The Guide to Drafting a GDPR Privacy Policy
Drafting a GDPR-compliant privacy policy is a key step in an organisation’s compliance process. While it is true that a website serves as a public-facing showcase of what you offer, it is equally accurate to consider it as the first step in an assessment of your GDPR compliance by supervisory authorities, as well as by your future clients.
For this reason, DPO Consulting wishes to provide you with the key elements needed to carry out this exercise.
To determine what a privacy policy must contain, reference must be made to Article 13 of the General Data Protection Regulation (GDPR), which lists all the information that must be provided at the time personal data are collected. The following elements must therefore be included:
These elements will form the different sections to be completed in your privacy policy and therefore constitute its structure. Before addressing each point in detail, it is first necessary to discuss the initial work required: collecting the relevant information.
As seen in the previous section, a significant amount of information is required in order to draft a GDPR-compliant privacy policy.
We therefore strongly recommend clearly defining the scope of application of the policy. Do you want this policy to apply only to data processing carried out via the website? If so, does it also apply to commercial prospecting? Up until the signing of a contract? Does the policy also apply to an application you have developed? Does it extend to the recruitment process as well? Etc.
Once the scope has been defined, you will need to audit the departments responsible for these data processing activities. The primary objective of these audits will be to list the processing activities and then collect all the elements required under Article 13 of the GDPR. An example is provided below:
Processing No. 1: Management of Commercial Prospecting
This audit can also be an opportunity to verify the compliance of the departments involved. Once this exercise has been carried out for all departments, you will finally be ready to draft your GDPR privacy policy for your website.
Below is a section-by-section focus on the elements to be completed.
Here, it is sufficient to use wording similar to that used in the legal notice, stating that “Company X, registered with the Trade and Companies Register under number XX, whose legal representative is XX, is considered the controller for all processing activities listed in this privacy policy.”
The DPO must be easily reachable by data subjects so that they can ask questions about the use of their personal data and, in particular, submit requests to exercise their rights. A dedicated email address and a postal address will be sufficient. A generic contact address shared with other functions should be avoided, since only the DPO, or the person responsible in the absence of a formal appointment, should have access to these requests.
Data subjects must understand the purposes for which their personal data will be processed. These purposes may include:
This list must be exhaustive and reflect both the findings from the audit interviews and the scope initially defined.
We recommend making the legal basis public for each processing activity listed. The legal bases are set out in Article 6 of the GDPR.
The GDPR specifies that you may either list individual recipients or categories of recipients. Each option has advantages and disadvantages, and a choice must therefore be made. This information should also emerge from the audit interviews. Importantly, it is not necessary to list recipients by processing activity; a single global list will suffice.
In most cases, transfers within the meaning of Chapter V of the GDPR will exist. If this is the case, you are not required to specify which personal data processing activities are concerned. However, it is mandatory to clearly indicate that transfers are carried out and to describe the safeguards implemented to secure them. These safeguards are set out in Articles 45 to 49 of the GDPR.
If no transfers are carried out, this should also be stated. However, we recommend adding wording specifying the methodology that would be implemented should you decide to carry out such transfers in the future, for example relying on adequacy decisions or, failing that, implementing the European Commission’s standard contractual clauses.
DPO Consulting’s privacy policies specify the applicable retention periods for each processing activity. It is therefore important to ensure, before publication, that the retention periods in place and collected during the audits comply with the applicable legislation. If you find that retention periods are missing or excessive, corrective actions will be required to bring them into compliance with the legal framework.
Where certain processing activities are based on the consent of the data subjects, it must be specified how consent can be withdrawn. For simplicity, we recommend stating that consent may be withdrawn at any time and without justification by contacting the DPO or by clicking on the consent management tool, where available.
You will need to determine the location of your main establishment in order to identify the competent supervisory authority. Once this analysis has been carried out, you must inform data subjects that they may contact the supervisory authority (for example, the CNIL) at any time to lodge a complaint, and provide the authority’s contact details.
If you are unable to identify your supervisory authority, you may invite data subjects to exercise their rights with the authority of their country of residence.
This section covers specific situations where the provision of personal data is mandatory due to a regulatory or contractual requirement, or where such provision conditions the conclusion of a contract. If this is the case, you must specify the consequences of failing to provide the data, such as the impossibility of entering into a contract.
If any of your processing activities involve automated decision-making, you must inform data subjects accordingly. This information must be accompanied by the possibility for data subjects to request human intervention to review the decision.
To provide comprehensive information, it is recommended to add a section listing the categories of personal data intended to be processed (identification data, location data, etc.).
In addition, a privacy policy drafted by DPO Consulting will include a paragraph affirming the controller’s commitments regarding the security of the personal data entrusted, while providing examples of concrete measures (data pseudonymisation, backups, etc.).
Finally, users of the website should be given access to a presentation of all the rights available to them and what they entail.
Drafting a GDPR-compliant privacy policy for a website can prove complex if the initially defined scope is broad and/or if the number of personal data processing activities is significant.
We therefore hope that this guide will help you draft it easily. We naturally remain at your disposal should you wish us to draft it for you or review your work. Do not hesitate to book an appointment here: https://www.dpo-consulting.com/contact-us