1. Select your industry sector
2. Confirm your business processes
3. Generate your Privacy Policies
4. Our updates keep you in the green
The GDPR applies to you if you:
- Are established in the EU, or
- Offer goods or services to individuals located in the EU, or
- Monitor the behaviour of individuals located in the EU.
- Your privacy policy must be written in clear, plain language.
- You must state your legal basis for processing personal data.
- You must inform users of the rights they have under the GDPR.
- You must tell people how long you will keep their personal data.
- You must also describe any international data transfers and list the safeguards that apply to them.
Personal data is big business. Companies like Facebook made a lot of money by handling people’s personal information.
The GDPR sets the rules about how personal data should be processed in the EU. It gives people rights over their personal information. Without privacy laws like the GDPR, people wouldn’t be able to control what businesses and governments do with the information they have about them.
You may already have complied with earlier privacy laws, such as:
- The Personal Information Protection and Electronic Documents Act of Canada (PIPEDA)
- The California Online Privacy Protection Act (CalOPPA)
- The Privacy Act of Australia
- The Data Protection Directive (the GDPR's predecessor)
The GDPR is different. Its rules are stricter than any of the above, so what you did to comply with those laws probably will not be enough to comply with the GDPR.
It’s important to remember that your privacy policy is a public document, not just one for your existing customers. It is for anyone whose personal data you might handle, including people who visit your website, prospects, your suppliers and so on.
Principles for Processing Personal Data
Article 5 of the GDPR sets out six principles that all processing of personal data must follow. They are:
- Lawfulness, fairness, and transparency: Follow the law, don’t use personal data in ways that people wouldn’t expect, and be open about how you process it.
- Purpose limitation: Only process personal data for the specified purposes you collected it for, and not for purposes incompatible with them.
- Data minimization: Don’t process more personal data than you need for those purposes.
- Accuracy: Make sure that any personal data you hold is accurate and, where necessary, kept up to date.
- Storage limitation: Don’t keep personal data for longer than you need it.
- Integrity and confidentiality: Protect personal data against unauthorised access, loss and damage by using appropriate security measures.
Types of Personal Data You Process
The GDPR has a very broad idea of what “personal data” is. It’s likely that a lot of it is processed by your company.
Many companies divide this part of their Privacy Policy into sub-sections, such as “data you provide to us” and “data collected by our website”.
How You Process Personal Data
The lawful bases (Article 6 of the GDPR) on which you can process a person’s personal data are:
- Consent: They have given you permission in a way that meets the GDPR’s requirements (freely given, specific, informed and unambiguous).
- Contract: Processing is necessary to perform a contract with them, or to take steps at their request before entering into one.
- Legal obligation: Processing is necessary to comply with a law you are subject to.
- Vital interests: Processing is necessary to protect their life, or someone else’s.
- Public task: Processing is necessary for a task carried out in the public interest or under official authority.
- Legitimate interest: You have a genuine reason to process their personal data that is not overridden by their rights and interests, and you have documented this in a Legitimate Interests Assessment.
Retention of Personal Data
Who You Share Personal Data With
Note that the GDPR doesn’t require you to name every company you share data with. Listing the categories of recipients (e.g. payment processors, couriers, etc.) is enough.
But make sure you check the terms and conditions of any company with which you have a Data Processing Agreement.
International Transfers of Personal Data
The GDPR gives individuals eight rights over their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (known as “the right to be forgotten”)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
Not all of these rights will apply to your business, but you still need to know about them.
Our GDPR compliance software for SMEs can generate all of the documents that the GDPR requires: