The Privacy Policy: your rights and your data explained

The purpose of the privacy policy is to inform individuals about the processing of their personal data. In short, anyone whose personal data is processed must be aware of the following information: what data is collected, for what purpose it is used, how long it is kept, and what rights they have concerning this data.

This document must be accessible to anyone whose personal data is processed, whether users, employees, clients, prospects or candidates. It can be applied to different contexts where personal data is processed, such as websites, digital platforms, chatbots or personnel management.

It is important for this legal document to be comprehensible to non-lawyer readers. 

It is therefore essential to use language that is accessible to all. The CNIL (National Commission for Information Technology and Civil Liberties) ), which is the supervisory authority for personal data protection, could criticize the document's lack of clarity.

How to write your GDPR privacy policy?

The policy is part of the most important part of the GDPR : informing people.

The personal data policy must contain the following information:

• Policy recipients: Who is this policy intended for?
• Data processing purposes and legal basis: Why do we process your data and on what basis?
• Data processed and duration of Data retention : What data do we process and for how long?
• Individual rights: What rights do you have to control the use of your data?
• Data access: Who can access your data?
• Data security: How do we protect your data?
• International data transfers : Can your data be transferred outside the European Union?
• Contact for more information: Who can you contact for more information?
• Contact the CNIL (National Commission for Information Technology and Civil Liberties) : How can you contact the CNIL CNIL (National Commission for Information Technology and Civil Liberties) ?
• Policy changes: Can the policy be changed?

The document is made up of several sections. In this article, we explain what should be in each of these sections. in this article.

It's important to note that, to ensure a website's compliance, the privacy policy is not the only obligation in terms of informing individuals. It is also necessary to set up a cookie policy and to mention mandatory information such as the web host and the site editor (responsible for publishing the site).

To what extent is the privacy policy mandatory?

Under the GDPR, any company or organization that collects, processes or stores personal data from EU residents must comply with certain obligations, including providing a clear and understandable privacy policy. Here are the key points to remember:

Transparency: Organizations must provide data subjects with clear, concise and transparent information on how their personal data is collected, used, shared and protected.

Informed consent: In most cases, organizations must obtain explicit consent from individuals before collecting their personal data.

Individuals' rights: Data subjects have enhanced rights under the GDPR, such as the right to access their data, the right to rectification, the right to erasure, the right to data portability, etc. The privacy policy must explain how to exercise these rights.

Data transfers: If an organization transfers personal data outside the EU, it must ensure that appropriate transfer mechanisms are in place.

Penalties for non-compliant privacy policies

Data protection authorities, such as France's CNIL (National Commission for Information Technology and Civil Liberties) , have the power to impose administrative and financial penalties on organizations that fail to comply with data protection provisions.

This can include warnings, administrative fines or injunctions to comply with legal obligations.

Non-compliance with the privacy policy can also lead to a loss of trust on the part of clients, users and the general public. This can have a negative impact on the organization's reputation and lead to a reduction in clientele, business partnerships and opportunities.

It is therefore essential that companies and organizations operating in the EU comply with the GDPR and provide a privacy policy in line with the requirements of this regulation.