
This document belongs to the most important part of the GDPR: informing people.

What is a privacy policy?

The aim of the privacy policy is to inform people about the processing of their personal data. In short, the person whose personal data is processed needs to know what that data is, for what purpose it is processed, how long it is kept, what their rights are in relation to the data, and so on.

It is a document that must be made available to the people whose personal data is processed. These may be users, employees, clients, prospects or applicants.

It must cover any type of case in which personal data is processed: website, digital platform, bot, personnel management.

This legal document must be comprehensible to non-lawyer readers. It is essential to use language that is accessible to all. The CNIL (National Commission for Information Technology and Civil Liberties), which is the supervisory authority for personal data, could criticize you for not being clear enough.


Please note that this is not the only obligation in terms of informing people about a website's compliance. You'll also need to set up a cookies policy, as well as compulsory information such as who hosts the site and who is responsible for publishing it.

In 2023, the privacy policy is mandatory. It is, above all, one of the pillars of the website's General Data Protection Regulation (GDPR) compliance.


Privacy policy GDPR

The GDPR is about:

  • Giving people the opportunity to know what is being done with their data
  • Sharing accountability for personal data among the parties that handle it
  • Ensuring that the company has full control over its data map (the inventory of its processing operations)

The aim of the GDPR is to make companies understand the importance of processing personal data properly. All data transfers within the EU or to countries outside the EU must be well supervised, including the personal data that a structure sends to its accountant, lawyers, URSSAF, etc. This also allows companies to protect themselves should there ever be a data leak.

To establish a GDPR privacy policy, you need to look at all data processing: data inputs and data outputs (lawyer, accountant, URSSAF, IT). These data transfers must be supervised.


Examples

  1. An employee of company "A" must have easy access to the company's personal data policy. It is located on the user's central work tool and can be transmitted when the employee arrives.
  2. Users of the "B" site should easily find a link to the privacy policy, often in the footer. This policy covers the personal data processed when visiting site B.
  3. Employees of company "C" use a mobile app to book appointments with occupational physicians or psychologists. A policy must be available on the mobile app to inform them about the processing of their personal data.

The content of a privacy policy

The personal data policy must contain the following information:

  • Who is this policy aimed at?
  • Why do we process your data and on what basis?
  • What data do we process and for how long?
  • What rights do you have to control the use of your data?
  • Who can access your data?
  • How do we protect your data?
  • Can your data be transferred outside the European Union?
  • Who can you contact for more information?
  • How can you contact the CNIL (National Commission for Information Technology and Civil Liberties)?
  • Can the policy be changed?

This document is divided into several sections. We explain what should be in each section.


1. Explain the purpose of the policy

This section should inform the user of the reason why this document has been produced and is available.

Website privacy policy: this policy aims to inform people about how and why a company collects and processes personal data from its clients and users in the course of its business.

On a website, this document is mandatory. It represents a guarantee of seriousness and trust towards users, as it is the best way to inform them. It is important to respect the rules governing users' personal data and to protect them.

It's also proof for everyone who consults it that the applicable data protection rules and the General Data Protection Regulation (GDPR) are being complied with.

2. To whom does it apply?

A privacy policy can apply to a client, potential client, visitor, employee or candidate, regardless of where they live. In practical terms, it applies to all those whose data is processed, as well as to all those who use and process personal information. Much depends on the context in which the privacy policy is implemented.

3. Specify the reasons for processing personal data

It is necessary to explain why and on what principles users' personal data is processed. On a website, for example, this is done in order to benefit from a service such as creating a client account or organizing an appointment, or to respond to a user request.

This part of the policy also informs users that their data will be processed to send them promotional offers by email, SMS, and via a telephone number. This is only valid if users have given their consent in a B2C context. In B2B, it's more flexible.

To comply with the GDPR, you need to draw up a register of processing operations. For this, it is necessary to go through a Data Protection Officer (DPO). Processing users' personal data makes it possible to guarantee and enhance the security and quality of the services (data security, statistics, etc.) that a structure offers.

It is also important to mention whether cookies are installed on the user's terminal.

4. Information on the processing of personal data and the duration of data retention

This is an important part, because you need to define all the categories of personal data collected via all the channels used. This may involve direct collection from users, via a database of potential clients, etc. The data retention periods implemented by the General Data Protection Regulation (GDPR) must be respected.

Here are some examples of data processed by Dipeeo:

Data type | Example | Retention period
--- | --- | ---
Professional identification and contact data | Last name, first name, business e-mail address, telephone number, business address, etc. | 5 years
Economic and financial data | Credit card number, verification code, etc. | Between 5 and 10 years
Data for commercial prospecting purposes | E-mail address, etc. | 3 years
Cookies | - | 13 months

Data must be deleted once its retention period has expired. This can be done either manually or through automated tools.
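As an added example of the automated approach (not Dipeeo's own tooling), the script below encodes the retention periods from the table above as a policy and sorts a constructed set of records into "delete", "review" and "keep". Category names, record layout and sample dates are assumptions; the "between 5 and 10 years" row is modelled as a range whose lower bound triggers a review and whose upper bound is the hard deletion deadline.

```python
from __future__ import annotations

import calendar
from datetime import date

# Constructed retention policy (assumed category names), in months so that the
# 13-month cookie row shares one code path with the year-based rows.
# Each entry is (review_after, delete_after).
RETENTION_MONTHS = {
    "professional_contact":   (60, 60),   # 5 years
    "economic_financial":     (60, 120),  # between 5 and 10 years
    "commercial_prospecting": (36, 36),   # 3 years
    "cookie":                 (13, 13),   # 13 months
}


def add_months(d: date, months: int) -> date:
    """Shift d forward by `months`, clamping the day to the target month's length
    (31 January + 1 month -> 28/29 February) instead of raising ValueError."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def retention_deadlines(category: str, collected_on: date) -> tuple[date, date]:
    """Return (review_on, delete_on) for one record of the given category."""
    review_months, delete_months = RETENTION_MONTHS[category]
    return add_months(collected_on, review_months), add_months(collected_on, delete_months)


def classify_records(records: list[dict], today: date) -> dict[str, list[str]]:
    """Bucket records: past the upper bound -> delete, past the lower bound only
    -> review, otherwise keep. Unknown categories raise KeyError on purpose:
    a record with no retention rule should not silently be kept forever."""
    result: dict[str, list[str]] = {"delete": [], "review": [], "keep": []}
    for rec in records:
        review_on, delete_on = retention_deadlines(rec["category"], rec["collected_on"])
        if today >= delete_on:
            result["delete"].append(rec["id"])
        elif today >= review_on:
            result["review"].append(rec["id"])
        else:
            result["keep"].append(rec["id"])
    return result


# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"id": "contact-1", "category": "professional_contact",   "collected_on": date(2018, 1, 31)},
    {"id": "invoice-7", "category": "economic_financial",     "collected_on": date(2016, 6, 1)},
    {"id": "lead-3",    "category": "commercial_prospecting", "collected_on": date(2022, 3, 15)},
    {"id": "cookie-9",  "category": "cookie",                 "collected_on": date(2022, 1, 31)},
]

if __name__ == "__main__":
    for bucket, ids in classify_records(SAMPLE_RECORDS, date(2023, 6, 1)).items():
        print(f"{bucket}: {ids}")
```

In practice the "delete" bucket would feed an erasure job and the "review" bucket a ticket for the DPO, so the decision of when a ranged period ends is recorded rather than left to whoever runs the cleanup.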

5. Inform people whose data is processed of their rights, so that they can control how their data is used.

Before drafting a GDPR privacy policy, make sure you have the necessary technical and legal knowledge.

All users have specific rights that they can use at any time and free of charge to control the use of their personal data. These rights are granted by applicable data protection regulations.

A person's rights are as follows:

1 - Right to access and copy personal data: Each user has the right to request information on all processing of his or her personal data, provided that this request does not conflict with business secrecy, confidentiality or the secrecy of correspondence.

According to the CNIL (National Commission for Information Technology and Civil Liberties), here are all the elements that must be provided to a user who exercises their right of access:

  • Purpose of data use,
  • Categories of data collected,
  • Recipients or categories of recipients who may have had access to this data,
  • Data retention period or the criteria that determine this period,
  • Existence of other rights (right of rectification, deletion, limitation, opposition),
  • Possibility of appealing to the CNIL (National Commission for Information Technology and Civil Liberties),
  • Any information relating to the source of the data collected, if not directly collected,
  • Existence of automated decision-making, including profiling, and the underlying logic, importance and consequences of such a decision,
  • The possible transfer of data to a third country (non-EU member) or to an international organization.

2 - Right to rectify personal data: all users have the right to rectify, add to, update, lock or delete any personal data that may be incorrect, obsolete or incomplete.

3 - Right to object to the processing of personal data used for commercial prospecting: each user has the right to unsubscribe from a commercial prospecting campaign (opt-out).

4 - Right to request deletion ("right to be forgotten") of personal data that is not essential to the proper functioning of a structure's services.

5 - Right to limit the processing of personal data, which makes it possible to take a snapshot of the use of the data in the event of a dispute over the legitimacy of the processing.

6 - Right to data portability, which can be used to retrieve part of your personal data and store it or transmit it easily from one information system to another.

7 - Right to give instructions on the fate of data in the event of death, either through an intermediary, a trusted third party or a beneficiary.

To enable users to assert their rights, we need to set up an e-mail address, for example, to which they can send their requests.


6. Provide information on who has access to personal data

As companies collect and process data from "people", it is essential to inform them of who can access their personal data. In general, personal data is communicated to those authorized to use it in order to implement a structure's services: in particular, staff responsible for service implementation, accounting, marketing and, where applicable, premises security.

Data may be passed on to public authorities, external consultants and practitioners, service providers or, possibly, business partners.

For each structure, this part can vary according to the activity, and it's not the only part that can contain different information. It is therefore not advisable to copy a privacy policy from another structure. We advise you to seek professional advice. Click here for your free audit.

7. Inform about the security measures in place to protect personal data

The purpose of this section is to provide information on the security measures in place to protect personal data.

Users' personal data must be absolutely protected. All the necessary technical and organizational resources must be put in place to guarantee this security on a daily basis, and to combat any risk of unauthorized destruction, loss, alteration or disclosure of data.

It is important to raise the awareness of all those who collect and process personal data within the organization, in order to limit the risks of data leakage.

For example, passwords must be changed frequently, and they must be of a high level (lower case letters, upper case letters, special characters, numbers, etc.). The Data Protection Officer (DPO) is responsible for raising awareness of this issue.

8. Information on data transfers outside the European Union

Personal data may be transferred to a country outside the EU, but appropriate safeguards must be implemented to ensure the confidentiality and protection of personal information.

To be compliant, structures that transfer personal data outside the European Union, directly or through service providers outside the European Union, must sign a specific contract that allows these data transfers. Consequently, service providers must be GDPR-compliant if they process the personal information of people within the EU.

For the major players, particularly in the US, the clauses are already available and do not require any additional drafting. However, verification is necessary.

9. Who to contact for more information?

This section highlights the structure's Data Protection Officer (DPO), who is the conductor of the personal data processing orchestra. It is advisable to include a means of contacting the DPO via a dedicated "GDPR" email address.

10. Indicate how to contact the country's authority regarding personal data

This section provides information on the supervisory authority regulating the processing of personal data, whether this be the CNIL (National Commission for Information Technology and Civil Liberties) or another body in a country outside the EU. Anyone can make a complaint to the CNIL (National Commission for Information Technology and Civil Liberties) anonymously.

For example:

You can contact the French data protection supervisory authority (the "Commission nationale de l'informatique et des libertés" or "CNIL (National Commission for Information Technology and Civil Liberties)") at the following address:

CNIL (National Commission for Information Technology and Civil Liberties) complaints department, 3 place de Fontenoy - TSA 80751, 75334 Paris Cedex 07 or by telephone on 01.53.73.22.22.

11. Inform about potential updates to the privacy policy

Before drafting a GDPR privacy policy, it's important to know that a structure is likely to evolve. The same applies to its policy, which must be adapted to new legal requirements as well as to new processing operations that may be implemented in the future.

That's why it's a good idea to enlist the help of a data protection officer. He or she will ensure that all legal documents are kept up to date.

It is important to inform the persons concerned when changing or adapting the privacy policy.


Privacy policy for WordPress, Shopify or Facebook platforms

There are two possible scenarios for these platforms. Either the privacy policy has already been drawn up and is available, since the platform is aware of all processing operations, or the platform provides a white-label policy that can be completed and implemented on it.

Privacy policy generator

There are many tools available for generating privacy policies. However, these tools propose "privacy policy templates" that are not always compatible with a structure's activity. In fact, these tools are not responsible for the information you enter to generate your document, nor do they guarantee its conformity. This means it's highly likely that the policy won't be GDPR-compliant.

Dipeeo allows you to generate your policy in its unique all-inclusive external DPO offer. After filling in a questionnaire, your DPO will deliver your privacy policy along with instructions for integrating it into your website, platform, intranet, etc.

Privacy policy free template

You can download Dipeeo's privacy policy as an example. Be careful, however: you'll need to update the policy on the basis of your own personal data processing, and this is highly dependent on your activity. We therefore do not recommend using it as-is.

Dipeeo can help you implement this policy with ease. Contact us via the "contact.