GDPR Compliant Privacy Policy
Any company that processes personal data of individuals in the EU must have a GDPR Compliant Privacy Policy (the GDPR protects data subjects located in the EU, not only EU citizens). The Privacy Policy must be provided to the data subjects in the form and with the content the GDPR requires. A company that decides why and how personal data is processed is the personal data controller, and it is the controller that must provide the GDPR Compliant Privacy Policy.
The purpose of a GDPR Compliant Privacy Policy regarding the Processing of Personal Data
Providing information about the processing of personal data is a key area within the GDPR. A data protection policy may also be referred to as a “Privacy Policy”.
According to the GDPR, the purpose of a privacy policy is to inform the data subjects about how the company processes their personal data. It is almost always the company that is responsible for the processing of personal data and thus determines the purposes and means of the processing, which makes the company the controller.
According to the GDPR, the privacy policy must be written in clear and plain language, so that the reader can understand the content and how the processing takes place. A privacy policy should be published on the company’s website, so that the public can read it. It should also be available in connection with any contact form on the company’s website, in connection with registration for newsletters, and in connection with the checkout before a purchase via the web shop.
Content of a GDPR Compliant Privacy Policy
Personal Data Controller
According to Article 13 of the GDPR, a Privacy Policy must contain the identity and contact details of the controller (the company’s registered company name and organization number) as well as contact details for a contact person for matters concerning personal data, or for the data protection officer where the company has appointed one.
The Purpose of the Processing
Information should also be provided on how the personal data is processed and the purpose of the processing. For example, the processing may take place so that the company can send ordered products to the customer or perform an ordered service; the company then needs to process the customer’s name and contact information as well as any other personal data required for the order. In addition, it must be clear which legal basis the company relies on for each purpose, so that the processing is lawful.
Categories of Personal Data
The company must also list the categories of personal data that are processed. For example: name, address, telephone number, account information, e-mail address, profile pictures, IP address or other personal data.
How Personal Data is Collected
The data protection policy must also contain information on how the personal data is collected. For example, it may be collected when a person contacts the company, or when the company enters into an agreement with a person.
How long the Personal Data is stored
Information about how long the personal data is stored (or the criteria used to determine the retention period) and where it is stored must also appear in the data protection policy.
Personal Data Processors and information about where the Personal Data is stored
If the company engages one or more personal data processors, this must be stated, and the data subjects have the right to request information about who the processors are and where the processing takes place. For example, within Sweden, within the EU or outside the EU. If personal data is processed outside the EU / EEA, special requirements and rules apply to the transfer. Here you can read more about storing personal data outside the EU.
What the company does with the Personal Data
In addition, there must be information about what the company does with the personal data. For example, that the company registers the information in its internal systems to offer better service or to keep order history.
Rights of Data Subjects
It is also important that the data subjects’ rights are stated in the data protection policy. Data subjects have, among other things, the right of access to the personal data the company processes about them, free of charge. Data subjects also have the right to have incorrect personal data rectified. They also have the right to request erasure of their personal data, the right to data portability, and the right to object to their data being used for direct marketing and profiling related to such marketing. Data subjects are also entitled to be informed of a personal data breach when the breach is likely to result in a high risk to their rights and freedoms.
Complaints to the Supervisory Authority
The data protection policy must also contain information on how and to whom the data subjects can submit complaints regarding the processing of their personal data, and that they always have the right to lodge a complaint with the Supervisory Authority.
News about GDPR and reviews from supervisory authorities
In addition to this information, you can also read our GDPR summary, as well as news about the GDPR on this website, for example audits carried out by Supervisory Authorities and the administrative fines they impose. By learning from the mistakes of others, you can avoid making similar mistakes yourself. You will also find guides and other information that is important and useful to know as an entrepreneur.
Summary of the GDPR for Companies, Entrepreneurs and Businesses
There is a lot of information about the GDPR that is important for companies, entrepreneurs and businesses to know. We have therefore written a GDPR Summary that covers the key elements and gives an overview of the GDPR, what it means and what companies must do to comply with the EU regulation.