In a world where our personal information is constantly circulating on the internet, privacy policies have become an essential part of our digital protection. Whether you are an individual concerned about your privacy or a professional managing client data, understanding this legal document is crucial for navigating today's digital ecosystem with peace of mind.
A privacy policy, also known as a confidentiality policy or data protection policy, is a legal document that explains how an organization collects, uses, stores, and protects its users' personal information. This transparent document sets out the rules between the company and its users regarding the processing of personal data.
The privacy policy is much more than a mere administrative formality. It represents a contractual commitment that defines the rights and obligations of each party. For users, it guarantees transparency regarding the use of their data. For companies, it demonstrates their compliance with current regulations and their seriousness when it comes to processing personal data.
In reality, there is no fundamental difference between a privacy policy and a privacy statement. These terms are used interchangeably in the legal field and refer to exactly the same document.
Some organizations prefer the term "charter" because it evokes a solemn commitment and values, while others opt for "policy," which emphasizes the regulatory and procedural aspects. You may also encounter the terms "data protection policy" or "information notice." The important thing is not the name chosen, but the content and compliance of the document with legal requirements.
Yes, the privacy policy is a legal requirement for any website that collects personal data, even in a minimal way. Since the GDPR (General Data Protection Regulation) came into force in May 2018, any site that collects, stores, or processes personal data must clearly inform its users (transparency requirement) of:
This information must be presented in a clear, legible, understandable, and easily accessible manner on all pages of the website. It generally takes the form of a page called a privacy policy, privacy statement, or data protection policy.
Even if your website only collects email addresses via a newsletter, or only uses browsing cookies, you must have an accessible privacy policy. This obligation applies to all types of websites: e-commerce sites, blogs, showcase websites, mobile applications, and service platforms.
A comprehensive privacy policy must include several essential elements in order to comply with legal requirements:
Clearly indicate who the data controller is: name of the organization, full address, legal representative, and the contact details (including telephone number) of the Data Protection Officer (DPO).
List precisely all personal data collected: identity, contact details, browsing data, preferences, purchase history. Distinguish between mandatory and optional data.
Explain the processing purposes (why you collect this data): order management, service improvement, commercial prospecting, compliance with legal obligations, or statistical analysis.
Specify the legal basis on which you base the processing: user consent, performance of a contract, legal obligations, legitimate interests, or public interest mission.
Specify who can access the data: internal departments, processors, business partners, competent authorities. Be thorough and precise.
Define how long you keep each type of data in your databases and justify this period. Explain your automatic data deletion policy.
Detail the rights users have under the GDPR: right of access, rectification, erasure, data portability, objection, and restriction of processing. Explain how to exercise them and mention the available avenues of complaint.
Describe the safeguards in place to ensure data security: encryption, access controls, backups, staff training.
The privacy policy applies to a wide range of players in the digital ecosystem:
Businesses: Any company that has a website or mobile app, or that collects client data, must establish a policy. This includes very small businesses (VSBs), SMBs, large companies, startups, and even self-employed individuals who collect data via their website; all of them must implement compliance measures.
Associations and organizations: Associations, foundations, local authorities, and public bodies are also affected when they process personal data in the course of their activities.
Professional individuals: Consultants, freelancers, and independent professionals who collect client data through their website or digital tools must also comply with this obligation.
End users: Website visitors, clients, prospects, and subscribers are the direct beneficiaries of this protection. They have the right to access clear information about how their data is processed.
Writing an effective privacy policy follows a specific methodology:
Analyze your current practices: Conduct a comprehensive audit of your data processing activities. Identify all points of collection: forms, cookies, analytics tools, payment systems, newsletters. Document data flows and processing purposes.
Use clear and accessible language: Avoid complex legal jargon. Use short sentences, concrete examples, and structure your document with explicit headings. Think about your audience: your users must be able to easily understand their rights.
Customize according to your business: Adapt your charter to your industry and actual practices. An e-commerce charter differs from a charter for a blog or showcase website. Describe your processes in concrete terms.
Include specific legal notices: Depending on your business, add specific notices: international transfers, profiling, automated decision-making, or sensitive processing.
Make navigation easy: Use a table of contents, anchor links, and clear formatting. Your users should be able to quickly find the information they are looking for.
A free template can be a starting point, but it has significant limitations for your privacy policy:
Advantages of free templates: Templates provide a basic structure and cover the main mandatory information. They enable quick and cost-effective compliance for simple activities.
Disadvantages and risks: Generic templates do not reflect your actual practices. They may contain information that is inaccurate or unsuitable for your industry. The risk of non-compliance remains high, especially for complex activities.
When should personalized support be prioritized?
If you process sensitive data, carry out international transfers, or have a complex business, specialised legal support is recommended. Regulated sectors (health, finance, education) require particular expertise.
Practical recommendations: Use a template as a basis, but carefully adapt it to your situation. Have your charter reviewed by a data protection expert before publishing it.
The privacy policy must be easily accessible at all times to visitors to your site. It cannot be hidden or difficult to find, as this would violate the transparency requirements imposed by the GDPR.
In the footer: The footer is the most common and recommended place to display a link to your policy. As it is visible on all pages, it guarantees permanent access for your visitors, without them having to search for it.
💡 Tip: Use a clear title, such as "Privacy Policy" or "Confidentiality Policy", and avoid vague wording.
Near data collection forms: Whenever you collect personal data (contact form, registration, order, newsletter, etc.), you must inform the user about how their data will be used.
That's why it's important to add a link to your policy next to or below the form, usually accompanied by a checkbox (without pre-checking) to obtain consent.
In the cookie banner: When a website uses cookies or trackers, a consent banner must be displayed when the page is first loaded. This banner must contain a direct link to the privacy policy or to a dedicated page explaining the purposes of cookies and users' rights.
From the legal notices: It is also relevant to include the charter on the legal notices page. This allows all legal and compliance information to be grouped together in one place, which is often appreciated by both users and regulatory authorities.
Don't forget your emails: The privacy policy should not be limited to your website. In all professional or marketing emails you send, such as newsletters, confirmation emails, or promotional messages, it is strongly recommended that you add a link to the privacy policy in the footer.
Yes. The General Data Protection Regulation (GDPR), in force since May 2018, imposes a clear and comprehensive information obligation on any organization that collects personal data. Failure to comply with this obligation constitutes a breach of the regulation and may result in administrative, legal, or financial penalties.
The total absence of a charter is considered a serious violation of the duty of transparency. But an incomplete, overly vague, overly technical, outdated, or simply difficult-to-access charter can also be criticized. It is not just a question of presence, but also of quality, clarity, and readability.
The CNIL (Commission nationale de l'informatique et des libertés), the supervisory authority in France, has already sanctioned companies for failure to provide information, failure to mention users' rights, or lack of clarity on the purposes of processing.
Publishing a privacy policy is not a one-time event. It must evolve along with your website and tools. A policy that is not updated can expose you to legal risks, even if it was well written originally.
As soon as you modify a collection or processing operation
If you add a new form, install a tracking tool, change providers, or offer a service that uses personal data (such as geolocation or user behavior), you must update your policy.
Even a seemingly minor change, such as activating Google Analytics, adding a chatbot, or integrating a CRM, requires a revision of the document if it involves a different way of processing data.
If nothing changes, carry out a review every year.
Even if there are no technical or functional changes, it is a good idea to review your charter once a year. This allows you to identify any omissions, correct inaccuracies, check links, and ensure that the language remains clear and compliant with the requirements of the CNIL (National Commission for Information Technology and Civil Liberties).
For each revision or in the event of a change, here are some good habits to adopt:
Good to know: If the update concerns a sensitive issue, such as a new processing purpose, a change of data recipient, or a modification of rights, it is essential to inform your users. This can be done via a notification on the website, a banner, or an email.
The privacy policy is much more than a legal obligation: it is an essential tool for building trust in your relationships with your users. Its drafting and maintenance require special attention to ensure your compliance while strengthening your credibility.
Take the time to create a clear and transparent policy that is tailored to your business. Don't hesitate to call on experts to assist you in this crucial step for your digital presence. A well-designed privacy policy not only protects your users, but also your organization when it comes to the challenges of personal data protection.
Investing in a high-quality privacy policy means investing in the trust of your users and the sustainability of your digital business.
At Dipeeo, in addition to drafting your privacy policy, we handle GDPR compliance for businesses from A to Z:
✓ An outsourced DPO declared to the CNIL (National Commission for Information Technology and Civil Liberties)
✓ Unlimited advice from your dedicated legal advisor
✓ All your legal documents provided
✓ A collaborative and intuitive platform
✓ A "GDPR" label
✓ Fixed monthly cost