Introduction
The GDPR requires that the privacy notice:
- Be easily accessible, intelligible, transparent, and concise
- Use clear and plain language, especially when information is directed at a child
- Be delivered on time
- Be available for free
It also enables customers to retain control over how their personal data is used. If they are dissatisfied with the way their data is handled, they can query the company via a data subject access request (DSAR) and request that the processing of their personal data be stopped.
Why are GDPR Privacy Policies Important?
The Irish data protection authority levied a €225 million fine on WhatsApp for failing to properly explain its data processing practices in its privacy notice. The company should have framed its privacy notice in easy-to-understand language and in an easily accessible format.
When you state “legitimate interest” as your lawful basis for data processing, you should explain what those interests are with respect to each relevant processing operation.
In another instance, the Spanish data protection authority fined Caixabank €6 million for giving inconsistent and vague information about its data processing practices in its privacy notice. The company was also relying on “legitimate interests” as its lawful basis for processing personal data without properly justifying it, and it had failed to meet the GDPR’s transparency requirements in Articles 13 and 14.
The GDPR’s consent requirements aim to help EU citizens understand how cloud-hosted companies use their personal data and allow them to file complaints if they feel that their data is being misused in any way.
This also requires cloud-hosted companies to keep their cookie information up to date.
GDPR is as much for the data protection of EU citizens as it is for cloud-hosted companies to protect themselves from legal action.
- Contact details
If you have appointed a data protection officer (DPO) and/or a UK/EU representative, Article 13(1)(b) requires you to include their contact information.
- Types of personal data you process
The definition of personal data in the GDPR is quite broad: everything from cookie data to IP addresses is considered a type of personal data. Thus, you have to be specific and detailed about every type of personal data you process, and why you need to do so.
You could be processing personal data from people who may never contact your cloud-hosted company.
- Data you provide to us
- Data collected by our website
These are further broken down into more detailed sections.
All this information is provided in an easy-to-understand manner and by avoiding legalese.
- Lawful basis for processing personal data
Article 13(1)(c) requires cloud-hosted companies to state the specific purpose for processing personal data. Under the GDPR, they cannot process personal data without a lawful basis for doing so.
In Article 6, the GDPR establishes six legal bases for processing someone’s personal data:
- You have their consent to do it
- You need to process their personal data due to a statutory or contractual requirement
- You are obligated by law to process their personal information
- You are executing a task in the public interest or have the legal authority
- You have a legitimate interest in processing their personal information
- You could put their life or someone else’s life at risk by failing to process personal data
- How you process personal data
The principles of purpose limitation and data minimization dictate that cloud-hosted companies must have a good reason for processing the personal data they have collected.
The GDPR doesn’t require companies to publish a list of names of companies with which they share personal data, but only the types of companies like mail carriers or payment processors.
- How long you’ll keep the data
According to the principle of storage limitation, cloud-hosted companies can retain personal data for as long as the legal basis for processing data remains valid. For instance, data processed to fulfill statutory or contractual requirements should be kept for as long as a cloud-hosted company performs the task to which the statute or contract applies.
- Data subject rights
- Right to be informed: Cloud-hosted companies must inform individuals about the data being collected, how it will be used, how long it will be kept, and whether it will be shared with third parties.
- Right of access: Individuals have the right to request a copy of the information that a cloud-hosted company possesses about them.
- Right to rectification: Individuals have the right to request the correction of inaccurate data or incomplete data.
- Right to be forgotten: In certain circumstances, individuals have the right to be forgotten and they can request that their personal data be erased by cloud-hosted companies.
- Right of portability: Individuals have a right to request that a cloud-hosted company transfer any personal data it has on them to another company in certain circumstances.
- Right to restrict processing: Individuals have a right to request that a cloud-hosted company limit the use of their personal data under certain circumstances.
- Right to object: Individuals have a right to express disapproval if they feel their personal data is being misused.
- Rights related to automated decision-making, including profiling: Individuals have the right to object to having decisions made about them by automated processes or profiling in most circumstances.
- Mobile app
- Other communications
You can use automated platforms like Sprinto to become GDPR compliant quickly: they help you avoid tedious manual evidence-gathering, resolve issues fast, and achieve GDPR compliance more easily.
- Make the language simple and format the document to make it easier to understand
- Include additional clauses and information such as your lawful basis for processing data, GDPR data subject rights, contact information for your DPO and EU representative, and how you ensure the safety of any international data transfers.
Failure to comply with the GDPR requirements can lead to heavy fines or even prosecution.
- Cloud-hosted company’s name and contact information
- Name and contact information for DPO and/or EU representative
- The types of personal data you process
- Your legal bases for processing data
- How long you retain personal data
- The categories of third parties with which you share personal information
- GDPR data subject rights
- It must be easy to understand and clearly written.
- It must include your legal basis for processing personal data.
- It must disclose GDPR data subject rights.
- It must inform customers how long their personal data will be retained.
- It must address in detail any international transfers of data and data security measures.
- Is concise, transparent, intelligible, easily accessible, in clear and plain language, and free of charge.
- Outlines the GDPR-granted data subject rights.
- Addresses the legal basis for processing data.
- Discloses who is processing the data.
- States the purposes of collecting data.
- Discloses which types of personal data are being collected.
- States how long the data will be retained and whether the data is used in automated decision-making.