Privacy policies

A privacy policy is a written statement of all the measures applied by a company or organization to guarantee the security and lawful use of the user or customer data collected in the context of the business relationship. The web privacy policy also details how data is collected, stored and used, as well as whether it is sent to third parties and, if so, in what way.

When is it mandatory to have a web privacy policy?

Approved in 2016 but applied de facto since May 2018, the General Data Protection Regulation (GDPR) reinforces at European level the rights of consumers regarding the control of their privacy. The Regulation establishes a legal framework that affects all member states of the Union. To adapt to the new European requirements, the Organic Law for the Protection of Personal Data and guarantee of digital rights (LOPD-GDD) was adopted, which thus replaced the LOPD of 1999.


For a time the legal situation regarding IP addresses was not clear. However, the Court of Justice of the European Union has ruled that an association between IP addresses and actual personal data can be established through the Internet provider. Therefore, IP addresses are also considered personal data.

Nowadays it is practically impossible to manage a website without collecting data. That is why every website should have its own privacy policy. In this way, you will not only avoid possible sanctions, but you will also be providing an important service to your visitors.

However, while collecting data, and therefore writing a privacy policy, is easily justifiable for an online store, the situation changes for other types of services. Data is automatically collected and stored every minute, often without the owner of the website realizing it: for example, the IP addresses that web servers save in log files, the personal data linked to the use of social buttons, and the cookies that store information about users and their browsing habits. Another sensitive topic is web analytics tools such as Google Analytics, which record web traffic. This Google tool is especially problematic in terms of data protection standards, since users' IP addresses are stored on servers located in the United States.

To reduce the severity of this problem, those in charge of managing web pages can shorten an IP address by its last block of digits, so that it loses the link to any personal information.
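The truncation described above, as an added example that is not part of the original article: a Python filter that zeroes the host part of the client address in web-server log lines before they are stored. The /24 and /48 prefix lengths, the function names and the sample log lines are assumptions made for this illustration.

```python
import ipaddress

# Assumed prefix lengths (not from the article): keep the first three IPv4
# octets and the first 48 bits of an IPv6 address, zero everything else.
V4_PREFIX = 24
V6_PREFIX = 48


def truncate_ip(raw: str) -> str:
    """Return the address with its host part zeroed, or '-' if unparsable."""
    try:
        addr = ipaddress.ip_address(raw.strip("[]"))
        # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries a full IPv4
        # address in its low bits, so it must be treated as IPv4.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    except ValueError:
        # Fail closed: never write an unparsed client value back to the log.
        return "-"
    return str(net.network_address)


def anonymize_line(line: str) -> str:
    """Truncate the client address in the first field of an access-log line."""
    client, sep, rest = line.partition(" ")
    return truncate_ip(client) + sep + rest


# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.77 - - [12/Mar/2024:10:15:32 +0000] "GET /contact HTTP/1.1" 200 5120',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [12/Mar/2024:10:15:40 +0000] "GET / HTTP/1.1" 200 1043',
    '::ffff:198.51.100.23 - - [12/Mar/2024:10:16:02 +0000] "POST /newsletter HTTP/1.1" 302 0',
    'not-an-ip - - [12/Mar/2024:10:16:09 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(anonymize_line(entry))
```

The filter only rewrites the first field of each line; addresses that appear elsewhere, for example in a forwarded-for header that the server also logs, need the same treatment.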

What are the consequences of not having a privacy policy?

The GDPR not only constrains companies through the obligation to have and formulate a privacy policy, but also raises the penalties for non-compliance to up to 20 million euros or, in the case of a company, four percent of annual global turnover (the higher value applies).

What should a privacy policy include?

In theory, every web administrator should inform their users about the collection and protection of their data and personal information before starting any type of activity. In practice this is somewhat complicated, so it is common for users to be informed at the moment their data is collected. As with the legal notice, the privacy policy must be clear and accessible from any page, so you need to create a single page exclusively for this purpose. Also make sure that links to the privacy policy are not obscured by banners or any other advertising and that the policy displays correctly in any browser and on all devices.

Likewise, it is crucial to pay attention to the wording: it must be exact, precise and clear, avoiding, for example, the use of very technical or legally complicated terms. Depending on the profile of the clients or the group of users of your website, you can write the privacy policy in several languages so that it is also accessible to visitors who do not speak Spanish. It is very important to follow what is indicated in Article 12 of the GDPR. You can also use design elements such as lists or tables to make the content easier to understand.

If until now it was not very clear which aspects a privacy policy must not omit, the Regulation lists in Article 13 ("Information to be provided when the personal data is obtained from the interested party") the information that those in charge of web pages must present in their privacy policy (it is also indicated in Article 11.2 of the LOPD-GDD). Basically, it comprises the identity of the person in charge of processing the personal data, the reason why this data is collected and for how long, and the user's right to request the data or to cancel its use.

We explain these rights more fully below.

Contact details of the controller or his representative

In accordance with the GDPR, the privacy policy must state the contact information of the company or of its representatives: in addition to the name, the current postal and e-mail addresses as well as a phone number. If the headquarters of the company or of the main person in charge is located outside the territory of the EU, indicate the contact details of your official representative. This paragraph could be worded as follows:

Template for contact information

The party responsible for the processing of personal data in accordance with the GDPR is:

Name of the company/responsible/representative

Main Street, 1
12345 Villarriba
Tel.: 123456789

Contact details of the data protection officer (DPO)

If at least 20 employees are regularly involved in the automated processing of data, or the core of the company's activity consists of the commercial transfer of personal data, a data protection officer must be appointed (art. 37, GDPR; art. 34 LOPD-GDD). The same applies when working with special categories of personal information such as political opinions, religious convictions or ethnic background. In this case, the privacy policy must also show the contact details of this person.

Template for DPO contact details

The data protection officer according to the GDPR is:

Name of the DPO

Main Street, 1
12345 Villarriba
Tel.: 123456789

Lawfulness of data processing

It is the duty of the owners or managers of web pages to duly inform the user of the lawfulness of the collection and processing of their personal data, which is determined by the fulfillment of at least one of the conditions described in Article 6 of the GDPR:


  1. “the interested party gave their consent for the processing of their personal data for one or more specific purposes;
  2. the processing is necessary for the execution of a contract to which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures;
  3. the processing is necessary for compliance with a legal obligation applicable to the data controller;
  4. the processing is necessary to protect the vital interests of the interested party or another natural person;
  5. the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller;
  6. the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests are not overridden by the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. […]”

Template to report the legality of data processing

The person responsible for processing the personal data of the interested party informs you that this data will be processed in accordance with the provisions of current regulations on the protection of personal data, Regulation (EU) 2016/679 of April 27, 2016 (GDPR) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, for which the following processing information is provided:

As long as we have the consent of the interested party for the processing of personal data, section a) of point 1) of Article 6 of the GDPR applies as the legal basis.

If the processing of personal data is necessary for the execution of a contract with the interested party or for pre-contractual measures, section b) of point 1) of Article 6 of the GDPR applies.

If the processing of personal data is the consequence of a legal obligation on our part, we refer to section c) of point 1) of Article 6 of the GDPR.

If the processing of personal data is intended to protect the vital interests of the interested party or of another natural person, we rely on section d) of point 1) of Article 6 of the GDPR.

If the processing of personal data is necessary to fulfill a task in the public interest or in the exercise of a public obligation, we refer to section e) of point 1) of Article 6 of the GDPR.

As long as the processing of the data is necessary to satisfy the legitimate interests of the person in charge or of a third party without putting at risk the interests, fundamental rights or freedoms of the data subject, the legal basis is established by section f) of point 1) of Article 6 of the GDPR.

Purposes of data processing

In the privacy statement of your project you must state the objectives you pursue when collecting and processing the data of your users. For this, and to show transparency, it is advisable to list all the components of your website that collect this type of information, such as:

  • contact forms,
  • newsletter registration,
  • data entry fields, for example, to indicate bank details at the end of a purchase,
  • tracking codes,
  • third-party plugins (social buttons),
  • third party content (YouTube),
  • contests,
  • cookies.

When it comes to integrating external content, you have to be very careful, since the GDPR strengthens the need to inform the user before the data collection takes place. Google has already reacted by offering the extended data protection mode in the video embedding options of its audiovisual platform. If activated, an embed code is generated that only sends the data when the video starts.

If point 1.f) of Article 6 of the GDPR mentioned above is relevant in your case, you should specify what your legitimate interests are while checking whether you are also protecting the interests and fundamental rights of the user. Some of the usual goals linked to the processing of data are the analysis of user behavior on the page for optimization, the design of more personalized content, or marketing purposes.

Template to explain why personal data is processed

To make your visit as pleasant as possible and to offer you all the available functions, we collect a series of data about the device that you are using at the time of visiting us. These are:

  • IP address,
  • operating system,
  • browser type and version,
  • date and time of visit,
  • etc.

This data is not processed for marketing purposes.

Recipients or categories of recipients of the data

The privacy policy is also the context in which the user is informed whether personal data is sent to third parties. This would be the case of an online store that includes external contractors, such as suppliers or online payment platforms, in its commercial processes.

This is also the section that covers third-party cookie implementations and extensions, whose use is always linked to a delivery of personal data. It is the place to name the tracking codes and the social buttons. In both cases, the person in charge can justify their use with a legitimate interest, but it is advisable to rely on the explicit consent of the user. In the case of social buttons, a procedure compliant with data protection, such as the two-click solution, should also be considered.

Some advertising services such as Google AdSense or AdWords must also be mentioned as recipients of data if they are used to finance the project.

Template to inform about the recipients of the data (example: Facebook plugin)

This website uses a Facebook social plugin developed and operated by Facebook Inc. (1 Hacker Way, Menlo Park, California 94025 USA), which can be recognized by the Facebook logo. This plugin creates a direct connection between your browser and the Facebook servers as soon as it is activated by pressing the button. We have no influence on the type and amount of data that is sent to Facebook by this method. At the following link you can read the company's explanation on the matter:


If you intend to send personal data to a third country or to an international organization, this section is the place to indicate it.

Data retention period

Another piece of information that makes your data processing more transparent is the time during which you will store the data. If you cannot state it exactly, you can refer to the criteria that determine the retention period. You can, for example, refer to the period that you have configured for the automatic removal of (anonymised) IP addresses from the log files. If you work with cookies that allow you to identify the user for the duration of their session, the retention period of their data will be closely linked to the duration of the session.

Template to inform about the data retention period

All personal data we collect through session cookies during your visit is automatically deleted as soon as the reason for its collection has been fulfilled. In this way, the session data is kept until you end your session by leaving or closing the page.


If you store the personal data of your users on servers outside the EU, you have to indicate this explicitly, referring to possible differences in data protection regulation.

Reference to the rights of the interested party

The users or interested parties whose data is collected have rights over it. The right to information (or right of access, as stated in Article 13 of the LOPD-GDD) set out in Article 15 guarantees that users can find out about the purposes of the processing of their data, its possible recipients, its retention period and its origin. Users also have the right to rectification, as stated in Article 16, and even, depending on the circumstances, to the deletion of their data, under the right of deletion contained in Article 17.

Template to inform of the rights of the interested parties

In accordance with the GDPR, the person whose personal data is processed is considered the interested party, which is why you can benefit from the rights recognized by this fundamental directive on data protection, which are: the right to information (art. 15), to rectification (art. 16), to deletion (art. 17), to the limitation of processing (art. 18), to object (art. 21), to lodge a complaint with a supervisory authority (art. 77) and to portability (art. 20).

Legal or contractual duty to collect data

If it is essential to have personal data because of a legal requirement or because the execution of a contract requires it, the user must be duly informed of this, as well as of the consequences that would result from not providing it.

Template to explain the obligation to collect personal data

The collection of your personal data is necessary in order to enter into a contract and comply with the obligations and benefits that this contract implies, so that if we do not have your consent we cannot enter into the contract or provide the services agreed.

Explanation on the use of automated individual decisions (including profiling)

If on your page you make decisions based on the automated processing of data that affect the interested party, including the creation of user profiles, you are obliged to explain the underlying logic in detail. It is above all about explaining the effects and the scope that these processes have on the interested party, because your user has the fundamental right “not to be the subject of a decision based solely on automated processing, including profiling, that produces legal effects on him or significantly affects him similarly”, as explained in Article 22. But this right does not apply when the automated process is necessary to enter into or perform a contract, is authorized by the law of the Union or of the Member States, or has the consent of the user.

Template to warn about automated decisions (profiling)

Before closing the contract we carry out a credit analysis to confirm your solvency.

What do we take away from the GDPR?

The General Data Protection Regulation brings transparency and security to the protection of personal information in the EU Member States while making it more understandable for the consumer. The main motivation for this is the need to have a complete and correctly worded privacy policy, especially for those website owners who are used to working with huge amounts of very diverse personal data.

If your project already had a privacy policy before the reform, two of the points listed above will surely stand out as the biggest novelties: the disclosure of the lawfulness of the processing and the explanations of the rights of users.

Naturally, these are by no means the only aspects that distinguish the new web privacy policies under the GDPR from the old model. Now more than ever, those responsible have the task of explaining why and for what purpose the data is processed, and of making it clear enough to be easily understood and leave no questions open. If necessary, either the person in charge of the website or the data protection officer must attend to the user. The Regulation also highlights that information should be provided as soon as possible, specifically before collecting the data.



This new regulation is more homogeneous and makes it easier for the courts to deal with hypothetical future offenses. Taking into account the anticipated penalties of up to twenty million euros, you should be careful when preparing a web privacy policy.

Web privacy policy: generators and online templates

On the Internet there is a large number of free tools with which it is possible to create a privacy policy. Here it is essential to find a template that fits the services offered by the website and the needs of its users. It is common to find general templates for data collection and others for special categories, such as social networks (Facebook, Twitter, etc.), cookies, contact forms or newsletters. It is also possible to find templates outlining the requirements for pages that use web analytics tools such as Google Analytics; these generally include a link for users who do not agree with the collection and dissemination of their data.

In addition to templates, there are free privacy policy generators that compile the necessary texts and give them their final form. The result is usually available as text or as HTML code.

Online templates and generators are of great help for writing the privacy policy of your own web pages. However, they should not be blindly trusted. Even though the models are usually correct, it is always necessary to complement them or adapt small details to your own needs. If you are not sure whether your website's privacy policy complies with current law, it is recommended that you contact a lawyer or a data protection expert to avoid further headaches.
