GDPR

Drafting a privacy policy

Discover how a robust privacy policy can protect your personal information, strengthen your online security and ensure worry-free browsing: everything you need to know is here!

Reading time:

7 min

Discover how a robust privacy policy can protect your personal information, strengthen your online security and ensure worry-free browsing: everything you need to know is here!

It is also a legal requirement in many countries, including the European Union and the United States, whether you operate:

  • A showcase website (landing page)
  • An e-commerce website
  • A digital platform (social network, rating platform, exchange platform, etc.)
  • Any kind of application (intranet, mobile application, B2B application).

The required disclosures are not identical in every case, however: they depend on the categories of data collected and on the purposes of the processing. The privacy policy ensures the protection of your users' personal data and transparency in your data processing practices, in accordance with Article 13 of the GDPR.

Article 13 provides that, where personal data are collected from the data subject, the controller must, at the time the data are obtained, provide the data subject with a range of detailed information.

This information includes the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients of the data, and other details relating to the protection of personal data.

Article 14 of the GDPR sets out similar requirements for cases where the personal data have not been obtained directly from the data subject.

In this article, we will guide you through the steps to put in place an effective privacy policy for your B2B or B2C website.

You can also be assisted by a GDPR lawyer

How to draw up a privacy policy?

The first step in drawing up a privacy policy is to understand the data you collect and how you use it. This may include contact details, IP addresses, transaction data and other information relevant to your business.

You must also take into account local data protection laws, such as the GDPR in Europe.

In many countries, in particular in the European Union and the United States, having a privacy policy is a legal requirement for websites.

Next, you must clearly inform the users of your website (i) of the types of data you collect, (ii) how you collect it and (iii) how you use it. This can be done through a privacy policy accessible from every page of your website under a clear heading ("privacy policy", "privacy page" or "personal data"), so that your users understand that information about the data collected about them can be found on this page.

Finally, you must ensure that you provide information on the intended processing of the data collected or, where necessary, that you obtain the user's consent before collecting any data. This collection must be accompanied by the implementation of appropriate security measures to protect that data.

Is it mandatory to have a privacy policy?

In France, this obligation stems from the duty of transparency regarding the data collected and the processing purposes for which it is collected, in particular in accordance with Article 13 of the GDPR.

To this end, a link to a dedicated page, bearing a recognisable name, must appear in the footer of every page of your website.

How to draft a privacy policy for an e-commerce website?

A privacy policy for an e-commerce website must include information about the data you collect during the transaction, such as payment and shipping details. You must also inform users about how you will use this data and how you will protect it. Be sure to also mention your return and exchange policy in your privacy policy.

Unlike a showcase website, the information collected will probably be more extensive and serve other purposes. Moreover, this also means that the points at which such data is collected on the website will be more numerous.

Please note that if you use third-party providers to deliver your products, run email campaigns or track your users' activity, these providers must be identified as processors in your policy, and their contact details provided.

What are the important elements to include in a privacy policy?

Without being exhaustive, a privacy policy must include the following elements:

  • The types of data you collect;
  • How you collect the data;
  • How you use the data;
  • How you protect the data;
  • How you share the data with third parties;
  • How users can exercise their data protection rights;
  • What processing operations are carried out;
  • How the data is transferred outside the European Union.

Who must draft the privacy policy?

The privacy policy must be drafted by the data controller, which may be the company itself or a natural or legal person mandated for that purpose. It may also be your lawyer.

There are several parties who can assist you in drafting your privacy policy, such as LegalTechs, IT service providers or a lawyer.

Please note, as a reminder, that providers other than lawyers must not give legal advice on this regulation.

Accordingly, it is advisable to use a lawyer, who will provide you with a full review of your GDPR analysis in order to ensure your compliance with French and European law.

What are the privacy rules?

When we talk about privacy rules, we are in fact referring to the regulations on the protection of personal data, governed (i) in Europe by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018 in the European Union, and (ii) in France by the "French Data Protection Act" (initially adopted in 1978, it has undergone several amendments since, in particular to bring it into line with the EU GDPR).

This regulation aims to strengthen the protection of users' personal data by imposing obligations on companies that collect and process such data. In particular, it requires that users be informed of how their data is collected, used and stored.

What is the difference between legal notices and a privacy policy?

Legal notices and the privacy policy are two pieces of information that websites must make accessible to their users.

To find out more about legal notices, you can read the following article: "Legal notices for an e-commerce website!"

Legal notices serve to describe the identity and legal information of the company, whereas the privacy policy concerns the way in which users' personal data is collected, processed and stored.

The two are therefore complementary, but distinct.

In conclusion, the privacy policy is an essential element for any website that collects personal data. It must be clear and concise, and contain the essential information regarding data processing.

It is governed by the GDPR and its drafting must be entrusted to a competent data controller. Companies must therefore take care to comply with their legal obligations regarding the protection of personal data and to inform users of how their data is processed.

If you want to ensure the protection of your data and your website's compliance with the GDPR, do not hesitate to get in touch today. Click here for a free audit of your privacy policy and discover how we can support you in navigating the world of personal data protection with complete peace of mind.

To learn more

Is a privacy policy mandatory?

Yes. The GDPR imposes a duty to inform: as soon as you collect personal data, you must inform the data subjects (Articles 13 and 14). This applies to a showcase website, an e-commerce website, a platform or an application. The absence of a privacy policy exposes you to penalties from the CNIL.

What must a compliant privacy policy contain?

It must specify the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients of the data, the retention periods, the rights of data subjects (access, rectification, erasure) and how to exercise them. The content varies according to the categories of data collected and their purpose.

What is the difference between a privacy policy and legal notices?

Legal notices identify the website's publisher and host; this is an obligation arising from the French Act for confidence in the digital economy. The privacy policy, on the other hand, falls under the GDPR and concerns the processing of personal data. These are two distinct and complementary documents, both mandatory.

Must the policy be the same for a B2B and a B2C website?

The structure is similar, but the content differs. The categories of data collected and the purposes are not the same depending on whether you are addressing professionals or consumers. The policy must reflect your actual processing operations: simply copying a generic template does not protect you.

What is the risk of not having a compliant privacy policy?

A breach of the GDPR's duty to inform exposes you to penalties from the CNIL, which can reach substantial amounts, as well as to complaints from data subjects. Beyond the legal risk, a missing or poorly drafted policy undermines users' trust and your reputation.

Should you update your privacy policy?

Yes. It must be updated as soon as your processing operations evolve: a new tool collecting data, a new provider, a new purpose, a change in retention period. A static policy that no longer matches the reality of your processing operations loses its protective value and exposes you in the event of an inspection.

Can you draft your privacy policy yourself?

Templates exist, but they rarely describe your actual processing operations. An effective policy requires that you have mapped your data and your purposes. Assistance from a lawyer makes it possible to align the document with your business, avoid missing disclosures and secure your compliance with the GDPR.

Where should you place the privacy policy on your website?

It must be easily accessible, in practice via a link in the footer, visible from all pages. The information must be provided at the time the data is collected: a clear link at the point of forms and when cookies are placed is recommended.
