A how-to guide for writing your privacy policy

Written by Camilla Lassen on .

The majority of websites in the EU have a privacy policy on their websites. The reason is that almost all companies - no matter their size - have data about other people, e.g., their name and email. If your company has this type of information, you need a privacy policy.

The privacy policy is also often referred to as a "privacy notice" or "privacy information". Here we use the term "privacy policy". All of these documents refer to information about why you need people's personal data, what you are using it for, how long you're going to keep it for, and whether you'll share it with anyone else.

In the following guide, you can learn about how to draft your privacy policy. However, in light of this legal document's importance, we recommend that you either get help from your attorney or find a solution that can help you.

Can I copy a privacy policy from somewhere else?

Copying a privacy policy from another website isn't a good idea.

The reason is that the privacy policy is an essential document. The document describes to your website visitors, users, customers, etc., how you process their personal information, for what purposes, for how long, and what security measures you have in place.

If you simply copy the document from somewhere else, then you are likely to be non-compliant. Why? Because you are legally required to tell your users about how you process their personal information.

When you copy the document from someone else, the privacy policy is unlikely to match how you actually handle data, and that puts you in violation of the GDPR.

Therefore, you should spend some time on this to make sure that you get it right.

What you need to include in a privacy policy

Before you begin drafting your privacy policy, start by figuring out the following:

1. Who do you collect data about?

Here you need to think about each of the types of people you collect data from. For example, your website visitors aren't providing the same data as your customers. There is a difference, and you need to make sure that you have an overview of each of these groups.

Many companies have the following groups they collect data from:

  • website visitors
  • customers / users / clients
  • candidates

2. What data do you collect about the groups?

You need to find out what data you collect about the different types of people.

As an example, normally, you would collect the following information in regards to your customers: name, email, telephone number, address, country, title, when they signed up for your service, what company they are working for, etc.

For website visitors, you could, e.g., collect this type of data: the computer's Internet Protocol (IP) address, the user's browser type and version, the user agent, the pages the user visited, the time and date of their visit, the time spent on each page, and other details.

3. What do you use the data for?

You are probably using personal data for many different things. It's very important that you look at how data flows in your company and think about what you use it for.

Here you also need to remember that you use the different groups' data for different things. The data you collect when people visit your website is used for different things compared to when they contact your support team. So take some time describing the different purposes.

Here's an example of what you could write in regards to the purposes of data collected about your customers:

"If you contact our support team, we'll also collect the data you provide us when you contact us, e.g., what's wrong, how we can help you, and, e.g., when a complaint was filed. We do that in order to, e.g., handle your complaint and provide you with support."

4. Your legal grounds for processing the personal data

This section should be about the lawful bases you rely on for the processing of the personal data. The different types of lawful bases are described in the General Data Protection Regulation (GDPR). Here are some examples:

  • your consent
  • we are contractually obligated
  • we need to perform a public task
  • we have a legitimate interest
  • to defend us against legal claims

Remember, if you are processing data on the basis of consent, you also need to tell people that they can withdraw their consent and also explain how they can do this.

5. For how long do you keep the data?

You need a data retention policy for all personal data you collect. This means that you need to have an overview of how long you are keeping each type of data; this overview is your data retention policy. Your privacy policy should state the retention period for each type of data that you mention in it.

Additionally, the GDPR outlines that you can only keep data for as long as there is a "need to have"; a "nice to have" is not enough.

6. How do you keep the data safe and secure?

The safety and security of the personal data that you process need to be described in your policy. So tell how you are storing the data and how you intend to securely destroy or dispose of it.

You can consider describing your security practices in a security white paper or a data practices & security document. This white paper should be placed on your website so your users can read about your security and data practices.

7. Who do you share the data with?

8. The data protection rights

The privacy policy also has to include information about people’s rights. These rights include:

  • the right to access
  • the right to restriction of the data processing
  • the right to rectification / edits
  • the right to data portability

Remember that you need to respond to the user within a month.

9. Who can people complain to?

Your privacy policy has to contain information about how people can complain about the data processing activities. This section needs to include information about how they can contact you and also which data protection agency they can complain to. The information about the data protection agency should include their address, phone number and a link to the agency’s website.

10. Your contact details need to be included

You should insert your business’ contact details. This includes your company name, address, email address, phone number and web address.

The date of your privacy policy

You need to include the date you completed the privacy notice.

Privacy policy checklist

You need to have a privacy policy that contains the following:

  • Your company name, address, email, and other contact details as data controller
  • When did you complete your privacy policy (date stamp)
  • Who do you collect personal data about
  • What personal data is collected from your users and what you are using this data for (the purposes)
  • The legal grounds for processing the personal data
  • Who you are sharing the data with
  • Your security measures
  • The data retention periods for the specific data collected
  • How to file a complaint and to whom
  • How the user can exercise their right to request:
    • Data access
    • Data deletion
    • Data edits

Also remember that you need to:

  • Make sure your privacy policy is accessible when collecting your users' information
  • Make sure your privacy policy is easy to read and understand
  • Make sure you can prove that you gave your users / customers the option to read the privacy policy through when their consent was given

Where do you need to include your privacy policy?

Make sure that the privacy policy is available on your website and that it's available in all the places where you collect personal data, e.g., sign-up forms, newsletter pop-ups, etc.

Privacy policy proof

Make sure you can prove that you gave your users the option to read the privacy policy through when their consent was given.

Disclaimer: Depending on your line of business, country, industry and customer type (e.g. children, consumers etc.) you might need other documents and information so please note that this list is not exhaustive.

Further reading

To sum it up, these are the main website legal requirements, which will make your online project GDPR compliant.

We also compiled an in-depth article about website compliance, where you can find out more about the compliance elements and legislation you need to comply with as a website owner.
