
Have you revised your privacy policy lately to keep up with the latest privacy regulations?

Most people know that their data is collected and stored by companies, and more and more take an interest in how their personal information is handled. That’s why many companies formulate privacy policies to describe why and how they store personal information and how they protect it.

In collaboration with DAHL law firm, one of Denmark’s largest law firms, we have prepared a template for a standard privacy policy that you can personalize and use.

NOTE: This is not a definitive privacy policy, but a template to help you get started.

What is a privacy policy?

A privacy policy is written to provide information about why and how companies collect and process personal data, as well as who they share it with and for what purpose.

The Personal Data Protection Regulation, or GDPR (General Data Protection Regulation) of 2018, outlines a number of new and updated principles that companies must comply with when collecting and storing personal information.

The changes aim to protect the privacy of EU citizens, requiring greater transparency from companies and granting private persons more rights regarding their own data.

With increasing focus on personal data and how it is processed, many companies have updated their privacy policies to more clearly explain their use and storage of personal data.

An example from Google:

Privacy Policy requirements

As the Data Protection Authority explains, the GDPR does not require companies to have a privacy policy. However, publishing a well-written privacy policy is a good way for companies to meet a key requirement of the legislation, the disclosure requirement, as per Articles 13 and 14 of the Data Protection Regulation.

In this article, we have gathered some important tips for writing a solid privacy policy and some examples of what your policy should include.

6 questions your privacy policy should answer

1. What kind of data is collected, how, and why?

This section should describe the purposes for which personal data is collected. There are different types of personal data, so mention each type you collect; for example, profile data, behavioral data, etc. Then be specific when explaining why the data is collected.

2. How is the data processed and kept safely?

Describe and explain how your company processes personal data. Specify the security measures your company takes to protect data. For example, do you use user authentication? Do you have secure, encrypted mail or a system that can receive and handle personal data securely in other ways?

3. What are your users’ rights?

One of the principles of the Personal Data Regulation is that individuals have the right to access their own data. This lets individuals gain insight into which companies have their data. We recommend you include this right in your privacy policy, because the EU requires companies to allow their users / customers to gain insight into the data they control.

4. Is your policy up to date?

Your privacy policy should always reflect the most current applicable privacy legislation. Update your policy regularly and specify the date it was most recently updated.
Apple’s privacy policy includes the date of its recent update:

5. How can individuals contact you?

Include contact information. This is a way to build trust and show that your company will follow up on any inquiries about personal data. If you provide a Request Portal along with your contact info, even better. Directing users who want to make data access requests to do so online makes the request process simple and frustration-free on all sides.

6. How should a person make a complaint, if needed?

Article 13.2d of the GDPR requires companies to “…provide the data subject with the following further information necessary to ensure fair and transparent processing: …the right to lodge a complaint with a supervisory authority”.
Consent forms and privacy policies can include the right to file a complaint and direct people to the proper government agencies/contact information to do so.

Automate and streamline

Offering a request portal or another automated way for users to retrieve their data is best practice, and it’s a concept that is growing in popularity. Some companies have designed their own; for example, Google lets users request, retrieve and delete their data directly from their privacy policy with what they call ‘Google Takeout’:

For many companies it’s not practical or cost effective to design and build their own request portal. The better choice may be a service like Connectid Business.

When you sign up for a free Connectid Business account you get a pre-built, fully functional data request portal personalized with your company name and logo. You add it to your privacy policy simply by copying and pasting its link, no coding required:

Offering the data request portal link is a good way to show you respect your customers’, employees’ and partners’ personal data rights. It’s also the easiest way for your company to receive, organize, verify and respond to requests on time.

Processing data requests with Connectid Business

Data requests now come to you in a simple, structured format, improving the data request process for your entire organization. The Connectid Business Request Portal automatically verifies and logs new data requests and shows your users that you are protecting their rights and the personal information they share with you.

Safe Online can help you get started

Try to answer the questions we’ve listed above in your privacy policy. Remember that specifics like the types of personal data collected and processed as well as who it is shared with and why vary enormously from company to company. So when you add details about your company’s use of personal data to your privacy policy, make sure everything is:

• Clear and easy to understand, not vague
• Accurate and up to date, never misleading

The last one is especially important because you can be fined for providing inaccurate information. You are not required to have a legal team draft your policy or use contractual language, but you should consult with others on your team to ensure you thoroughly understand how your company collects and uses personal data, to make sure all your statements are accurate.

Do you want to create a great privacy policy for your company?

Download a work-friendly version below. Add specifics about how your company does and does not use personal data and feel free to adapt the language and tone to suit your company’s audience: