GDPR
Discover how a robust privacy policy can protect your personal information, strengthen your online security and ensure worry-free browsing: everything you need to know is here!
It is also a legal requirement in many countries, including the European Union and the United States, whether you operate:
The required disclosures are not, however, identical, owing to the categories of data collected and the purpose of those processing operations. The privacy policy ensures the protection of your users' personal data and transparency in your data processing practices in accordance with Article 13 of the GDPR.
This article provides that, where personal data are collected from the data subject, the controller must, at the time the data are obtained, provide the data subject with a range of detailed information.
This information includes the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients of the data, and other details relating to the protection of personal data.
Article 14 of the GDPR sets out similar requirements for cases where the personal data have not been obtained directly from the data subject.
In this article, we will guide you through the steps to put in place an effective privacy policy for your B2B or B2C website.
You can also be assisted by a GDPR lawyer.
The first step in drawing up a privacy policy is to understand the data you collect and how you use it. This may include contact details, IP addresses, transaction data and other information relevant to your business.
You must also take into account local data protection laws, such as the GDPR in Europe.
In many countries, in particular in the European Union and the United States, having a privacy policy is a legal requirement for websites.
Next, you must clearly inform the users of your website (i) about the types of data you collect, (ii) how you collect it and (iii) how you use it. This can be done through a privacy policy accessible from any page of your website under a clear heading ("privacy policy", "privacy page" or "personal data"), so that your users understand that information about the data collected about them can be found on this page.
Finally, you must ensure that you provide information on the intended processing of the data collected or, where necessary, that you obtain the user's consent before collecting any data. This collection must be accompanied by the implementation of appropriate security measures to protect that data.
In France, this obligation stems from the duty of transparency regarding the data collected and the processing purposes for which it is collected, in particular in accordance with Article 13 of the GDPR.
To this end, a link to a dedicated page, with a recognisable name, must appear at the bottom of every page of your website.
A privacy policy for an e-commerce website must include information about the data you collect during the transaction, such as payment and shipping details. You must also inform users about how you will use this data and how you will protect it. Be sure to also mention your return and exchange policy in your privacy policy.
Unlike a showcase website, the information collected will probably be more extensive and serve other purposes. Moreover, this also means that the points at which such data is collected on the website will be more numerous.
Please note that if you use third-party providers to deliver your products, run email campaigns or track your users' activity, these providers must be identified as processors in your policy, and their contact details provided.
Without being exhaustive, a privacy policy must include the following elements:
The privacy policy must be drafted by the data controller, which may be the company itself or a natural or legal person mandated for that purpose. It may also be your lawyer.
There are several parties who can assist you in drafting your privacy policy, such as LegalTechs, IT service providers or a lawyer.
Please note, as a reminder, that providers other than lawyers must not give legal advice on this regulation.
Accordingly, it is advisable to use a lawyer, who will provide you with a full review of your GDPR analysis in order to ensure your compliance with French and European law.
When we talk about privacy rules, we are in fact referring to the regulations on the protection of personal data, governed (i) in Europe by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018 in the European Union, and (ii) in France by the "French Data Protection Act" (initially adopted in 1978, it has undergone several amendments since, in particular to bring it into line with the EU GDPR).
This regulation aims to strengthen the protection of users' personal data by imposing obligations on companies that collect and process such data. In particular, it requires that users be informed of how their data is collected, used and stored.
Legal notices and the privacy policy are two pieces of information that websites must make accessible to their users.
To find out more about legal notices, you can read the following article: "Legal notices for an e-commerce website!"
Legal notices serve to describe the identity and legal information of the company, whereas the privacy policy concerns the way in which users' personal data is collected, processed and stored.
The two are therefore complementary, but distinct.
In conclusion, the privacy policy is an essential element for any website that collects personal data. It must be clear and concise, and contain the essential information regarding data processing.
It is governed by the GDPR and its drafting must be entrusted to a competent data controller. Companies must therefore take care to comply with their legal obligations regarding the protection of personal data and to inform users of how their data is processed.
If you want to ensure the protection of your data and your website's compliance with the GDPR, do not hesitate to get in touch today. Click here for a free audit of your privacy policy and discover how we can support you in navigating the world of personal data protection with complete peace of mind.
To learn more
Yes. The GDPR imposes a duty to inform: as soon as you collect personal data, you must inform the data subjects (Articles 13 and 14). This applies to a showcase website, an e-commerce website, a platform or an application. The absence of a privacy policy exposes you to penalties from the CNIL.
It must specify the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients of the data, the retention periods, the rights of data subjects (access, rectification, erasure) and how to exercise them. The content varies according to the categories of data collected and their purpose.
Legal notices identify the website's publisher and host; this is an obligation arising from the French Act for confidence in the digital economy. The privacy policy, on the other hand, falls under the GDPR and concerns the processing of personal data. These are two distinct and complementary documents, both mandatory.
The structure is similar, but the content differs. The categories of data collected and the purposes are not the same depending on whether you are addressing professionals or consumers. The policy must reflect your actual processing operations: simply copying a generic template does not protect you.
A breach of the GDPR's duty to inform exposes you to penalties from the CNIL, which can reach substantial amounts, as well as to complaints from data subjects. Beyond the legal risk, a missing or poorly drafted policy undermines users' trust and your reputation.
Yes. It must be updated as soon as your processing operations evolve: a new tool collecting data, a new provider, a new purpose, a change in retention period. A static policy that no longer matches the reality of your processing operations loses its protective value and exposes you in the event of an inspection.
Templates exist, but they rarely describe your actual processing operations. An effective policy requires that you have mapped your data and your purposes. Assistance from a lawyer makes it possible to align the document with your business, avoid missing disclosures and secure your compliance with the GDPR.
It must be easily accessible, in practice via a link in the footer, visible from all pages. The information must be provided at the time the data is collected: a clear link at the point of forms and when cookies are placed is recommended.