Data Controller is and Contact Information

If you control the personal information of your customers, or you process it on behalf of some other company, inform your customers of this. Tell them who you are and what your role is when it comes to their data.

In this example, Slack - a cloud-based company - informs its users that its Irish-based company controls and processes authorized users' information for customers outside the US and Canada. It also mentions that its US-based company controls and processes authorized users' information for customers in the US and Canada.

Slack Privacy Policy: Data Protection Officer and Identifying the Data Controller and Processor clauses

Here is how Towergate does it in its Fair Processing Notice. You can include a similar clause in your Privacy Policy:

Towergate Fair Processing Notice: Who are we clause: GDPR data controller contact information

Towergate clearly tells its users that it controls their data. Any information users provide is held by Towergate.

Who your DPO is and Contact Information

Not every business is required to have a Data Protection Officer (DPO) under the GDPR.

However, if you are, you will need to include information about this in your Privacy Policy, as well as contact information for the DPO.

GitHub has a table within its Privacy Statement in a Resolving complaints section that gives the contact information of the DPO.

GitHub Privacy Statement: Resolving complaints clause with DPO contact information

Whether You Use Data to Make Automated Decisions

If you use automated decision-making (for example, for credit scoring or for profiling users) to provide services or products to your users, disclose this.

This is how Towergate does this:

Towergate Fair Processing Notice: Your Rights section: Automated decision-making: GDPR

Inform Users of the 8 Rights They Have Under the GDPR

The GDPR requires you to tell your users about their 8 rights under the GDPR, which are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision making and profiling

You can address these rights in one long clause within your Privacy Policy, like Direct Travel does here in its Policy:

Direct Travel Privacy Policy: Data Subject Rights clause: GDPR

Or, you can address each right in a separate clause with more personalized details.

Here's an example of a clause from uSwitch that addresses user rights under the GDPR:

uSwitch Privacy Policy: Your rights clause: GDPR

uSwitch tells its customers about their right to stop the processing of their personal information for marketing purposes. Users can exercise this right by ticking or unticking boxes in forms when their data is collected, or later via email.

Here's a look at how GameStop notifies their users about their right of access via their Privacy Policy:

GameStop Privacy Policy: You May Access, Change or Modify Your Personal Information clause

Note that it's very important that you handle data access requests appropriately.

In its Privacy Policy, Twitter has a Portability clause that explains that users can follow a set of linked instructions in order to download the information they've shared through the website.

Twitter Privacy Policy: Portability clause

Twitter also has a separate clause for accessing and rectifying personal data that instructs users how to rectify their personal data directly through the account settings page.

Twitter Privacy Policy: Accessing or Rectifying Your Personal Data clause

As long as each of the 8 rights is addressed somewhere in your Privacy Policy, you have options for how you do this.

Whether You Transfer Data Internationally

If you transfer data internationally, you will have to mention it in your Privacy Policy agreement. Also mention any "privacy safeguards" your business falls under.

Debenhams illustrates it in this way:

Debenhams Privacy Policy: Transferring data internationally clause

Debenhams informs its users that it transfers user data to third parties located outside the European Economic Area (EEA). It also tells its customers that it will comply with the Data Protection Act 1998 in such transfers.

The GDPR requires you to state a legal basis for processing customers' personal data. There are 6 legal bases, which are as follows:

  1. The data subject has given consent to the processing
  2. Processing is necessary for performance of a contract between the two parties
  3. Processing is necessary for compliance with a legal obligation
  4. Processing is necessary to protect the data subject's vital interests
  5. Processing is necessary in order to protect a public interest or exercise official authority
  6. Processing is necessary for the purpose of legitimate interests, so long as fundamental rights and freedoms aren't infringed

The sixth basis is a common choice, as what counts as a "legitimate interest" is very broad.

This information will typically be in a clause about "How we use information we collect" such as in this example from Trello:

Trello Privacy Policy: Information we collect clause excerpt covering legitimate interests, security and consent

Trello also has a clause dedicated specifically to the Legal bases for processing (for EEA users):

Trello Privacy Policy: Legal bases for processing for EEA users clause

Your legal bases will likely include legitimate interests such as providing customer support, customer service and other common business interests. Mention this in your Privacy Policy so users know why you need to collect their data.

If you use consent as your legal basis for collecting personal information, it's recommended that you use "I Agree" checkboxes and clickwrap. This will help make sure you obtain adequate affirmative consent. You must ask for and obtain clear consent in cases where the information collected is of a very sensitive nature, such as health data or religious affiliation.

Here are some examples that demonstrate how to obtain user consent.

Sainsbury's uses a checkbox to ask for users' consent and also links to its Terms and Conditions page. It also asks permission to send other information to the user with a simple yes/no radio button.

Sainsbury's register form with clickwrap consent for Terms and Conditions and contact permission

The Data Protection Network displays the Terms and Conditions of the website in a scrollable box with a checkbox to obtain user consent placed directly below it. It uses an intuitive tick/cross button to seek users' consent to receive emails. It also provides a link to its Privacy Policy on the same page.

The Data Protection Network: Registration form with clickwrap consent for Terms and Conditions and joining mailing list

This works for apps as well. Here's how the Adobe ID app uses clickwrap to get users to agree to its Privacy Policy at sign-up:

Adobe ID Sign-up screen: Clickwrap example with agree to Terms and Privacy Policy

Conclusion

While you likely already have a Privacy Policy for your business, website or app, the GDPR calls for you to revisit it and update it to make it more informative and concise, and to include some specific information that wasn't required before.

You'll also need to make your consent requests more robust with checkboxes, Agree buttons and clear text surrounding these features that informs users what exactly they're agreeing to.