Privacy Policy for your Website and Data Protection

What does “privacy policy” mean?

A privacy policy is a legal document that outlines how a website collects, processes, stores, shares, and protects individuals’ data, the purposes for doing so, and the rights of individuals in this regard.

It’s important to note that protecting users’ data is a fundamental right recognized in Article 18.4 of the Spanish Constitution, Article 8.1 of the Charter of Fundamental Rights of the European Union, and Article 16.1 of the Treaty on the Functioning of the European Union.

There is sometimes a misunderstanding that the legal notice and the privacy policy are the same document, but they are different. The legal notice regulates the website’s ownership and the rights and obligations that users have while browsing it. It also establishes the conditions for intellectual property on the website, leaving information on personal data to the privacy policy.


Having said that, what is the function of a privacy policy?

All websites interact with and collect data about their visitors in one way or another. This is even more applicable in the case of e-commerce sites, platforms or any other website that interacts with potential users, since offering a product or service usually requires collecting certain personal information.

How to create a privacy notice for your company?

You can find numerous free offers on the Internet to help you create the data protection policy for your website. There are ready-made templates for the general declaration on the collection and protection of user data and for special categories such as social networks (Facebook, Twitter, etc.), cookies, contact forms, or newsletter subscriptions.


Some websites also offer free privacy policy generators that combine the required sample texts and provide them in their final form, as text and HTML code.

Is it a good idea to use online privacy policy generators?

Templates and generators provide a good opportunity to draft the privacy policy of the website. However, one should not blindly trust the result. While templates serve as the foundation, they often need to be customized and completed individually. If you’re unsure whether your policy aligns with your company’s business model, it’s always advisable to seek additional advice from a legal expert, especially if you collect personal data on a large scale or through online SaaS platforms. Consulting with an expert is recommended due to the significant implications it can have for your company.

In any case, if you decide to use a template downloaded from a website, we recommend that you conduct a thorough review of all its clauses, especially those that indicate how personal data is obtained and stored, making whatever changes are necessary to adapt them to your reality.

It’s also important to highlight that the information you include should be transparent, easily understandable, comprehensive, and up-to-date. The regulation stipulates that the privacy policy should be written with consideration for the language used by your potential customers. Therefore, if your users are minors, I recommend that you review the language and avoid including highly technical terminology.

What are the consequences of non-compliance with the regulation?

Non-compliance with regulatory requirements can result in significant fines under Article 83 of the regulation: up to 10 million euros or, in the case of a company, up to 2% of the total annual global turnover of the previous financial year, and for the most severe infringements up to 20 million euros or 4% of that turnover.

Does the regulation apply to my company if established outside the European Union?

This regulation applies to all organizations (including non-profits) that access data or offer goods or services to individuals in the EU.

This means that the GDPR applies whether or not your organization is established in the EU. But what is the GDPR? The General Data Protection Regulation is the European regulation on the protection of individuals with regard to the processing of their data and on the free movement of such data.

Not only is a privacy policy essential to ensure compliance with legal requirements and maintain users’ trust but many third-party apps and services also require it to use their tools.

A clear example is Google. To access certain services and utilities (e.g., AdSense, Google Analytics, etc.), Google requires the site owner to have a comprehensive and up-to-date privacy policy on their website.

Here is an excerpt from Google Analytics terms of use:

“You must publish a privacy policy, and that privacy policy must disclose your use of cookies that are used to collect traffic data and must not bypass any privacy features (e.g., an opt-out) that are part of the Service”.


The GDPR details how individuals’ data should be collected, used, and protected, and how data subjects can exercise their rights over it.

In the context of the GDPR, personal data refers to any data related to an identified or identifiable living person. This includes pieces of information that, when combined, can lead to the identification of an individual. As mentioned in this article, there are very hefty fines for non-compliance, so it’s essential to be prepared.

Within the policy, you must identify those cases where a third party may have access to personal data, whether through third-party apps, widgets, social buttons, advertising service integrations, etc.

The privacy policy must be easily accessible, and, as mentioned earlier, it cannot use overly complex or indecipherable language (without unnecessary legal jargon).

EU regulations explicitly state that you must obtain the active and verifiable consent of individuals BEFORE collecting their data. Consent requires a positive opt-in: do not use pre-checked boxes or similar default consent mechanisms.

What are data protection rights?

The General Data Protection Regulation makes data protection in EU countries more transparent, understandable, and secure.

All users from whom personal data is collected have rights, also known as data subject requests. For example, the right of access (Article 15 of the GDPR) grants the right to obtain detailed information about the purposes of processing, potential recipients, the storage period, and the origin. In addition, users have, among other things, the right to rectification (Article 16 of the GDPR) and – under certain conditions – the right to erasure (Article 17 of the GDPR) of personal data.

When is data protection breached?

There are many ways to breach data protection law, but the main ones are data leaks, loss, or alteration of personal data.

Data protection is also often violated when an unauthorized third party accesses personal data hosted in your system.

Lastly, not allowing your users to exercise their rights (such as access, rectification, erasure, restriction, portability, and objection to processing) could be an infringement.

It should also be noted that a data breach is considered as such regardless of whether it occurs through negligence or carelessness, as a consequence of deception or a cyberattack, or deliberately, for example when the data controller discloses data to third parties without the consent and knowledge of the data subjects, or collects or processes personal data without the data subject’s permission or any other legitimate basis (as recognized in Article 6 of the GDPR).

What are the functions of the AEPD?

The main functions of the AEPD include:

    • Regulatory authority, as established by the Organic Law on Data Protection and Digital Rights Guarantee and through circulars periodically published to regulate scenarios not expressly covered by the regulation.
    • Conducting preventive audits of a specific sector of activity in order to issue applicable guidelines for that sector, as stipulated by Article 54 of the LOPD GDD.
    • Enforcement authority, meaning that it acts on complaints received regarding breaches of data protection regulations, whether the European Data Protection Regulation or the Spanish Data Protection Law.

What happens if I store personal data outside the European Union?

If you store personal data on servers outside the European Union, you must indicate this in your website’s data protection declaration, referencing possible different data protection regulations that may apply in the jurisdiction where the data is stored.


Do I have to notify if I make automated decisions with my users’ data?

If you make automated decisions, including profiling, you must provide meaningful information about the underlying logic. This means explaining what the automated decision is based on: the algorithm, calculation, or characteristics that the system uses for these actions. The critical point is to indicate the intended effects and the scope that such processing has for the data subject. The background is that, in principle, your users have the right to “not be subject to a decision based solely on automated processing, including profiling” (Article 22 of the GDPR). However, this right does not apply if the automated procedure is necessary for the conclusion or performance of a contract, is permitted by EU or member state law, or is carried out with the data subject’s explicit consent.

Key points:

  • If your website processes personal data, you must maintain a privacy policy that explains how you do it.
  • When preparing the privacy policy, you must consider the regulations applicable to the region where you do business and those of your potential users.
  • Non-compliance with the regulations can result in severe fines that affect the viability of your company.
  • While nothing prevents you from preparing your own template or downloading one of the many available on the internet, it is advisable to have it reviewed by an expert, as depending on your business model you may not be covered. This is especially true if you use a third-party SaaS system.
  • Your potential users must expressly accept the privacy policy, so the recommended approach is to publish it as a page on your website and link to it through a clear, prominent, and accessible button.

In general, a privacy policy is a vital part of the legal framework of any website and should not be underestimated. At Mylegalinbox, we have experience advising multinational companies on the implications of collecting personal data in multiple jurisdictions through online platforms. We can help you prepare a clear privacy policy to protect your company.