A privacy policy is a document that details how a company or organisation handles any information it gathers. It should reveal the information it plans to collect, such as site visitor name, address, credit card number, etc. If data is to be left on a user’s computer (such as cookies), this should be specified alongside information on whether the customer’s data will be shared or sold to third parties.

Privacy Policy for websites and the GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy, which affects those within the European Union (EU) and the European Economic Area (EEA). The main goal of this regulation is to give citizens and residents more control over their data and what happens to it. With all EU countries adhering to the same regulations, it makes business between countries a lot easier. All companies doing business in the EU or EEA must store personal data using pseudonymisation or full anonymisation, as well as the highest privacy settings possible. The data cannot be made publicly available without the customer giving prior consent. If a data breach occurs, businesses must report it within 72 hours of it happening if customer data is at risk.

Although the GDPR was adopted on 14th April 2016, it wasn’t enforced until 25th May 2018. Since it is a regulation, it doesn’t require a national government to decide on any legislation. In the UK, the Data Protection Act 2018 was granted royal assent on 23rd May 2018, which ensures alignment with the EU on data protection after Brexit. The Data Protection Act 2018 also tailors the UK-GDPR, the UK’s own version of the GDPR, which came into effect on January 31st, 2020.

Note

When it comes to IP addresses, the legal situation was unclear for a long time. Recently, however, the European Court of Justice has found that it is possible to trace a link between an IP address and real personal data through an individual’s Internet provider. This means that IP addresses should also be treated as personal data, since they can be used to build up someone’s digital footprint whilst browsing online.

What is the Data Protection Act 2018?

The act is essentially the UK’s implementation of the GDPR. Its aim is to modernise data protection laws to make sure they remain effective in the years ahead. The GDPR is quite restrictive on member states, whereas the DPA 2018 covers more in addition to applying GDPR standards:

  • It contains a part on processing that doesn’t fall within EU law, e.g. relating to immigration. The GDPR standards still apply, but those that are unsuitable for the UK have been amended.
  • One part transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law. It lists the requirements for processing personal data for criminal law enforcement purposes.
  • Intelligence services must comply with internationally recognised data protection standards. Therefore, provisions based on Council of Europe Data Protection Convention 108 apply to them.
  • There are parts covering the ICO, its duties, functions, and powers, plus the enforcement provisions. The Data Protection Act 1998 is being repealed, so these changes are necessary for dealing with the interaction between FOIA/EIR and the DPA.

When are privacy policies mandatory in the UK?

Firstly, all UK-based online companies are required to be open with any users about how their personal data will be used. ‘Personal data’ is here defined as any data that ‘relates to a living individual who can be identified from that data’. This extends to any data relating to a person in a private or professional capacity. Meanwhile, there is a separate definition for ‘sensitive personal data’, which includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and information about any crimes committed. If any personal or sensitive personal data is to be processed, it is mandatory for the website owner to display a privacy policy. This must explain what cookies will be used and for what purpose. A recent change in legislation has also meant that websites now cannot use cookies on a user’s computer without first asking for that user’s consent.

What are the sanctions for non-compliance with privacy policy laws?

The Information Commissioner’s Office (ICO) has the power to impose fines or bring criminal proceedings if any misleading practices are detected. The most common offences involve gathering, disclosing, or procuring disclosure of personal data without users’ consent, causing significant damage or distress to the user. Further punishable offences include selling personal data that has been obtained illegally, processing data secretly, failing to comply with an enforcement notice, or authorising any of these activities in a managerial position. Website owners can also be punished for failing to take steps to prevent a breach of the DPA.

If the Information Commissioner brings an offence before the Magistrates’ Court, website owners can incur a fine of up to £5,000, which can rise to an unlimited amount if the case is tried on indictment and heard by the Crown Court.

If any part of the GDPR is breached, the company can be fined up to 4% of its global turnover or €20 million (£17.7 million), whichever is greater. This is the maximum a company can be fined; smaller fines are also imposed if the company doesn’t keep its records organised properly or doesn’t report a data breach.

Incorporating a privacy policy into your website

If you are required to have a privacy policy on your website, you should ensure it is as accessible as possible. The privacy policy used by IONOS can be easily found on the website under Terms and Conditions, or you can simply jump straight to the privacy policy statement. You should present the statement as a separate page with a clearly marked link on the main menu. It is also essential that the privacy policy is easy to understand, so it is advisable to use simple language and avoid complex legal or technical terms. In terms of content, it is vital that the information is accurate and unambiguous. The same applies to the imprint you must display on your website if you do business in Germany, Austria, or Switzerland. Ensure that the links set for this purpose are not obscured by other elements such as banners and that the privacy policy is visible in different browsers and on all end devices (PC, tablet, smartphone, etc.).

You can’t expect your customers to trust you if you aren’t being honest with them when it comes to what data is being collected and the reasons for it. Make sure you answer these points when compiling a privacy notice:

  • What information is being collected?
  • Who is collecting it?
  • How is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • How will this affect the individuals concerned?
  • Is there a chance the intended use will cause individuals to complain?

The ICO’s website has even more detailed information on the privacy information you need to provide.

It is also important to include the following information in your privacy policy:

  • A summary of the technical data collected and/or passed on (e.g. IP addresses, email addresses, etc.)
  • A summary of the personal data collected and/or passed on (e.g. name, address, etc.)
  • Data transferred from browsers (e.g. browser history)
  • Information about special features, like sweepstakes, online advertising, etc.
  • If required, information on the use of web analytics tools such as Google Analytics
  • Actions taken to ensure the security of data
  • Information about the user’s right of objection

Just because the Data Protection Act 1998 has now been updated to the Data Protection Act 2018 and GDPR law, it doesn’t mean you have to re-write your website’s privacy policy. There are six legal grounds to rely on for processing personal data: consent, contract, legal obligation, vital interests, public interest, and legitimate interests. If you asked users for consent before the laws came into force, it doesn’t necessarily mean you have to ask for it again. Any existing consent that is still in line with the GDPR requirements doesn’t need to be renewed. Sending customers emails asking if they still want to hear from you could actually have a detrimental effect, since it fills their inboxes with spam and could mean they build up a negative attitude towards your company.

Representative contact details

Some state legislation may require your privacy policy to provide contact information should a customer have a query regarding the policy or their data use. Despite this not being a federal law, it is becoming more and more common and considered best practice to include a point of contact. Privacy policies may include the name, postal address, email address or telephone number of the privacy policy representative. Here is a sample of what the relevant paragraph in your privacy declaration may look like:

Sample contact details:

Name of the individual(s) responsible

120 High St

London

E1 7AW

Tel: (telephone number)

Email: sample@email.com

Support with privacy policies: templates and generators

Many free online solutions help with generating privacy policies for websites. Existing templates are available and it is easy to find one that is suitable online. Prewritten templates are another option. These include valuable information on the protection of user data and can be applied to social networks, cookies, or newsletters. This gives users the added advantage of receiving data protection statements from Google Analytics or other analysis tools. These are delivered in filled-out forms and include links for users who object to their data being delivered to third parties.

In addition to the many templates that are available, some websites also offer free privacy policy generators which assemble sample texts to produce a final statement. The result is usually given as HTML code.

Templates and generators make it easy to draft a suitable privacy policy for your website. However, it is important to be diligent to ensure that the results are relevant to your specific website. Templates can provide a great basis for your statement, although there are often details that need changing or elaborating on. If you are unsure whether your privacy policy is correct, it is advisable to seek advice from a legal expert.

Note

Are you an IONOS customer? Here you can find a checklist especially for IONOS customers with all the information website operators need to bear in mind so that their website complies with the General Data Protection Regulation.

Changes in EU law: the GDPR

The GDPR, a document of around 54,000 words, can be summarised into these points:

  • Companies must obtain users’ permission in much more detail before using any of their data for marketing or advertising purposes.
  • Users must be able to download their own data in a format that they can take to a competing service. This is known as ‘data portability’.
  • Users must be able to inspect all the data collected by the company and amend anything if needed, as well as having the option to delete it if they don’t want the company to possess it anymore.
  • Users are now able to challenge algorithmic decisions that affect them and request that humans make these decisions instead.

Legal foundations for data processing

It is your duty to inform users of the legal basis for collecting and processing personal data. To do this, at least one of the following conditions must be fulfilled in accordance with Article 6 of the GDPR:

  • The subject has given their consent
  • Processing data is necessary to fulfil a contract with the subject or for carrying out pre-contractual operations
  • The controller fulfils a legal obligation to which they are subject
  • The purpose of processing is to protect the vital interests of the data subject or another person
  • The data processing is in the public interest
  • It is necessary to safeguard the legitimate interests of the controller or of a third party (provided that the fundamental rights and freedoms of the subject are not infringed).

Sample of providing a legal basis

Insofar as we have obtained the consent of the subject for the processing of personal data, Article 6(1)(1a) of the GDPR applies as the legal basis.

Where the processing of personal data is necessary to fulfil a contract with the subject or for pre-contractual measures initiated by the data subject, Article 6(1)(1b) of the GDPR provides the legal basis.

If the data processing is the result of a legal obligation to which we are subject, we refer to Article 6(1)(1c) of the GDPR as the legal basis.

Where personal data is processed in order to protect the vital interests of the subject or another natural person, Article 6(1)(1d) of the GDPR serves as the legal basis.

If the data processing as a task serves the public interest or takes place in exercise of official authority, we refer to Article 6(1)(1e) of the GDPR as the legal basis.

Insofar as the processing of personal data is necessary in order to safeguard the legitimate interests of the controller or a third party without jeopardising the interests, fundamental rights or fundamental freedoms of the subject, Article 6(1)(1f) of the GDPR shall apply as the legal basis.

Purposes of data processing

In addition to the legal basis, you must list the purposes for processing the relevant data-related information in your privacy statement. In order to achieve transparency, we recommend that you disclose any components of your website that collect this data, including:

  • Contact forms
  • Newsletter subscription
  • Input fields (e.g. for entering bank details in a shopping basket)
  • Tracking codes
  • Third-party plugins (e.g. social buttons)
  • Third-party content (e.g. YouTube videos)
  • Competitions
  • Cookies

Note

When it comes to embedding external content, you will need to exercise even more caution in the future, since the GDPR increases the need to inform the user before data processing. Third-party content like YouTube videos transmits data by default as soon as the website is accessed. Google has already reacted to this and implemented an ‘extended data protection mode’ in YouTube’s embedding options. If you enable this, you will generate an embed code that will not transmit data until the video is viewed.

If the previously mentioned Article 6(1)(1f) of the GDPR is relevant to your website, you should also state your legitimate interests in your privacy policy. When doing this you should check whether you are protecting the interests and rights of your website’s users in the best possible way. Typical purposes are, for example, analysing visitor behaviour to optimise the website or delivering personalised content for marketing purposes.

Template for indicating the purposes of data processing

In order to make your visit to our website as user-friendly as possible, and to provide you with all the available features, we collect specific data from the device you used to access our website. This data includes your:

  • IP address
  • Operating system
  • Browser type and version
  • Date and time of access

An evaluation of this data for marketing purposes will not take place.

Recipients of personal data

If you pass personal data along to third parties, you must also inform your users of this as part of the data protection declaration. For example, if you run an online shop, you are very likely to include other service providers such as suppliers or payment services in your business process.

This segment also includes implementations of third-party cookies and extensions, the use of which has always been linked to the disclosure of personal information. These include tracking codes and social media buttons. In both cases, you can indicate a legitimate interest to justify the use – however, it is advisable to also obtain the visitors’ consent (in the case of social media buttons, a data protection compliant procedure like the two-click solution is a good idea).
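The two-click solution mentioned here, and the YouTube embed mode described in the note above, written out as an added example in JavaScript (not IONOS’s own code): the page first renders a placeholder served from its own origin, and only a click on that placeholder creates the third-party iframe, so no request reaches the third party until the visitor has actively agreed. The YouTube URL is built on www.youtube-nocookie.com, the host YouTube’s privacy-enhanced embed option uses; the provider table, the video-id pattern and the sandbox keyword set are assumptions.

```javascript
// Two-click loader for third-party embeds (added example, not IONOS's code).
// Nothing is requested from the third party on page load: the visitor first
// sees a local placeholder, and only a click on it creates the real iframe.

// Allow-list of embed providers. www.youtube-nocookie.com is the host used by
// YouTube's privacy-enhanced embed option; the id pattern is an assumption
// (11 URL-safe characters) so that only a well-formed id ever reaches the URL.
const PROVIDERS = {
  youtube: {
    label: "YouTube",
    idPattern: /^[A-Za-z0-9_-]{11}$/,
    url: (id) => `https://www.youtube-nocookie.com/embed/${id}`,
  },
};

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reject unknown providers and malformed ids before anything is rendered.
function lookup(provider, id) {
  const p = PROVIDERS[provider];
  if (!p || typeof id !== "string" || !p.idPattern.test(id)) {
    throw new Error(`unknown provider or malformed id: ${provider}/${id}`);
  }
  return p;
}

// State before consent: plain markup from our own origin, no third-party
// request. The text names the host that will be contacted, as the privacy
// policy does in prose.
function placeholderMarkup(provider, id) {
  const p = lookup(provider, id);
  const host = new URL(p.url(id)).host;
  return (
    `<div class="embed-placeholder" data-provider="${escapeHtml(provider)}" data-id="${escapeHtml(id)}">` +
    `<p>Loading this ${p.label} content connects your browser to ${escapeHtml(host)}.</p>` +
    `<button type="button">Load ${p.label} content</button></div>`
  );
}

// State after consent: the real iframe. The sandbox keyword set is an
// assumption and may need widening for a particular player.
function embedMarkup(provider, id) {
  const p = lookup(provider, id);
  return (
    `<iframe src="${p.url(id)}" ` +
    `sandbox="allow-scripts allow-same-origin allow-popups allow-presentation" ` +
    `allow="fullscreen" referrerpolicy="strict-origin-when-cross-origin" loading="lazy"></iframe>`
  );
}

// Pure decision function: which of the two states to render for a given
// consent flag. Keeping it free of DOM access makes it testable offline.
function renderEmbed(provider, id, consented) {
  return consented ? embedMarkup(provider, id) : placeholderMarkup(provider, id);
}

// Browser wiring: the click on the placeholder is the "second click" that
// swaps it for the iframe. Guarded so the module also loads outside a browser.
if (typeof document !== "undefined") {
  document.addEventListener("click", (ev) => {
    const box = ev.target.closest(".embed-placeholder");
    if (box) box.outerHTML = embedMarkup(box.dataset.provider, box.dataset.id);
  });
}
```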

You should also include advertising services like Google AdSense or AdWords as recipients if you use them to help Internet users find your website.

Sample of specifying embedded third-party vendors (example: ‘Facebook Plugin’)

This website uses a Facebook social plug-in developed by Facebook Inc. (1 Hacker Way, Menlo Park, California 94025 USA), recognisable by the Facebook logo. The plugin establishes a direct connection between your browser and the Facebook servers once it has been activated. This requires a click on the appropriate button. We have no influence whatsoever on what kind of data is transmitted to Facebook Inc. or to what extent. A statement by the social media company on this topic can be found via the following link.

Note

If you intend to disclose personal information to a recipient in a third country or to an organisation that operates internationally, you should also disclose this intention in your privacy policy.

Duration of data storage

In order to make data processing as fair and transparent as possible, you should also disclose how long personal data will be stored for. If no clear value can be formulated for this, you can instead present the criteria that influence the period of data storage. As a rule, for example, you can provide concrete information for the storage of anonymised IP addresses in the log files if you have configured automatic deletion after a certain period of time. If, on the other hand, you work with cookies that make the visitor identifiable for the duration of the session, the length of that data storage is linked to each individual session duration.

Sample of a data storage duration specification

All personal data that we have collected during your visit through the use of session cookies is automatically deleted as soon as the purpose for its collection has been fulfilled. The session data is therefore stored until you end your session (by leaving or closing the website).

Note

If you store the personal data on servers outside the EU, this must be stated in the data protection declaration of your website – including reference to possibly different data protection regulations in the server’s location.

Reference to the data subject’s rights

All EU users from whom you collect personal information have several rights, also known as ‘data subject’s rights’. For example, the right of access specified in Article 15 GDPR grants detailed information on processing purposes, possible recipients, storage period and origin. In addition, users have the right to rectify personal data under Article 16 GDPR and – under certain conditions – the right to delete personal data under Article 17 GDPR.

Sample of reference to data subject’s rights

According to the GDPR, you are considered a data subject if you are an EU visitor to our website and personal data concerning you is processed by us. For this reason, you can make use of various data subject rights which are laid out in the General Data Protection Regulation. These are the right to access information (Article 15 GDPR), the right to erasure (Article 18 GDPR), the right to object (Article 21 GDPR), the right to lodge a complaint with a supervisory authority (Article 77 GDPR) and the right to data portability (Article 20 GDPR).

Clarification of legal or contractual obligations to collect data

To the extent that the provision of personal data is required by law or contract or is indispensable to completing a contract, you must inform your users accordingly. It is also necessary for you to provide information about the consequences of not providing such data.

Sample of clarifying data collection obligations

The collection of your personal data is indispensable for completing a contract, as well as fulfilling contractual obligations and services. If you do not provide us with the requested information, neither a successful conclusion of a contract, nor further contractual services are possible.

Information on the use of automated decision-making (including profiling)

If you use automated decision-making, including profiling, you are required to provide meaningful information about the underlying logic. It is essential that you identify the desired impact and scope of this kind of data processing on the data subject. The background is that, in principle, your users have the right ‘not to be subjected to a decision based exclusively on automated processing – including profiling’ as stated in Article 22 GDPR. However, this right does not apply if the respective automated procedure is necessary to conclude or carry out the contract, is permitted by EU and member state legislation or is carried out with the express consent of the person concerned.

Sample reference to automated decision making or profiling on your website

Before concluding your contract, we will carry out a fully automated credit assessment to determine your creditworthiness…

Does my company need a Data Protection Officer?

The GDPR stipulates that if your business deals with customers in the EU (including the UK despite Brexit), whether for business transactions or data processing, you will need to comply with its Data Protection Officer (DPO) requirements. The job of the Data Protection Officer is to safeguard personal information gathered through transactions with EU customers. This includes any sensitive information that could range from credit card information to something that can help identify a person’s ethnicity, location, religion, sexual orientation, etc.

The GDPR stipulates that all public authorities and private companies that are involved in large-scale, regular data processing of EU residents must comply with these regulations. If you are unsure whether your company fits this description, the best course of action is to seek legal counsel, as the repercussions for failing to adhere could be severe. More information about data protection officers can be found here.

If you need to hire a DPO, you must include their contact information in your website’s privacy policy. Here is a sample of what their contact information could look like in your privacy policy:

The data protection officer of this company is:

Name of the individual(s) responsible

15 Broad Street

POST CODE

Tel: (telephone number)

Email: sample@email.com

GDPR: A summary of the most important points

The new General Data Protection Regulation makes data protection in EU countries more transparent, understandable and secure. The need for a complete, comprehensive privacy statement is at the heart of this – especially for website operators who have to deal with vast amounts of personal data. If you have already drafted a privacy statement in the past, you will have noticed the disclosure of legal bases and the reference to users’ rights as major innovations in the above points.

Of course, these two aspects are by no means the only things distinguishing the revised or newly created data protection statements following the GDPR standard from older versions. Now, more than ever, you have the responsibility of explaining the purpose of data processing in a detailed, comprehensive way that leaves no open questions for your users. If your users do have questions, however, you or your DPO must be available to answer them. The GDPR emphasises that users must be informed as early as possible – always before data is collected.

Tip

You are welcome to use our GDPR-compliant privacy policy as a source of inspiration for your own privacy policy.

It is important to make sure your privacy policy covers the GDPR regulations. As always, consult a legal professional so you know that your privacy policies are legally watertight for the regions you interact with, and so that you don’t accidentally break the law and incur considerable legal penalties.
