GDPR Privacy Policy

Bhuvesh Lal

Aug 31, 2023

Key Points

  • The GDPR requires any cloud-hosted company processing EU citizens’ data to inform its customers about its data processing principles and processes via a privacy policy.
  • The GDPR privacy policy should be detailed, comprehensive, and include GDPR-specific clauses like data subject rights and contact information for your DPO and/or EU/UK representative.

Introduction

A GDPR privacy policy (also called a GDPR privacy notice) is a legal requirement for every website that caters to EU citizens, irrespective of where the cloud-hosted company is located. Websites use browser cookies to process personal data for statistical, functional, or marketing purposes.

The EU GDPR requires that companies create a privacy policy to inform their customers about the handling of their personal data. It helps customers make informed decisions about the processing of their personal information. Failure to comply with the GDPR attracts heavy fines or even suspension. 

For instance, Google was fined €150,000 by the French data protection authority because its privacy policy did “not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing.” Spain also levied a fine of €90,000 on Google for having a less-than-satisfactory privacy policy. 

As a result, Google made extensive changes to its privacy policy in two areas: how information from cookies is used and how Google account data is used. 

In this article, we will look into what constitutes a privacy policy and how you can craft a GDPR-compliant privacy policy for your cloud-hosted company. 

What is a GDPR Privacy Policy?

A GDPR privacy policy is a public document that states how your cloud-hosted company processes the personal data of its users and other interested parties, and how data protection principles are applied.

Articles 12, 13, and 14 of the GDPR set out detailed guidelines on how to craft a privacy policy. They specify what must be included, and the EU refers to the document as a “privacy notice.”

According to the GDPR, cloud-hosted companies must create a privacy policy that should:

  • Be easily accessible, intelligible, transparent, and concise
  • Use clear and plain language, especially when information is directed at a child
  • Be delivered on time
  • Be available for free

A GDPR-compliant privacy policy establishes a level of trust between cloud-hosted companies and their customers. It removes any uncertainty about how the company intends to use personal data.

It also enables customers to retain control over how their personal data is used. If they feel dissatisfied with the way their data is handled, they can query the company via a data subject access request (DSAR) and request that the processing of personal data be stopped. 

Why are GDPR Privacy Policies Important?

The GDPR requires your cloud-hosted company to have a privacy policy if your website is collecting personal data from customers. Not only does a privacy policy help meet legal requirements, but it also builds trust with customers. Sometimes, other interested parties require you to have a privacy policy. 

Fines for not complying with GDPR privacy policy requirements could be up to 4 percent of your global revenue or €20 million, whichever is more. Even if the offense is found to be less severe, you can expect a fine of up to 2 percent of your revenue or €10 million, whichever is greater. 

The Irish data protection authority levied a massive €225 million fine on WhatsApp for failing to properly explain its data processing practices in its privacy notice. The company should have framed its privacy notice in easy-to-understand language and in an easily accessible format. 

When you state “legitimate interest” as your lawful basis for data processing, you should explain what those interests are with respect to each relevant processing operation. 

In another instance, the Spanish data protection authority fined Caixabank €6 million for giving inconsistent and vague information about its data processing practices in its privacy notice. The company was also relying on “legitimate interests” as its lawful basis for processing personal data without giving proper justification for it. It had also failed to meet GDPR’s transparency requirements in Articles 13 and 14. 

In the event that you’re required to go to court to defend your data privacy practices and policies, you will be held accountable for the contents of your GDPR-compliant privacy policy (or what’s missing from it).

What is the Role of a GDPR-Compliant Privacy Policy?

A GDPR-compliant privacy policy aims to help EU citizens understand how cloud-hosted companies use their personal data and allows them to file complaints if they feel that their data is being misused in any way.

The GDPR requires that communication about data use be both specific and accurate. This means that while the privacy policy itself may be a static document, the section on browser cookies should be updated regularly, and permission should be sought from each individual user of the website. The cookie information should be recorded accurately by the website owner and displayed comprehensively to site users in cookie banners or pop-ups.

Thus, cloud-hosted companies can ensure that their cookie information is up-to-date.

GDPR Privacy Policy Requirements For Your Website

GDPR is as much for the data protection of EU citizens as it is for cloud-hosted companies to protect themselves from legal action. 

You can use a GDPR privacy policy generator or a GDPR privacy policy example to help you draft customized and comprehensive documents for your website and app. You can also use a GDPR privacy policy template written by data protection experts. These free templates usually include annotations to help you meet GDPR requirements.

Contact details

Article 13(1)(a) requires your privacy policy to include the name, address, email address, and phone number of your cloud-hosted company, i.e., the “data controller,” the entity that decides how and why personal data is processed.

If you have appointed a data protection officer (DPO) and/or a UK/EU representative, Article 13(1)(b) requires you to include their contact information.

Types of personal data you process

The definition of personal data in the GDPR is quite broad: everything from cookie data to IP addresses counts as personal data. You therefore have to be specific and detailed about every type of personal data you process, and why you need to process it.

You could be processing personal data from people who may never contact your cloud-hosted company.

Usually, companies break down this section of the privacy policy into subsections like:

  • Data you provide to us
  • Data collected by our website

These are further broken down into more detailed sections. 

All this information should be provided in an easy-to-understand manner, avoiding legalese.

Lawful basis for processing personal data

Article 13(1)(c) requires cloud-hosted companies to state the specific purpose for processing personal data. Under the GDPR, they cannot process personal data without a lawful basis for doing so.

In Article 6, the GDPR establishes six legal bases for processing someone’s personal data:

  • You have their consent to do it
  • You need to process their personal data to fulfill a statutory or contractual requirement
  • You are obligated by law to process their personal information
  • You are performing a task in the public interest or exercising official authority
  • You have a legitimate interest in collecting their personal information
  • Failing to process the personal data could put their life or someone else’s life at risk

How you process personal data

The principles of purpose limitation and data minimization dictate that cloud-hosted companies must have a good reason for processing the personal data they have collected.

