Why isn't the privacy policy template right for you?

Copy and Generate Privacy Policy


Copying a template privacy policy or using generators (automatic compilation) is a very common practice. Indeed, in some cases, this can save time when it comes to copying repetitive information that is universal for many sites. But this is only true if you copy it from a reliable source or use a quality generator.

Copying


If you are still copying a template privacy policy, then you need to double-check the compliance of this document with Articles 13 and 14 of the GDPR (General Data Protection Regulation of the European Union), as well as change the points that are individual for each company:

  1. Processing objectives
  2. Legal grounds for processing
  3. Processing time

It is difficult to find a privacy policy that matches all processes in your company and at the same time GDPR. Most privacy policies, even of European companies, do not comply with the GDPR.

The copied privacy policy may contain the processing of personal data, which the company does not and cannot be. This creates major problems in the implementation of the rights of data subjects. For example, a user of your service will want to exercise its right to data portability, but you are not able to implement it.

Also note that many privacy policy templates are written under other laws. It is not uncommon for the word “GDPR” to be inserted instead of another legal act by means of an auto-replacement.

As a result, you spend more time to find and edit a template when it is much faster (and maybe cheaper) to write the policy yourself or contact a specialist.

Generators


Suppose you have found a quality privacy policy generator. In order for him to give a ready-made version, you still have to describe in detail your processes, formulate goals and paint the legal grounds. Usually, it is impossible to add to the privacy policy generators all the various information about personal data processing processes. In some, like the professional Signatu generator, this can be done, but in order to generate something, you have to answer dozens of complex questions that require deep knowledge of GDPR.

Privacy policy


If you compare the use of a platform with the purchase of drugs, then the privacy policy is an insert with instructions. With this instruction, users know how to properly use this medicine and not harm themselves.

Privacy policies should work in the same way. This document is primarily for users. Remember this when you connect your lawyer. Privacy policy should be written in a language understandable to the reader.

When making a privacy policy, first of all refer to the legislation applicable to your processing. There you will find the requirements and understand what information you need to specify in your document. In this article we are talking about GDPR.
The main requirements for the content of the privacy policy for GDPR are contained in Art. 13 and 14 of the Regulations, as well as in the explanation of “ Guidelines on transparency ” from Article 29 Working Party - a pan-European supervisory body. At the end of the document is a table by which you can check your privacy policy.

When drafting a policy, it is an error to disperse information about separate processing into different sections, when the compilers describe the categories of the data being processed separately from the goals, and the goals separate from the legal basis of the processing (agreement, legitimate interest, contract, law, etc.). It is forbidden to do this because it is not clear to a person (data subject) which of the data categories is processed for what purpose. This is the same if you came up to a passer in the street and asked for a phone. He has a reasonable question: “Why?” He will decide whether to give the phone depending on how you want to use it. Similarly, the user gives his consent to the processing of personal data depending on your goals.

In other words, it is better to structure the text of the privacy policy by individual processing.
For example, in early 2019, GOOGLE received a $ 50 million fine from the French supervisory authority CNIL. One of the violations was the fact that important information about the purposes of processing, storage periods, categories of personal data to be processed was scattered across different documents. As a result, the data subject needed 5-6 actions to obtain the necessary information.

It is worth noting that the privacy policy itself is only the tip of the iceberg. Before drawing up a privacy policy, you need to go through a series of steps:

  1. compiling a registry of personal data processing (art. 30 of the Regulations).
  2. formulation of processing objectives. For example, you ask the responsible departments for which they process certain data. It may turn out that they took some data “for the future”, not having a specific goal now;
  3. selection of the legal basis for processing (Article 6 of the Regulations). This stage is not just a “chamomile fortune telling”, but a complex legal analysis;
  4. determination of processing time for each process;
  5. inventory of third parties (outsourcers, partners, suppliers, providers) to whom you give access to personal data.

Errors committed in these early stages are often clearly seen in privacy policies.

Risks of using incorrect privacy policy


  1. Fines imposed after inspection of the supervisory authority. And this is 20 million euros, or 4% of the total global turnover of the company.
  2. A complaint from a data subject who did not understand your privacy policy directed to the supervisor. What will happen next - see paragraph 1.
  3. Damaged reputation . The presence of obvious mistakes in the privacy policy can drop the quotes of a public company. Investors are frightened not so much by the fact that the company has violated some rules, but that it is under the risk of huge sanctions. None of the shareholders of your company will appreciate this risk, and counterparties will definitely not be happy with your bankruptcy.
  4. If you choose the wrong legal basis, then the data subject may have a right, the implementation of which will actually block the processes in your company . Example: you have chosen consent as the legal basis for processing in a situation where only a contract is possible. If the user withdraws his consent - you can not provide him a service. In the end, you find yourself in a legal trap: on the one hand, you need to realize the right of the subject to be forgotten, and on the other - to render him a service. Do not give him the right to be forgotten - get a fine, but do not provide him with a service - get sanctioned by the contract you signed with this subject.

Thus, privacy policy:

  1. is developed individually for the processes of a particular organization,
  2. written in plain language and has a clear structure,
  3. only one of many and far from being the first event to comply with the Regulations,
  4. necessary for the survival of the company in the era of GDPR and
  5. does not forgive mistakes.
Tags:

Also popular now: