A Data Privacy statement is required for any website hosted in Europe or doing business in Europe, and its contents are governed by the General Data Protection Regulation (GDPR). This article deals with constructing a GDPR-compliant Data Privacy statement.

For any website hosted in Europe, or doing business in Europe, a website Data Privacy statement is mandatory and is based on:

  1. General Data Protection Regulation (https://gdpr-info.eu/)
  2. ePrivacy Regulation (202? - Yet to be agreed)

The GDPR strengthens a consumer's rights around their personal data. Your responsibility, via your website's data privacy statement, is to explain to visitors:

  • What Personal Data is collected by your website (eg name, phone, address, photo, IP address)
  • How you collect Personal Data (eg website forms, payment forms, cookies etc)
  • What is the reason for collecting their Personal Data (eg to communicate with you, to provide a service)
  • How long you keep their Personal Data
  • What providers (eg webhost) would also have access to their Personal Data
  • Whether you use/sell their Personal Data for direct (from your company) or indirect (not your company) marketing
  • How you secure their Personal Data
  • Whether or not their Personal Data ever leaves the European Union
  • If you collect 'sensitive data' - eg gender, ethnicity, religion, sexuality, etc - that you do not collect this from minors (16 years or younger)
  • And finally that you recognise the rights of your website visitor to access/correct/delete any Personal Data that you hold under the GDPR

One thing that hasn't been finalised yet is the other half of the Data Privacy duo: the much anticipated ePrivacy Regulation. This is tricky because, for website owners, the GDPR and ePrivacy go together. Whereas your Data Privacy statement (GDPR) focuses on what you do with your visitor's personal data, ePrivacy has much more to do with technologies such as "cookies", which are heavily used when you deploy Google Analytics, embed maps and videos, display Social Media feeds and so on. As far as the Data Privacy statement is concerned, you should declare whether you set cookies that capture any Personal Data and refer visitors to your Cookie Policy for a more detailed explanation (and, in the current confusion, you would also have to obtain permission from your visitor before setting such cookies). Note that the Data Privacy statement and the Cookie Policy are required to be two separate documents.

Another thing I'm frequently asked is: Is my website's Data Privacy statement about my whole organisation, or just the website? The simple answer is: usually, just the website. You're explaining to visitors how their Personal Data is collected and used on the website. But if you're harvesting personal data from the website and storing it in, for example, your Customer Relationship Management system for your customer fulfilment team to use, then you are obliged to disclose that to your visitors, and to inform them if their data will be treated differently from what you've disclosed in your website's Data Privacy statement.

Website Data Privacy Statements and the GDPR

One simple way to go about constructing a Data Privacy statement is to answer the following questions:

Example: We collect personal data from our Contact forms, shopping cart and Google Analytics (yes, Google Analytics will collect an IP address, unless you anonymize IP address collection first! See https://developers.google.com/analytics/devguides/collection/analyticsjs/ip-anonymization for some help on this).

Example: We ask for your name, email address, physical address and contact number so that we can provide you with a legal invoice when you shop with us. We request your name and email address for our newsletter signup so that we can send you the newsletter and personalise it with your name. We ask for your name, email and a contact number on our contact form so that we can communicate with you quickly.

Note: quite a lot of shopping cart software collects IP addresses. Make sure yours doesn't, or if it does, declare it here!

Example: We routinely delete all emails from our contact form on an annual basis (or whatever your retention period is). We keep personal data and order transaction details (name, address, email, phone, products purchased, timestamp, amount spent, etc.) for 6 years to comply with Revenue requirements.

Example: Our newsletter provider, our payment processor, our webhost, our delivery company. These providers are hired by us to provide services and are not allowed to use your personal data for their own purposes, as they are also bound by data protection requirements.

If you want to understand more about their data privacy policies see this link, this link, this link.

Your personal data may also be provided to relevant third parties in the case of our business being sold, merged or made insolvent.

Example: Your personal data is secured using the most up to date and modern technology. Bear in mind that no system is foolproof. If there's ever a breach (and we hope that never happens), you'll be notified by us within 72 hours. (Note: breach notification within 72 hours is the rule under the GDPR; there is no hiding it anymore.)

Interestingly, you have to state if this is the case. Mailchimp have no European servers, so even though they are compliant with the GDPR, you still have to state that personal data collected for your Mailchimp newsletter will leave the EU, and give a link to their privacy policy. We don't control these things...!

Same as the old Privacy Statement: state whether you market directly or indirectly, and how visitors can opt out of marketing. Under the new GDPR, YOU are responsible for the opt-out for any indirect marketing that you engage in. Ouch ouch ouch.

My view is that you should include a statement that your website forms and shopping cart cannot be used by anyone under 16 years of age (or at least not without a parent's or guardian's permission). The reason for this is that the GDPR is tough on those who obtain personal data from minors. Ireland has declared the minimum age to be 16. Best avoided. CYA.

Expand this section as necessary, especially if you have a complicated set-up. You have 30 days to comply with any of the requests listed below, and you can't charge money for doing so unless the requests are ridiculously onerous.

  • You have the right to retrieve a copy of your personal data in machine readable format
  • You have the right to transfer your data to another provider
  • You have the right to request the removal of your data ("right to be forgotten")
  • You have the right to request a restriction from processing your data
  • You have the right to withdraw your consent to our use of your personal information at any time
  • You have the right to have your request dealt with within 30 days of receipt

If you wish to exercise your rights please send details of your request to:

[email address]

Or by post to:

[NAME OF PERSON]
[FULL ADDRESS DETAILS]

In case of a dispute you have the right to contact the Data Protection Authority; please see https://www.dataprotection.ie

Last updated: 15 Jul 2020