You must establish the specific purpose(s) for processing personal data in your privacy policy.

Under the GDPR, you can share personal data as long as you have a valid lawful basis for it and you’re transparent about it in your privacy policy.

The GDPR doesn’t require you to publish the names of every company with which you share personal data; listing the categories of recipients, such as mail carriers or payment processors, is sufficient.

You must also explain in your privacy policy if you’re transferring personal data from the EU to a non-EU third country and which mechanisms you use for these international transfers.

How long you’ll keep the data

According to the principle of storage limitation, cloud-hosted companies can retain personal data for as long as the legal basis for processing data remains valid. For instance, data processed to fulfill statutory or contractual requirements should be kept for as long as a cloud-hosted company performs the task to which the statute or contract applies. 

The privacy policy should state how long personal data will be retained. This need not be a fixed time period; it can instead be defined by how long the data is required for its purpose.

Data subject rights

The GDPR gives individuals eight rights over their personal data, which you should include in your privacy policy:

  • Right to be informed: Cloud-hosted companies must inform individuals about the data being collected, how it will be used, how long it will be kept, and whether it will be shared with third parties.
  • Right of access: Individuals have the right to request a copy of the information that a cloud-hosted company possesses about them.
  • Right to rectification: Individuals have the right to request the correction of inaccurate data or incomplete data.
  • Right to be forgotten: In certain circumstances, individuals have the right to be forgotten and they can request that their personal data be erased by cloud-hosted companies.  
  • Right of portability: Individuals have a right to request that a cloud-hosted company transfer any personal data it has on them to another company in certain circumstances. 
  • Right to restrict processing: Individuals have a right to request that a cloud-hosted company limit the use of their personal data under certain circumstances.
  • Right to object: Individuals have a right to express disapproval if they feel their personal data is being misused.
  • Rights related to automated decision-making, including profiling: Individuals have the right to object to having decisions made about them by automated processes or profiling in most circumstances.

Where to Display Your GDPR Privacy Policy?

In keeping with GDPR norms, your privacy policy should be displayed in a prominent position on your website, mobile app, or any other place from where you collect user data.

Website

You can display your privacy policy in the following areas on your website:

  • Header menu – The most prominent place to put your privacy policy is the header menu. It is available from any page on the website and visitors can easily navigate to reach the privacy policy. 
  • Footer – Most websites display their privacy policy in the footer as it is available from any page on the website. 
  • About Us – You could display your privacy policy in the main menu under “About Us,” which makes it really convenient and accessible to visitors. It is also available from any page on the website.
  • Checkout forms – A great way to ensure that visitors find your privacy policy is to include it in your checkout forms. You can add a checkbox next to a statement like “I have read and agreed to the privacy policy of this website.” Unless the checkbox is checked, the transaction cannot proceed. Include a link to your privacy policy to guide visitors to the document. 

Mobile app 

If your cloud-hosted company has a mobile app, it should display a link to your privacy policy clearly within the app or on the app store listing. 

Other communications

You can also display a link to your privacy policy in the footer of every automated email you send, especially when you’re sending direct marketing communications. 

Conclusion

Drafting a privacy policy is one of the most important legal requirements under the GDPR. Even if you’re not subject to the regulation, having a GDPR-compliant privacy policy is a good idea. Today, most privacy laws around the world mirror the GDPR and require cloud-hosted companies to inform customers about their data privacy and processing principles via a privacy policy or privacy notice.

You can use automated platforms like Sprinto to become GDPR compliant quickly because it enables you to avoid tedious manual evidence-gathering, resolves issues fast, and helps you obtain GDPR compliance easily. 

Would you like to see the platform in action? Get your free demo here

FAQ: GDPR Privacy Policy Templates

How to update your privacy policy for GDPR?

If you already have a privacy policy, you can take the following steps to update it for GDPR:

  • Make the language simple and format the document to make it easier to understand
  • Obtain GDPR-compliant consent for your privacy policy if you have not already done so
  • Include additional clauses and information such as your lawful basis for processing data, GDPR data subject rights, contact information for your DPO and EU representative, and how you ensure the safety of any international data transfers. 

What is the GDPR privacy policy?

If your cloud-hosted company processes the data of EU citizens, then the GDPR requires you to draft a clear and comprehensive privacy policy. 

Failure to comply with the GDPR requirements can lead to heavy fines or even prosecution. 

How to create a privacy policy for a website for GDPR?

A privacy policy for a GDPR-compliant website should have the following sections:

  • Cloud-hosted company’s name and contact information
  • Name and contact information for DPO and/or EU representative
  • The types of personal data you process
  • Your legal bases for processing data
  • How long you retain personal data
  • The categories of third parties with which you share personal information
  • GDPR data subject rights

How to make a GDPR privacy policy template?

There are certain requirements for crafting a GDPR-compliant privacy policy apart from the standard clauses:

  • It must be easy to understand and clearly written.
  • It must include your legal basis for processing personal data.
  • It must disclose GDPR data subject rights.
  • It must inform customers how long their personal data will be retained.
  • It must address in detail any international transfers of data and data security measures.

How to add GDPR to my privacy policy?

To make an existing privacy policy GDPR-compliant, ensure it:

  • Is concise, transparent, intelligible, easily accessible, in clear and plain language, and free of charge.
  • Outlines the GDPR-granted data subject rights.
  • Addresses the legal basis for processing data.
  • Discloses who is processing the data.
  • States the purposes of collecting data.
  • Discloses which types of personal data are being collected.
  • States how long the data will be retained and whether the data is used in automated decision-making.