PROCESSING SITUATIONS
A waterproof privacy policy
Your privacy policy is the instrument through which you inform your (contacts at) existing and potential customers, clients, suppliers, website visitors, prospects, employees and job candidates how you will use and protect their personal data.
Consequently, the privacy policy must be available to these persons for them to be able to acknowledge the policy.
Ideally, you work with (at least) two different privacy policies:
- an internal privacy policy, for your employees, internal consultants and anyone else who provides services within your company;
- a public privacy policy, for anyone who has no access to your internal documents, such as suppliers, prospects, customers, job candidates, etc.
It is of course possible to have more policies, if your activities require it.
Every privacy policy must contain a number of mandatory mentions, adapted to the persons whose data you are processing and to the ways you process their data.
You can find a template privacy policy via this link.
The privacy policy must contain the following information:
- the (categories of) personal data that you process
- the use you make of that data
- how you protect and safeguard that data
- how you collect that data
- which legal basis you rely on to process the data
- which third parties receive such data
- the places (countries) where the data are processed
- the rights which the persons concerned can exercise (e.g. right of access, right to be forgotten, right of rectification, etc.)
- who your company is and how it can be reached, including by e-mail
- how long the data are kept (retention policy)
- the right of data subjects to file a complaint with the data protection authority
- whether you use cookies, pixels or other tracking technologies
- if you have a data protection officer, how they can be reached
A privacy policy is sometimes also called a privacy statement or a privacy notice, but we recommend using the term “privacy policy”, because the other terms can also refer to the short informational texts that tell the persons concerned that a privacy policy exists and point out some specific aspects of the intended processing.
Details and readability
Your privacy policy should be sufficiently specific and detailed to allow the persons concerned to actually understand what happens with their data and what they can expect.
On the other hand, the GDPR also prescribes that the information you provide should be “concise” and “legible”.
Therefore, it is recommended to have a so-called “layered” privacy policy:
- The first “layer” is a very short overview of the principles you apply, which allows the persons concerned to establish “in the blink of an eye” what major principles you apply when processing their personal data.
- The second “layer” contains all the information. This can be a separate document, or the additional information can (for example) appear by clicking a “read more” button under the short description of the first layer.
To enhance readability, it is also strongly recommended to design your policy in a way that
- it can be read easily: avoid, for example, a small font, and arrange the text in a logical order that makes for comfortable reading;
- icons, symbols and/or images are added to the policy to visually support and illustrate its content.
Location of and references to your privacy policy
It is not enough to “have” the required privacy policies; you must also make sure that the persons concerned are informed of their existence before you start processing.
- The internal privacy policy that applies to your employees will have to be communicated to them in accordance with your local employment law. It may be required to refer to this “employee privacy policy” in your work rules and/or employment contracts. You will also need to communicate it to any other in-house service providers to whom the privacy policy applies.
- The external/public privacy policy is ideally placed on your website, with a fixed link to it in (at least) both the footer of your website and your cookie banner.
Furthermore, you will need to refer to your public privacy policy each time you obtain someone's personal data and each time you use such personal data to communicate. This means that you should have a link or URL in (for example) all your outgoing e-mails, below forms (web forms and paper forms), in job announcements, etc.
Finally, it is not sufficient to merely refer to the privacy policy. When you obtain personal information from a person, you must also briefly describe what you will do with it.
A form to subscribe to a newsletter can, for example, look like this:
“If you wish to (stay updated on similar offers/our product range/receive our newsletter/ …), please fill in your personal details below:
- E-mail address (mandatory):
- Gender: man/woman/other/I prefer not to say
- Name (mandatory):
- Surname (mandatory):
- Company
- Sector
- …
( ) I wish to receive the (company name) newsletter / e-mails customized to my profile / information, and I therefore give permission to process my data and e-mails automatically.
( ) I give my permission to transfer my data to third (commercial) partners, carefully selected by (company), in order to receive additional information based on my interests.
Send/confirm/subscribe [button]
You can unsubscribe from these e-mails or modify your preferences at any time.
We respect your privacy and do not disclose your data to third parties. For more information, please find our Privacy Policy at this link (insert link).”
And the footer of your e-mails can, for example, look like this:
“Your privacy is important to us; we process your data in accordance with the relevant privacy rules. This e-mail was sent to (e-mail address) because you are a registered user of our website (…). If you no longer wish to receive our e-mails, you can unsubscribe at any moment by clicking this link (insert link). Please find more information on how we process your data in our Privacy Policy (insert link).
© [year] – [name and legal form of your company] – [address of your company], [VAT number and/or company registration number]”
Time for action
Use our template privacy policy to draft your internal and public privacy policies.
Once you have drafted your privacy policies, you can verify their completeness via the SMOOTH platform.
Template from IAPP (in English)