If you simply copy the document from somewhere else, then you are likely to be non-compliant Why? Because you are legally required to tell your users about how you process their personal information.
Therefore, you should spend some time on this to make sure that you get it right.
Here you need to think about each of the types of people you collect data from. For example, your website visitors aren't providing the same data as your customers. There is a difference, and you need to make sure that you have an overview of each of these groups.
Many companies have the following groups they collect data from:
You need to find out what data you collect about the different types of people.
As an example, normally, you would collect the following information in regards to your customers: name, email, telephone number, address, country, title, when they signed up for your service, what company they are working for, etc.
For website visitors, you could, e.g., collect this type of data: the computer's Internet Protocol (IP) address, the user's browser type and version, the user agent, the pages the user visited, the time and date of their visit, the time spent on each page, and other details.
You are probably using personal data for many different things. It's very important that you look at how data flows in your company and think about what you use it for.
Here you also need to remember that you use the different group's data for different things. The data you collect when people visit your website is used for different things compared to when they contact your support team. So take some time describing the different purposes.
Here's an example of what you could write in regards to the purposes of data collected about your customers:
"If you contact our support team, we'll also collect the data you provide us when you contact us, e.g., what's wrong, how we can help you, and, e.g., when a complaint was filed. We do that in order to, e.g., handle your complaint and provide you with support."
This section should be about the lawful bases you rely on for the processing of the personal data. The different types of lawful bases are described in the General Data Protection Regulation (GDPR). Here are some examples:
Remember, if you are processing data on the basis of consent, you also need to tell people that they can withdraw their consent and also explain how they can do this.
Additionally, the GDPR outlines that you can only keep data for as long as there is a "need to have" a "nice to have" is not enough.
Safety and security of the personal data that you process needs to be described in your policy. So tell how you are storing the data and how you intend to securely destroy or dispose of it.
You can consider describing your security practices in a security white paper or a data practices & security document. This white paper should be placed on your website so your users can read about your security and data practices.
Remember that you need to respond to the user within a month.
You should insert your business’ contact details. This includes your company, address, email address, phone number and web address.
You need to include the date you completed the privacy notice.
Also remember that you need to:
Disclaimer: Depending on your line of business, country, industry and customer type (e.g. children, consumers etc.) you might need other documents and information so please note that this list is not exhaustive.
To sum it up, these are the main website legal requirements, which will make your online project GDPR compliant.
We also compiled an in-depth article about website compliance, where you can find out more about the compliance elements and legislation you need to comply with as a website owner.