What should a website privacy policy contain? - Checklist
The privacy policy is a document that describes how an organisation collects, processes, stores and protects the personal data of its users, customers or partners. This document is key in the context of data protection and aims to provide transparency in the company's data processing activities. Below is a list of key elements that should be included in a website privacy policy.
What must a website privacy policy have?
1. Introduction (general provisions).
2. Basic concepts and their descriptions.
3. Information on the entity responsible for processing personal data.
4. Description of the categories of data that are collected by the company.
5. Details of how data is processed, stored and secured.
6. Description of the rights of data subjects.
7. Information on to whom and under what circumstances the data may be shared.
8. Details on the use of cookies.
9. Information on changes and updates to the privacy policy.
10. Contact details.
What should a website privacy policy contain? - Checklist
Enter the name of the company or organisation and its full registration details (address, KRS number, NIP, REGON).
Identify who is the controller of the personal data.
Explain what a privacy policy is and why it is created.
Indicate the legal basis for the processing, such as RODO (GDPR) or other relevant legislation.
Define what you mean by "personal data", "data processing" and other relevant terms.
Ensure that key terms are clear and understandable to users.
List the categories of personal data you collect (e.g. contact details, payment details).
Indicate whether you collect data automatically (e.g. cookies, login data) or directly from users.
Explain why you collect data (e.g. order fulfilment, newsletter sending, website traffic analysis).
Identify the legal bases for data processing, such as user consent, contract performance, legal obligations.
Describe what technical and organisational measures you use to protect the data you process (e.g. encryption, access control).
Highlight how long you keep the data and when it is deleted.
List the rights of those whose data you are processing (e.g. right of access, right to erasure, right to data portability).
Indicate how users can enforce these rights (e.g. email contact, special forms).
Explain whether and to whom you share personal data (e.g. service providers, business partners).
Specify the rules for transfers of data to third countries, if any.
Describe what types of cookies you use (e.g. session cookies, persistent cookies) and for what purpose.
Indicate how users can manage cookies in their browsers.
Explain how you will inform users of changes to the privacy policy.
Enter the date on which the document was last updated.
Indicate the contact details of the person or department responsible for data protection (e.g. Data Protection Officer).
Encourage users to contact you if they have any questions about the privacy policy.
Consult the contents of the document with a lawyer or data protection specialist to ensure that it complies with the applicable law.
What are the risks of not having a privacy policy?
Failure to have a privacy policy can lead to serious legal and financial consequences, including:
Financial penalties: Under the Data Protection Regulation (RODO), the absence of a privacy policy and breaches of the rules on the processing of personal data (Article 5 RODO) can result in an administrative fine of up to EUR 20,000,000 or 4% of the company's annual worldwide turnover. Smaller fines, up to EUR 10,000,000 or 2% of annual turnover, may be imposed for breaches of data security provisions (Article 32 RODO) or the obligation to conduct a data protection impact assessment (Article 35 RODO).
Administrative penalties: A supervisory authority, such as the President of the Office for the Protection of Personal Data in Poland, may impose a financial penalty or other remedies, such as a warning or restriction of data processing.
Criminal liability: Individuals, such as employees or officers, can be held criminally liable for the unlawful processing of personal data, which can lead to fines, restriction of freedom or imprisonment for up to two years (Article 107 of the Data Protection Act).
Civil liability: Individuals whose personal data has been breached may claim compensation for the pecuniary or non-pecuniary damage suffered. The RODO does not set maximum compensation amounts, so the amount of the claim can be significant.
Loss of customer confidence: The lack of a privacy policy can lead to a loss of customer trust, which will negatively affect the company's reputation and business.
Legal proceedings: Clients may complain to supervisory authorities and bring civil cases, which may lead to additional costs and legal complications.
Legal basis of the privacy policy
1. Information obligation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (RODO), OJ L 119, 4.5.2016, pp. 1-88.
2. Penalties for not having a privacy policy: Article 83(5) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (RODO).
3. Information on privacy policy: Article 13(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (RODO).
Summary
The privacy policy is essential to comply with legislation such as the EU's RODO. Failure to do so can result in serious consequences, including heavy fines. This document ensures that the rights of data subjects are protected and that they have access to information about how their data is used. In addition, it builds customer trust by showing that their data is safe.
It is worth bearing in mind that having a privacy policy supports organisations in managing the risks associated with data breaches and in minimising potential financial and reputational losses.