If the company collects, uses, modifies, stores or performs other actions with users' personal information (e.g. name, phone number, e-mail, etc.), in particular on the website, it is a personal data controller and shall organize the processing of personal information in a special way.

The order of the of the specified actions is formalized by the company in a special document - Privacy Policy (Personal Data Processing Policy).

The following should be reflected in the Privacy Policy.

Basis of treatment

In order for processing to be lawful, it must be carried out on the grounds specified in the legislation, for example:

  • Based on the user's consent.
  • For the performance of the agreement concluded with the user.
  • To exercise the rights and legitimate interests of the operator.
  • If there is a relevant judicial act, act of another body/official.

While the grounds may vary from jurisdiction to jurisdiction, obtaining consent is common in most jurisdictions. It must be specific and given knowingly by the user, under conditions of prior knowledge of the subject matter of the consent. However, there are no requirements for the specific form of consent: the form must allow confirmation of the fact that consent has been obtained (the exception is the written form when processing certain types of personal information).

In the process of formalizing the consent to the processing of personal data, it is recommended to specify information about the operator and the user, the list of information to be processed, the purpose of processing and the list of actions in its process, as well as the validity period of the consent.

List of data, purposes, methods of data processing

The Policy should state in as much detail as possible what, why and how it will be processed. For example, you can specify that the phone number is collected for the purpose of providing the user with access to the site (account creation and subsequent authorization), and that the operator has the right to collect, use, store, delete, etc.

Measures taken to protect the existing data

The protection measures include both technical (intrusion detection and prevention systems, encryption of data on the server, two-factor authentication, etc.) and organizational (periodic data protection audits, etc.).

Procedure for transferring data to third parties

If the operator transfers the collected personal information to third parties, it must necessarily specify in which cases this is possible. For example, if they are affiliates of the operator, if the user has given consent, etc. It should be noted separately in the documentation whether there will be cross-border data transfers.

Procedure for exercising user rights

By law, the user is guaranteed certain rights in the field of personal data protection. For example, it has the right to withdraw his/her consent to processing, change the information previously sent to the operator, ask the operator to delete the information or limit its processing, etc. The operator shall respond immediately to requests related to the exercise of such rights. Of course, there may be limits to the exercise of users' rights: for example, the operator may not delete certain information when requested to do so if it is legally obliged to store it.

Limitation of operator's liability

The operator has the right to specify that it takes all possible measures to protect the information, but there are situations for which it cannot be held responsible (e.g. data leakage occurred as a result of a technical failure, not due to the operator's fault).

Appointment of an employee responsible for the company's work with personal data

Today, in most jurisdictions, operators are required to appoint a dedicated employee to oversee the implementation of the policies and procedures set out in the Privacy Policy.

Information about the operator

It is necessary to specify the company's data, as well as an e-mail address where users can contact regarding the personal data.

The Privacy Policy is an important document that helps to ensure the protection of personal information and the company's commitment to privacy and legality, as well as to avoid fines that can reach up to 20 million euros. Such a document is intended to establish transparent and responsible relations in the field of personal data processing.

GMT Legal can assist you in drafting your Privacy Policy. We will take into account all the nuances of your business, the requirements of applicable law and develop a document that will effectively protect the rights and interests of you and your users.