GDPR Privacy Policy Template
Mar 11, 2019
The EU General Data Protection Regulation (GDPR) became enforceable
on 25 May 2018. One of the reasons the EU introduced the law was to
give people more control over their personal data.
To prepare for the GDPR, companies have had to think carefully
about their data protection and privacy practices.
One of the most important requirements for organizations within the
scope of the GDPR is that they provide transparent and easily
accessible information about the personal data they process
(Articles 12 to 14). The usual way to do this is a clear and
comprehensive Privacy Policy.
Contents
1 What’s Covered by the GDPR?
2 Does the GDPR Apply Outside of the EU?
3 How to Comply with the GDPR
4 Creating a GDPR-Compliant Privacy Policy
4.1 Your Company’s Contact Details
4.2 Your Purposes and Legal Basis for Processing
4.3 Whether You’ll Be Sharing Your Users’ Personal Data
4.4 Whether You’ll Be Transferring Personal Data To a Third Country
4.5 How Long You’ll Store Your Users’ Personal Data
4.6 Your Users’ Rights
5 GDPR-Compliant Consent
5.1 Freely Given and Affirmative
5.2 Granular
5.3 Easily Withdrawn
6 Summary of GDPR Compliance for Privacy Policies
What’s Covered by the GDPR?
The GDPR covers the “processing” of “personal data.” Article 4(1)
of the GDPR defines personal data as any information relating to an
identified or identifiable natural person, where a person is
identifiable if they can be identified “directly or indirectly.”
This is a very broad definition. Aside from obvious identifiers like
a person’s name, it can also include a person’s:
Email address
Cookie data
IP address (even where it’s a dynamic IP address)
“Processing” is also a broad term. Article 4(2) covers almost
anything done with data: collecting, recording, storing, retrieving,
using, disclosing, combining or erasing it. The GDPR applies to
processing by automated means and to manual processing of data held
in a structured filing system (Article 2(1)). Examples include:
Asking your customers to fill out a contact form on your
website
Storing a list of phone numbers
Sending direct marketing emails
According to Article 3 of the GDPR, the regulation applies to any
person or organization established in the EU that processes
personal data in the context of that establishment (Article 3(1)),
and to anyone outside the EU that:
Offers goods or services to people in the EU (whether they’re
charged for, or provided for free); or
Monitors the behavior of people in the EU (Article 3(2)).
So, your company might not be “offering goods and services” in the
EU. But you will still fall under the GDPR if you, for example:
Target EU residents with advertising cookies, or
Track EU users’ online behavior, for instance by profiling them
from the IP addresses and activity recorded in your log files
Does the GDPR Apply Outside of the EU?
The GDPR covers all processing of the personal data of people in
the EU – whether the actual act of processing is performed in the
EU or not. It is not only EU companies that have to comply.
Companies based anywhere else in the world – for example the United
States, Canada or Russia – must comply too if they fall within the
scope set out in Article 3.
While some laws, like the upcoming California Consumer Privacy
Act, only apply to certain types of companies, the GDPR could
apply to anyone that falls within its scope – including individuals,
charities, public bodies and businesses.
How to Comply with the GDPR
If the GDPR applies to you, you’ll want to know how to avoid
infringing it.
EU data protection authorities can impose fines of up to EUR 20
million or 4% of worldwide annual turnover, whichever is higher
(Article 83), as well as other corrective measures such as orders to
stop processing. How consistently this will be enforced against
non-EU businesses is still unclear, but even the threat of a
sanction is a serious problem for your company.
The good news is that the core obligations are clear.
To comply with the GDPR:
Create a GDPR-compliant Privacy Policy,
Abide by the principles in Article 5 (lawfulness, fairness and
transparency; purpose limitation; data minimization; accuracy;
storage limitation; integrity and confidentiality; and
accountability), and
Only process your users’ personal data on a lawful basis
(Article 6)
Creating a GDPR-Compliant Privacy Policy
Having a Privacy Policy is one of the ways that you can comply with
a key principle of the GDPR – transparency.
Your Privacy Policy must be:
Written in clear and simple language that your users can
easily understand,
Comprehensive, so that it covers all aspects of your personal
data processing activities, and
Easily accessible, and provided at the time you collect your
users’ personal data (Article 13) or, where you obtained it from
another source, within a reasonable period and at the latest within
one month (Article 14(3)).
You likely already have a Privacy Policy. It’s required under other
privacy laws such as:
The California Online Privacy Protection Act (CalOPPA);
Canada’s Personal Information Protection and Electronic
Documents Act (PIPEDA);
The EU’s Data Protection Directive (the GDPR’s predecessor).
However, you likely need to update your Privacy Policy to ensure
that you’re compliant with the GDPR as well.
Here’s what your GDPR-compliant Privacy Policy should contain.
Your Company’s Contact Details
Article 13 (1)(a) of the GDPR requires that you provide your users
with:
“the identity and the contact details of the controller and, where
applicable, of the controller’s representative”
“The controller” refers to a “data controller” – the person or
organization that determines the purposes and means of the
processing, i.e. decides why and how personal data is processed
(Article 4(7)).
Here’s how cereal company Kellogg provides this information:
Article 13 (1)(b) of the GDPR also requires you to provide:
“the contact details of the data protection officer, where applicable”
Under Article 37, a Data Protection Officer (DPO) is mandatory for
public authorities, for organizations whose core activities involve
regular and systematic monitoring of people on a large scale, and
for those whose core activities involve large-scale processing of
special categories of data (Article 9) or criminal conviction data.
Size alone is not the test; a small ad-tech company that profiles
users at scale may need a DPO while a large firm that only processes
employee records may not.
Here’s some information from the European Commission about
appointing a DPO:
Here’s how the UK’s Bar Council provides information about
contacting its DPO:
Your Purposes and Legal Basis for Processing
Article 13 (1)(c) of the GDPR requires that you provide information
about:
“the purposes of the processing for which the personal data are
intended as well as the legal basis for the processing”
You can’t process personal data unless you have a specific
purpose for doing so. And for every type of data processing you
do, you need to make sure you have a legal basis for doing it.
Think of it this way: your personal data belongs to you. Businesses
aren’t allowed to collect it or use it in any way – unless they have a
lawful basis for doing so.
The GDPR sets out six legal bases in Article 6(1).
You can only process a person’s personal data if at least one of the
following applies:
a. The person has given consent for one or more specific purposes
b. Processing is necessary to perform a contract with them, or to
take steps at their request before entering into one
c. Processing is necessary to comply with a legal obligation you
are subject to
d. Processing is necessary to protect someone’s vital interests –
their life, or someone else’s
e. Processing is necessary for a task carried out in the public
interest or under official authority
f. Processing is necessary for your (or a third party’s) legitimate
interests, and those interests are not overridden by the person’s
own interests or fundamental rights
In your Privacy Policy, you should link your purposes for processing
people’s data with your legal basis for doing so.
Here’s how not-for-profit DACS does this:
If you think that processing personal data is in your legitimate
interests (point “f”, above), you should carry out and document a
Legitimate Interests Assessment (LIA) before you rely on it. The
UK’s data protection authority, the Information Commissioner’s
Office, provides guidance on this: its three-part test asks whether
the purpose is legitimate, whether the processing is necessary for
it, and whether the person’s interests and rights override yours.
Keeping the written assessment is how you show accountability
(Article 5(2)) if a regulator asks.
Article 13 (1)(d) of the GDPR requires that if you’re relying on
legitimate interests for an act of data processing, you must provide
information about what your legitimate interests are.
The next section of the DACS Privacy Policy does this:
Whether You’ll Be Sharing Your Users’ Personal Data
Article 13 (1)(e) requires you to provide information about:
“the recipients or categories of recipients of the personal data, if
any”
Note that you aren’t necessarily required to name the specific
companies with whom you share personal data – categories of
recipient are acceptable, although regulators expect them to be as
specific as possible (“payment processors” rather than “partners”).
Service providers that process data on your behalf count as
recipients too (Article 4(9)), and you need a written contract with
each of them (Article 28).
You might be sharing personal data in more ways than you realize.
For example, if you use:
A third-party hosted database, such as a cloud-hosted Microsoft
SQL Server instance
Shopping cart software like Shopify
An automated email service like MailChimp
Here’s how travel gear company Wayks explains this to its
customers:
Whether You’ll Be Transferring Personal Data To a Third Country
Article 13 (1)(f) of the GDPR requires that you provide information
about:
“the fact that the controller intends to transfer personal data to a
third country or international organisation and the existence or
absence of an adequacy decision by the Commission”
A “third country” means a country outside the EU (strictly, outside
the European Economic Area, since the GDPR also applies in Iceland,
Liechtenstein and Norway). If you’re hosting your website in the US,
for example, and you’re processing the personal data of people in
the EU via that website, you’re transferring personal data to a
third country.
The European Commission maintains a list of countries that it has
decided have “adequate” data protection standards (Article 45). If
you’re transferring data to a third country, you need to state
whether this country is on the list.
At the time of writing, the data protection situation in the US
isn’t considered “adequate” except where the Privacy Shield
framework is used. You can apply to join Privacy Shield if you’re a
US-based company and you meet the criteria. One of the criteria is
having a GDPR-compliant Privacy Policy. (Note that the Court of
Justice of the EU invalidated Privacy Shield in July 2020 in the
Schrems II case; US transfers have since relied on other Article 46
mechanisms or on the EU-US Data Privacy Framework adequacy decision
of July 2023. Check the Commission’s current list before relying on
any of these.)
SendGrid is part of the Privacy Shield scheme. Here’s how it
explains this in its Privacy Policy:
There are other GDPR-compliant ways to transfer data to third
countries, set out in Article 46. The most common are the
Commission’s standard contractual clauses (SCCs) and, for transfers
within a corporate group, “binding corporate rules.”
This is the method used by pharma company GSK and explained in
its Privacy Policy:
How Long You’ll Store Your Users’ Personal Data
Article 13 (2)(a) of the GDPR requires that you inform your users:
“the period for which the personal data will be stored, or if that is
not possible, the criteria used to determine that period”
Under the storage limitation principle (Article 5(1)(e)), you must
not keep personal data in identifiable form for longer than the
purpose you collected it for requires. A retention schedule that
states a period (or a criterion, such as “until the account is
closed plus six years for tax records”) for each category of data is
the practical way to meet both this principle and the Article 13
disclosure.
Here’s how the Chartered Institute of Management explains how
long it stores different types of personal data in its Privacy Policy:
Your Users’ Rights
Chapter 3 of the GDPR sets out the rights that people have over
their data: to be informed, of access, to rectification, to erasure,
to restriction of processing, to data portability, to object, and
rights in relation to automated decision-making and profiling. The
GDPR requires that you not only facilitate these rights, but that
you also make your users aware of them in your Privacy Policy
(Article 13(2)(b)).
Here’s how trade union Unison does this:
You also need to explain that your users have the right to lodge a
complaint with a supervisory (data protection) authority
(Article 13(2)(d)), and how they can do so.
Here’s how UK political party The Labour Party includes this
information in its Privacy Policy:
GDPR-Compliant Consent
In addition to the stricter requirements around Privacy Policies, the
GDPR also contains a stricter definition of consent. Article 4(11)
requires it to be “freely given, specific, informed and
unambiguous,” given by a statement or by a clear affirmative action.
This means users are able to make more informed choices about
whether to give you permission to process their personal data.
However, it also requires a little extra work on your part.
You don’t need consent for all aspects of personal data processing.
There are five other legal bases which might be more appropriate in
certain contexts.
However, for some activities, it’s usually best to seek consent.
Examples include:
Sending direct marketing emails to new customers
Using targeted advertising cookies
Storing sensitive personal data
Freely Given and Affirmative
Your users must have a genuine, free choice to either consent or
not consent. If you’re seeking their consent for something, you must
offer both options. It should be just as easy to refuse consent as it
is to grant it.
Your users must positively affirm that they consent to you
processing their personal data. It’s no longer acceptable to infer
consent from a person’s silence or inactivity (Recital 32). In other
words, consent must be opt-in, not opt-out.
Don’t present your users with pre-ticked boxes, or use statements
like “by continuing to use our website, you consent to…” Neither
counts as consent under the GDPR.
Here’s a great example from the European Central Bank’s cookie
consent banner:
Granular
If you’ve obtained a user’s consent for one type of processing, this
doesn’t mean you’ve obtained consent for all types of processing.
Under the GDPR, you are supposed to offer your users “granular”
consent, i.e. the ability to opt into some types of processing but
not others.
Here’s how The Independent does this. When a user clicks “Show
Purposes” on the cookie consent banner, they’re taken to this form
where each purpose for using information is listed along with
additional information and a radio button to turn each purpose on or
off:
Easily Withdrawn
As well as being able to refuse consent, your users must be allowed
to withdraw consent once they’ve agreed to it. Article 7(3) of the
GDPR says: “it shall be as easy to withdraw as to give consent.”
Article 13 (2)(c) requires that you make your users aware of “the
existence of the right to withdraw consent at any time.”
Here’s how The Law Society does this in its Privacy Policy:
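The three consent properties above (freely given and affirmative, granular, easily withdrawn) are usually lost in the glue code between a cookie banner and the third-party tags it controls. The following is an added example, not code from the original page or from any of the companies it cites: a small consent-state module that defaults every purpose to denied, records each decision with a timestamp, treats withdrawal as the same single call as granting, and gates tag loading on the recorded state. The purpose names, the tag-to-purpose map and the timestamps are constructed for illustration.

```javascript
// Added example (not from the original page). Purpose names are assumptions;
// "necessary" models strictly necessary cookies, which need no consent and
// are therefore never presented as a toggle.
const CONSENT_PURPOSES = ["analytics", "advertising", "marketing_email"];

// Freely given and affirmative: a fresh state grants nothing. Silence,
// scrolling or "continuing to use the site" never flips a flag.
function newConsentState() {
  const purposes = {};
  for (const p of CONSENT_PURPOSES) {
    purposes[p] = { granted: false, changedAt: null };
  }
  return { purposes, history: [] };
}

// Granular: each purpose is set independently, and every decision is logged
// with a timestamp so you can later show when, and to what, the user agreed.
function setConsent(state, purpose, granted, at = Date.now()) {
  if (!Object.prototype.hasOwnProperty.call(state.purposes, purpose)) {
    throw new Error(`unknown purpose: ${purpose}`);
  }
  if (typeof granted !== "boolean") {
    throw new Error("consent must be an explicit true/false decision");
  }
  state.purposes[purpose] = { granted, changedAt: at };
  state.history.push({ purpose, granted, at });
  return state;
}

// Easily withdrawn: withdrawing is the same one-step call as granting, and a
// "withdraw everything" path exists for the banner's reject-all control.
function withdrawConsent(state, purpose, at = Date.now()) {
  return setConsent(state, purpose, false, at);
}
function withdrawAll(state, at = Date.now()) {
  for (const p of CONSENT_PURPOSES) setConsent(state, p, false, at);
  return state;
}

function hasConsent(state, purpose) {
  const entry = state.purposes[purpose];
  return Boolean(entry && entry.granted);
}

// Apply a banner submission. Only purposes the user explicitly ticked
// (boolean true, not "on" or a missing field) become granted; everything
// else is recorded as denied. That is what rules out pre-ticked boxes and
// "implied" consent at the code level.
function applyBannerSubmission(state, form, at = Date.now()) {
  for (const p of CONSENT_PURPOSES) {
    setConsent(state, p, form[p] === true, at);
  }
  return state;
}

// Lint a banner configuration: any purpose whose default is "on" is a
// pre-ticked box and therefore not valid GDPR consent.
function findPretickedDefaults(bannerConfig) {
  return Object.keys(bannerConfig).filter((p) => bannerConfig[p] === true);
}

// Gate third-party tags on consent: given a tag -> purpose map, return only
// the tags that may load right now. Strictly necessary tags always load.
function allowedTags(state, tagPurposes) {
  return Object.keys(tagPurposes).filter((tag) => {
    const purpose = tagPurposes[tag];
    return purpose === "necessary" || hasConsent(state, purpose);
  });
}

// Constructed walk-through (no real users or real tags).
const demo = newConsentState();
applyBannerSubmission(demo, { analytics: true }, 1552262400000); // 2019-03-11
const demoTags = { session_cookie: "necessary", ga: "analytics", fb_pixel: "advertising" };
console.log(allowedTags(demo, demoTags)); // [ 'session_cookie', 'ga' ]
withdrawAll(demo, 1552348800000);
console.log(allowedTags(demo, demoTags)); // [ 'session_cookie' ]
```

The important design choice is that nothing in the module can move a purpose to "granted" except an explicit boolean from the user, so a banner that forgets to render a checkbox, or a form library that submits "on" instead of true, fails closed. The `history` array is the evidence a controller needs to demonstrate consent (Article 7(1)); persist it server-side rather than only in a cookie, since the cookie is what the user will clear.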
Summary of GDPR Compliance for Privacy Policies
There are many benefits to having an up-to-date, GDPR-compliant
Privacy Policy.
You have a chance to review your data protection practices, so
you’re less likely to suffer a data breach or be subject to a
complaint.
If either of these things do happen, you can show data
protection authorities that you’ve done the right thing.
Your customers will feel that their personal data is safe and
their rights are respected.
Most importantly, if you process the personal data of people in the
EU, it’s legally required.
Your Privacy Policy needs to include information about:
How your users can contact you (and your DPO, if you have one)
Your purposes and legal basis for processing their personal
data
Any intended third-party recipients of their personal data
Any intended transfers outside the EU, and the safeguard relied on
How long you intend to store their personal data
How users can exercise their rights under the GDPR, including
withdrawing consent and complaining to a supervisory authority
Our Privacy Policy Generator helps you create a custom Privacy
Policy for your website and mobile app. Just follow these few
simple steps and your Privacy Policy will be ready to display.
1. Start the Privacy Policy Generator, located at the top of the
website.
2. Select where your Privacy Policy will be used:
3. Answer a few questions about your business:
4. Add your website or app information:
5. Answer a few questions about what information you collect
from your users:
6. Select options for how your users can contact you:
7. Select whether or not you wish to create a Professional
Privacy Policy that would include wording for GDPR and
CalOPPA:
8. Enter your email address where you’d like your new
Privacy Policy sent:
9. Click Create Privacy Policy and you’re done. Now you can
copy and paste your Privacy Policy code into your website,
or link to your hosted Privacy Policy.
Copyright © 2008 - 2019 FreePrivacyPolicy, All Rights Reserved. The reproduction, distribution, display, or
transmission of the content is strictly prohibited, unless authorized by FreePrivacyPolicy. All other
company & product names may be trademarks of the respective companies with which they are
associated.