
Drafting privacy policy in compliance with the GDPR

The vast majority of sites already have a document called “Privacy Policy”, but the mere presence of such a document does not mean that all of its provisions comply with the GDPR. Each company's activities involve a different amount of PD collected, different storage periods for PD, different processing mechanisms, different markets in which the company operates, different cloud services used by the company – the list goes on. Your business is individual! Therefore, copying the Privacy Policy from the site of a company that works in an identical niche to yours will only create risks that can materialize when an employee of the supervisory authority, a disgruntled client or a competitor visits your site.

How to develop a privacy policy?

  1. How to start the process of developing a privacy policy? Of course, the initial task is to study the regulations governing the protection of personal data that apply in the jurisdictions where your business will operate. The broadest in terms of territorial application and regulated subject matter is, of course, the GDPR; there are also acts on the protection of personal data adopted in California, Canada and the vast majority of countries. You need to identify the provisions of these regulations that concern you and relate to your processing and your obligations, and determine what role you play within the framework of the GDPR.
  2. The next step is to determine the PD that you collect and use. The less personal data you request, process and store, the easier it will be to draft a privacy policy; at this stage it is also possible to identify personal data that are not really needed for your purposes and stop any interaction with them. It is also necessary to determine the purposes of processing and the legal grounds enshrined in the acts on the protection of personal data, and to determine their applicability to each specific case of interaction with personal data. It is important to understand for how long the PD you have collected is kept, because the retention period must be adequate and correspond to the purposes.
  3. The actual writing of the privacy policy should start with defining the structure. The first part of the policy should be general information regarding:

– your company,

– determining your role in the processing of personal data,

– norms on amendments, entry into force,

– principles of interaction with PD,

– the scope of the policy (which resources and types of interaction with PD subjects are covered by the policy).

The second part, as a rule, should contain the main provisions regarding interaction with PD. This list includes:

– rules regarding the transfer of PD to third parties,

– actions taken to minimize the use of PD,

– actions taken to protect PD from unauthorized access.

The third part is based on the results of the research undertaken in the second step: in particular, you need to specify the personal data that are collected and processed, the purposes and legal grounds for processing, and the period for which the PD is stored.

In the fourth part, it is necessary to indicate the rights that PD subjects have.

We do not make “templates”, because we know about the risks that they carry. Comprehensive analysis of all mechanisms of interaction with PD that occur through the site is essential groundwork for drafting policies for your site. Contact Legarithm if your goal is to obtain a document that will have legal value.