Privacy policy

Nowadays, virtually every company needs a privacy policy. The General Data Protection Regulation (GDPR) obliges every company that processes personal data to do so.

 

Almost every company processes personal data. Because personal data is every type of data that can indirectly be traced back to persons. And almost every action that a company can perform with it is considered processing within the meaning of the GDPR. If you have a contact form on your website in which visitors are requested to fill in their name and e-mail address, this already counts as processing personal data.

​

What should be included in a privacy policy?

 

 What must  be included in the privacy policy as required by GDPR is in any case:​

​

- the name and contact details of the company responsible for the processing of personal data;

- which types of personal data are processed;

- with which types of companies the personal data is shared and whether data is provided to

recipients outside the European Economic Area (EEA);

- what kind of cookies are used and the purpose of these cookies;

- how long personal data is kept;

- what legal basis there is for processing personal data;

- what the rights are of the person whose personal data is processed and how that person can file a complaint.

​

Write a privacy policy

 

It is difficult for most companies to draft a privacy policy that fully meets these requirements. This is because it is necessary to know exactly what is meant by them. This requires a good understanding of the GDPR and relevant explanations of this law.

​

For example, there are only a few legal bases for processing, which in turn must meet certain specific conditions.

 

If personal data is provided to a recipient outside the European Economic Area (EEA), it must be stated to which country that is and whether that country has been declared adequate by the European Commission. If that country has not been declared adequate, sufficient appropriate safeguards must be taken. For example, many companies use servers in America. Until recently, you only had to check whether the company with which data was shared had joined the Privacy Shield, to which reference could be made in the privacy policy. But recently, the Privacy Shield has been declared invalid by the European Court of Justice. Therefore, additional measures have to be taken now for the processing of personal data to companies in the US to be allowed.

 

Sometimes the personal data that is processed is considered sensitive data. Sensitive data is, for example, data about a person's race, religion or health. Additional requirements apply for this type of data under the GDPR. Additional requirements must also be met in special circumstances, such as profiling of persons or automated decision-making or profiling.

 

Finally, the information included in the privacy statement must be concise, transparent and understandable .

​

Drafting a customised privacy policy

​

If you do not have a privacy policy, if your privacy policy does not meet the requirements or if the privacy statement is difficult to find, you could be fined. It is therefore advisable to have the privacy policy drafted by a specialized Dutch lawyer.

​

I am very experienced in drafting tailor-made privacy policies for all kinds of companies. If you have me draft your privacy policy, you can be sure that it will meet all GDPR requirements. As a side note, having a processing agreement is also often mandatory under  GDPR. I wrote this blog about that.  

​

It doesn't have to be expensive to have me draft your privacy policy (or processing agreement). Do you want to know how much it costs? Do not hesitate to to get in touch .

​