You are currently viewing Privacy Policy: The Βasics

Privacy Policy: The Βasics

Welcome to Tilderist’s series of guides! Here you will find all the necessary information for any subject you might be interested in. Today we will focus on the concept of privacy policy. Have a good read!

What will we see in this post?

What is the Privacy Policy?

It is a legal document that defines how the personal data of both customers and employees of your company/organization is collected, processed and used.

It’s also a “living” document that evolves with your business and adapts to its needs. This is why you need to keep your privacy policy up to date when there are changes in laws and regulations, when new products and services are introduced, when there is a corporate change, when platform data processing has changed or when a lot of time has passed since its formulation.

More in our article “Privacy Policy Amendments”.

Most businesses are free to have the privacy policy they adopt, always within the protective scope of Regulation (EU) 2018/1725, which concerns the protection of the personal data of the subjects participating in your company/organization.

In any case, however, compliance with this protective regime lies with one person, the data controller of the respective electronic service, who is a person designated by the respective company/organization.

Here’s an example of Google’s Privacy Policy:

The contents of Google's Privacy Policy
An example from Google’s Privacy Policy

What is the purpose of a Privacy Policy?

The purpose of the privacy policy beyond protection is to limit the collection of personal data to the information necessary for the fulfillment of their activities, which must be covered by a legitimate purpose.

Of course, through the privacy policy, the user/visitor of your website can be informed about what data is collected, why and how it will be used.

However, this happens after the user completes a document with which he gives his consent to access their data.

Why is a Privacy Policy necessary?

Having a privacy policy is required by law, which companies should respect in order to avoid potential sanctions and penalties. A privacy policy also fosters trust between the company and its customers, while also protecting the company/organisation from heavy fines that may be imposed In case it’s missing.

Moreover, search engines recognize the importance of data protection and are more likely to prioritize websites that have a privacy policy in place, as it indicates a commitment to user privacy and security.

This is why the adopted privacy policy should be in a prominent place that is easily accessible to users, such as on the website’s footer.

Learn more in our article “Why you need a Privacy Policy”.

Who is a Privacy Policy for?

It mainly concerns companies/organizations for the use of which it is necessary to register certain personal information of their users. This could also include NGOs.

At the same time, it plays a special role for companies whose activities rely heavily on the processing of personal data.

How to enforce a Privacy Policy?

The privacy policy must include some specific elements in order to be complete and to cover all the needs of your company. The most important of these are:

  • which company/organisation will process the data of the privacy policy
  • what information is gathered
  • how the site uses them
  • why personal data is collected
  • information in the event that the information is disclosed to third parties
  • the protection guests have in the event of a breach of their personal data

If your company does not share this information, there is a great risk of a personal data breach. In this case, your company or organisation should notify the appropriate supervisory authority without undue delay as well as the data subject who suffered the breach within 72 hours after being aware of it.

Afterwards, according to Article 58 (2) of Regulation 2018/1725, if there is only a possibility that the intended processing operations violate the personal data, then the supervisory authority gives a warning to the controller, but in case it is certain that the processing operations violate the GDPR Regulation, then the attributes reprimand to the controller of the company, prohibiting the processing of data and imposing fines of up to 20 million euros or up to 4% of the total turnover of the business

You can read more in our article about personal data breaches.

Who is responsible for a company’s Privacy Policy?

Each company has the responsibility to appoint a Data Controller, whose duties include determining not only the purposes but also the means of processing personal data (find out more on this subject in our post about data processing).

Furthermore, the Processor is under the control of the Controller, who processes personal data on behalf of the Controller. The Processor is likely to be a third party outside the company/organization. Of course, when there is a group of enterprises, one enterprise may act as a processor on behalf of another enterprise.

The tasks of the processor should be specified in each case in a contract (in written or electronic form) signed between the Processor and the Controller. Furthermore, the Processor may delegate the performance of some of its tasks to another processor only if it has received prior permission from the Processor.

The Data Controller together with the Processor appoint a Data Protection Officer in the event that:

  1. Processing is carried out by a public authority or body, with the exception of the courts.
  2. The main responsibilities of the controller and the processor are related to the processing and necessitate the systematic and regular monitoring of the data subjects.
  3. The main responsibilities of the controller or processor include the processing of special categories of data or personal data relating to criminal convictions and offences.

Learn more about the data controller and their responsibilities in our introductory article on personal data.

What are the Data Protection Officer’s duties?

The Data Protection Officer should:

  • inform and advise the Controller and the Processor on their obligations under the GDPR or other provisions of the respective Member State.
  • monitor whether the employees of the processing carried out comply with the GDPR, other Union or Member State provisions on data protection as well as the policies of the controller or processor in relation to the protection of personal data. These include delegation of responsibilities, awareness-raising and training of employees involved in processing operations, and related controls.
  • give advice, when requested, on the impact assessment and its implementation.
  • cooperate with the supervisory authority and maintain frequent contact with it regarding the processing.

The supervisory authority is an independent public authority tasked with monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons with regard to the processing of their personal data and to facilitate the free movement of personal data in the Union.

At the same time, the DPO is in direct contact with the Data Protection Authority, being an intermediary between it and the users.

What is the GDPR?

We have talked a lot about the GDPR until now. What is it really?

The General Data Protection Regulation (GDPR)  also known as EU Regulation 2016/679, is a crucial part of the personal data protection legislation. Its core purpose is to shield both companies and users from unwarranted breaches of personal data.

So, the GDPR applies to any business that processes personal information and is based in an EU Member State, regardless of whether the processing actually takes place within the Union.

Failure to comply with this legislative framework results in severe fines. At the same time, the additional imposition of corrective measures is at the discretion of the Data Protection Authority (you can find out more about the GDPR in the relevant article).

What does the GDPR include?

The General Data Protection Regulation offers data subjects who have provided their personal data to your company/organization some very important rights regarding the management of that data.

Some of these rights include the right to erasure or the right to be forgotten, the right to rectification of personal data and the right to restriction of processing.

We invite you to head over to our article “Rights of the data subject” where we further explain these rights.

Besides all this, the GDPR establishes age limits for minors deserving of extra protection. This protection concerns specifically minors under 16 years old. Additionally, EU member states have the flexibility to set a younger age, as long as it remains above 13 years.

If you’d like to learn when processing minors’ data is lawful, you can check out our article “Minors and GDPR”.

To end with, Article 35 of the GDPR describes the formulation of a Data Protection Impact Assessment, in order for your company to adhere to the principle of transparency when publishing Personal Data. In this way, you will be able to take into account the potential risks posed by each publication and will suggest solutions to eliminate or at least limit them.

Learn more about this subject in our article “Posting Personal Data”.

Let’s see some examples…

A brewery signs a contract with a payment company for the payment of wages to its employees.

The brewery informs the payment company when the wages should be paid when an employee leaves or gets a raise and provides all the information necessary for the pay slip and payment. The payment company stores employee data.

The brewery is the data controller and the payment company is the data processor.

Conclusions

A well-crafted privacy policy fosters a relationship of transparency and trust between your company and its customers. By clearly outlining data usage practices, your customers feel secure, knowing their data is treated with utmost care. Unlock the potential of your privacy policy and unlock the trust of your customers. Embrace transparency, protect personal data, and thrive in the digital world!

If you’d like to know more about your online presence, you only have to read our other guides about personal data, terms of use and cookies!

Authors

Eleni-Kostakoglou
Eleni Kostakoglou
Lawyer
Efi-Kostopoulou
Efi Kostopoulou
Lawyer