There is no way around writing privacy policies today, whether for your website, for client agreements or for the contract you sign with a new employee. Under the GDPR, companies must inform people at the moment they collect personal data directly from them (Art. 13) and also when they obtain the data from another source rather than from the person themselves (Art. 14).
The following steps will help you write any kind of privacy policy, but the examples refer to the policy of a website, since all of you will most definitely need that one at some point (as well as a cookie banner, but let’s save that for another time; for now just take note that the banner will have to link to your policy).
If you still feel partly confused after following these steps, it helps to simply look at other websites, because there is no need to reinvent the wheel here. Take a look at how big, established companies such as Porsche did it, for instance. Such companies must have a data protection officer by law, who makes sure the policy is correct and up to date.
Before getting straight into it, please be aware that this is by no means comprehensive legal advice. But you will be on a very good path towards GDPR compliance if you follow these minimal requirements. Also, make sure to check out this great source for a downloadable version of a sample policy.
14 steps for writing a privacy policy
e.g. Welcome to the website of NextUnicorn GmbH (hereinafter “NextUnicorn”, “We” or “Us”). This privacy policy explains how our organization uses the personal data we collect from you when you use our website.
e.g. NextUnicorn collects the following personal data:
- Personal identification information (name, email address)
- Online identifiers (IP address, cookies, pixel tags)
e.g. We and the service providers acting on our behalf process personal data for the following purposes:
- To reply to user inquiries that come in through our contact form.
Legal basis: Our legitimate interest in answering your inquiry (Art. 6(1)(f) GDPR); where the inquiry concerns a contract with you, the performance of that contract or of pre-contractual steps taken at your request (Art. 6(1)(b) GDPR).
- For self-promotion and promotion by others, as well as for market research, reach analysis and the enhancement of our website.
Legal basis: Consent (Art. 6(1)(a) GDPR), or our legitimate interest in direct marketing (Art. 6(1)(f) GDPR) where this is in accordance with data protection and competition law.
e.g. NextUnicorn securely stores your data at [enter the location and describe security precautions taken].
NextUnicorn will keep your [enter type of data] for [enter time period]. Once this time period has expired, we will delete your data by [enter how you delete users’ data].
e.g. Through our newsletter, NextUnicorn would like to send you information about products and services of ours that we think you might like.
If you have agreed to receive the newsletter, you may withdraw your consent and opt out at any time with effect for the future.
e.g. NextUnicorn would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
The right to access – You have the right to request copies of your personal data from NextUnicorn.
The right to rectification – You have the right to request that NextUnicorn correct any information you believe is inaccurate. You also have the right to request that NextUnicorn complete information you believe is incomplete.
The right to erasure – You have the right to request that NextUnicorn erase your personal data, under certain conditions.
The right to restrict processing – You have the right to request that NextUnicorn restrict the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to NextUnicorn’s processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that NextUnicorn transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you (for complex or numerous requests this period may be extended by up to two further months, in which case we will inform you within the first month). If you would like to exercise any of these rights, please contact us at:
Phone:
Email:
e.g. There are a number of different types of cookies; our website uses the following:
- Functionality – NextUnicorn uses these cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and the location you are in. A mix of first-party and third-party cookies is used.
- Advertising – NextUnicorn uses these cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. NextUnicorn sometimes shares some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.
- Conversion tracking – NextUnicorn uses tracking tools that place a cookie on your computer if you accessed our website via an advertisement of a respective partner. Please note that using these tools may involve transferring your data to recipients outside the EEA, in countries for which the EU has not established an adequate level of data protection under the GDPR (see the section on international transfers below). For more details in this respect please refer to the following description of the individual marketing tools:
Facebook Pixel
Provider: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Function: JavaScript snippet that tracks the activities of visitors on the website.
Privacy policy: https://pixel.facebook.com/about/privacy/
You may opt out from conversion measurement with the Facebook pixel at any time. To do so, please click on the following link: https://www.facebook.com/settings/?tab=ads
Google Ads
Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
Function: Placement of advertisements, remarketing, conversion tracking.
Privacy policy: https://policies.google.com/privacy
Google Tag Manager
Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
Function: Administration of website tags via a user interface; integration of scripts into our website.
Privacy policy: https://policies.google.com/privacy
e.g. You can set your browser not to accept cookies, and your browser’s help pages explain how to remove cookies that have already been set. However, in a few cases some of our website features may not function as a result.
e.g. The information generated by all of Google’s cookies about your use of this website is usually transferred to a Google server in the USA and stored there. Google relies on the standard contractual clauses for data transfers.
The European Commission (EC) has approved the use of standard contractual clauses as a means of ensuring appropriate safeguards when transferring data outside the European Economic Area (EEA). By including the standard contractual clauses in a contract between the data exporter and the data importer, personal data is considered adequately safeguarded when transferred from the EEA or the United Kingdom to countries that are not covered by an adequacy decision. See more information about the EC standard contractual clauses here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc
Google offers these standard contractual clauses to customers who use Google’s business services, including Google Ads and Google Analytics. For detailed information on Google’s use of the standard contractual clauses please visit https://business.safety.google/compliance/?hl=de
If you apply automated decision-making, including profiling, you have to explain the logic behind it as well as the significance and the envisaged consequences for the people concerned (Art. 13(2)(f) GDPR). According to the GDPR, profiling refers to any form of automated processing of personal data used to evaluate or predict aspects of a person such as their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (Art. 4(4)). Decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on a person are prohibited (Art. 22) unless they are necessary to perform a contract with that person, are authorised by law, or are based on the person’s explicit consent; in the first and third case the person must be able to obtain human intervention and contest the decision.
e.g. Should you wish to lodge a complaint, or if you feel that NextUnicorn has not addressed your concern in a satisfactory manner, you may contact the supervisory authority responsible for us, the Berliner Beauftragte für Datenschutz und Informationsfreiheit (you may also complain to the supervisory authority of the EU member state in which you live or work):
Email: [enter the supervisory authority’s email address]
Address: Friedrichstr. 219, 10969 Berlin
e.g. The NextUnicorn website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.
e.g. NextUnicorn keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was last updated on XX.XX.XXXX.
e.g. If you have any questions about NextUnicorn’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us:
Address:
Phone:
Email:
* It is generally prohibited for any company to process personal data unless it can rely on at least one of the following six legal bases (Art. 6(1) GDPR):
- Consent: The person has given informed consent to the processing for a specific purpose.
- Contract: The processing is necessary to perform a contract with the person, or to take steps at their request before entering into one.
- Legal obligation: The processing is necessary for compliance with a legal obligation.
- Vital interest: To protect someone’s life.
- Public task: To perform a task in the public interest or in the exercise of official authority.
- Legitimate interest: The processing is necessary for the legitimate interests of the company (or a third party), provided these are not overridden by the interests or fundamental rights of the person.
If none of the other five bases applies, you have to ask for informed consent. Generally, ‘legitimate interest’ is the most flexible legal basis, but it requires you to carry out and document a balancing test against the interests of the people concerned.
** Never forget to inform people about their right to withdraw consent wherever the processing is based on consent.
*** The European Commission maintains a list of countries outside the EU that officially offer an adequate level of data protection (adequacy decisions). If you transfer data to recipients in any of these listed countries you do not need to take further safeguards.
Take special note of the fact that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so that the US as a whole was no longer covered by an adequacy decision and you had to inform about this in your privacy policy. Since July 2023 the EU-US Data Privacy Framework restores adequacy for US companies that are certified under it, so check whether your recipient is on the Data Privacy Framework list and name the transfer mechanism you actually rely on.
Otherwise, the most common solution used by US tech giants is to provide the so-called ‘standard contractual clauses’. These offer appropriate safeguards for transferring data internationally, but since Schrems II they have to be accompanied by a transfer impact assessment of the laws of the destination country and, where necessary, supplementary technical or contractual measures. Mention the mechanism in your policy as done in this example, and keep the signed clauses and the assessment on file.
The High-Tech SeedLab’s 10-month acceleration program is designed to help early-stage teams test their idea and business model, build or finalise a minimum viable product, and successfully launch their business.
This program is financed by the European Social Fund (ESF), as well as the State of Berlin.