Even before the GDPR, the Telecommunications Act required that website users be informed about the use of personal data in a privacy statement. The GDPR requires in Article 13 that data subjects must be informed about the use of personal data when it is collected. Article 14 requires that if the data is obtained from a third party, the data subject must be informed within 30 days.
A privacy policy on the website is required by the Telecommunications Act for the data processed on the website. In addition, the privacy statement is an effective way to comply with the information requirements of Articles 13 and 14.
Duty to inform
When personal data is collected, the data subject must be provided with the following information:
- The name and contact details of the person responsible and, if applicable, his representative
- The contact details of the data protection officer, if available
- The purpose of processing
- The legal ground (Article 6).
- If the legal ground is “legitimate interest”, these interests must be specified. It should also be documented why these interests outweigh the interest of the data subject who does not want the data to be processed.
- Recipients or categories of recipients, if applicable (e.g. suppliers, tax advisors, …)
- If applicable, whether the data will be transferred to a third country without equivalent data protection and how data protection is nevertheless ensured (see US-EU Privacy Shield).
- The duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- Information about the right of access to personal data and the right to erasure, restriction and objection, as well as the right to data portability.
- If the processing is based on the data subject’s consent, he or she must be informed of the right to withdraw consent.
- Reference must be made to the right to complain to the supervisory authority.
- If the data is required for the performance of the contract, it must be stated what the possible consequences of not providing it are.
- If automated decisions are made or profiling is performed, meaningful information about the logic involved and the scope and intended effects must be provided (Article 22(1) and (4)).
- If the data was not collected directly from the data subject, it must also be stated where the data originated and, if applicable, whether it was obtained from a publicly accessible source (further details and restrictions in Article 14 GDPR).
If a data subject already has this information, it does not need to be provided again.
Privacy policy
The privacy policy is the ideal place to fulfill this information obligation with minimal effort. If the privacy statement covers not only the information relevant to the website, but all the information concerning customers, prospects, …, you can fulfill your information obligations with a link to the privacy policy.
We recommend referring to the privacy policy wherever you collect data from individuals (web form, paper order, …).
The obligation to inform about data received from third parties is often difficult to implement correctly. Data from third parties are, for example, orders that come via an intermediary or data that have been researched on the Internet. As mentioned, according to Article 14 GDPR, data subjects must be informed about the processing within 30 days.
A pragmatic approach to implementation is also to refer to the privacy statement in all documents (offer, invoice, letters, …) as well as in all e-mails. This automatically transmits the required information at the next customer contact.
The European Data Protection Authority (formerly the Article 29 Working Party) has explicitly recommended in Working Paper 260 not to “bludgeon” data subjects with the information. It is recommended to provide only the core information (e.g. details critical/unexpected for the data subject) directly and to provide the rest via a link e.g. to the privacy policy.
Article 14 requires that the data subject be informed, at the latest within 30 days, that his or her data will be processed if it is disclosed to third parties.
Consent
The data subject does not need to agree to the privacy policy. It is sufficient if the link to the privacy policy is available to the data subject.
From our point of view, asking for consent is counterproductive. Any consent can be withdrawn. But what happens if consent to the privacy policy is withdrawn? We would still process the data as stated in the privacy policy.
Implementation
We recommend that you first create a processing directory. Make sure to also document the processing operations relevant to the website (Google Analytics, forms, Like buttons, …). The privacy policy can then be derived from this.
easyGDPR lite helps you to implement this task quickly and efficiently.