GDPR Privacy Policy

The General Data Protection Regulation (GDPR) takes effect on May 25, 2018. If the GDPR applies to you, you’ll need to make sure your Privacy Policy is updated by that date.
Who the GDPR Applies to

The GDPR will apply to your business if you:
Offer products or services to EU citizens, or
Collect personal information from EU citizens

Note that it doesn’t matter where your business is located/headquartered. If you meet either of these criteria, the GDPR applies to you.

For example, a U.S.-based business that simply collects email addresses from users in the EU will fall under the scope of the GDPR.
What the GDPR Requires

The GDPR comes with a number of enhancements to the current privacy law in the UK - the Data Protection Directive:
New responsibilities (1) for Data Controllers
Data Processors (2) are now covered by the law
The new role of Data Protection Officer (3) has been created

(1) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Requirements_for_GDPR_Data_Controllers
(2) Link to https://termsfeed.com/blog/gdpr-compliance-plan/#Requirements_for_GDPR_Data_Processors
(3) Link to https://termsfeed.com/blog/data-protection-officer-dpo/

The main focus of the GDPR is the protection of personal data and digital privacy. Users must be provided with thorough information about how their personal data is processed. Here’s where your Privacy Policy comes in.
GDPR-Compliant Privacy Policy

Article 12 of the GDPR (4) requires that you communicate information about your processing of personal data in a way that’s:
Concise
Transparent
In clear and plain language
Intelligible
Easily accessible
Free of charge

(4) Link to https://gdpr-info.eu/art-12-gdpr/

Most Privacy Policies tend to be long and dense, filled with legal jargon and less than clear for most readers. The GDPR is working to avoid this.

Update your Privacy Policy by:
Cutting out legalese
Simplifying overly technical information
Using short, clear sentences
Writing with your average user in mind

In addition to the standard required components of your Privacy Policy (5), your GDPR-compliant policy will need to disclose more information.

(5) Link to https://termsfeed.com/blog/gdpr-privacy-policy/#Have_a_Privacy_Policy

The following 7 concepts must be covered somewhere in your Privacy Policy. They can be separate, standalone clauses, or integrated into other existing clauses. Just make sure you have the information somewhere in your Policy.
1. Who is your data controller?

The data controller is the party in charge of deciding what personal data is collected. Let users know if this is your business or if someone else is responsible for making this important decision. In most cases, it will be your company.
2. Contact information for the data controller

It’s likely that your company is the data controller, and that you already provide contact information in your Privacy Policy. If a different company/party is your data controller, include their contact information along with yours.

If you have a Data Protection Officer (DPO), include contact information for this role as well.
3. Do you use personal data to make automated decisions?

If you make automated decisions - such as loan screening, employment decisions, credit scoring, etc. - using personal data you collect, you need to disclose this. You can let users know if you don’t do this, but it isn’t necessary.
4. The 8 rights of users under the GDPR

Inform users of these 8 rights (6). They don’t have to be explicitly listed out in your Privacy Policy, but each point should be addressed somewhere within it.

(6) Link to https://www.vividfish.co.uk/blog/gdpr-8-rights-under-gdpr

The 8 rights of users:
Right to be informed
Right of access
Right of rectification
Right to erasure
Right to restrict data processing
Right to data portability
Right to object
Rights related to automated decision-making and profiling
5. Is providing personal data mandatory?

Let users know if any data you collect is mandatory to use your service/website, and what happens if they don’t provide this data.

For example, users may need to provide an email address to create a user account. If they don’t provide this, they cannot create an account.
6. Do you transfer data internationally?

Let users know if you transfer their personal data to a different country. Include one of the following:
Whether your transfer falls under a legal framework or decision, such as the EU-US Privacy Shield, or
A description and explanation of the suitable safeguards you have in place for the transfer, and how users can obtain a copy of them
7. Your legal basis for processing data

The GDPR provides 6 lawful bases (7). You’ll likely satisfy this requirement in your clause that covers what data you collect and how you use it.

(7) Link to https://gdpr-info.eu/art-6-gdpr/

For example, let users know you collect financial information for payment processing, use cookies to remember user preferences and collect email addresses for communicating with users.
Getting Agreement and Consent to your Privacy Practices

Make sure you get users to agree to your Privacy Policy and give consent for you to collect and use their personal data. Do this with checkmark boxes or another active method of clickwrap (8). Provide a link to your Privacy Policy when you ask users to agree to it.

(8) Link to https://termsfeed.com/blog/examples-click-accept/
Have Privacy Notices

Because the GDPR focuses on creating transparency and understanding for users, having Privacy Notices will help you be GDPR-compliant.

A Privacy Notice is a short, concise notice that helps users understand why you’re requesting their personal data. They should be available at the point where you’re requesting to collect the data.
The GDPR requires your Privacy Policy to be more informative. However, it also requires that you provide this information in a simplified, clear way.

To summarize:
Review the language in your Privacy Policy and drop the legalese. Make it easy for your average user to understand.
Update your Privacy Policy with the additional information required by the GDPR.
Use clickwrap to get agreement and consent before collecting personal data.
Add Privacy Notices to help users understand what they’re consenting to.