You have the perfect website. Now you need to create the corresponding privacy policy, because only with a complete privacy policy does your internet presence become GDPR compliant. Easy peasy, you think. After all, the Internet offers a variety of generators for website privacy policies.
It is true that the generators take a lot of effort off your hands. Nevertheless, we have noticed that only in very few cases can the privacy policy for an individual website be created entirely by a generator.
In this post, we explain how you can proceed when you want to create the complete and thus GDPR compliant privacy policy for your website. In addition, we will show you how to write missing passages of the privacy policy yourself.
In a nutshell: Create your own privacy policy
- Check the technical and content parts of your website for data protection relevance.
- Create the general part of the privacy policy and common content through a generator.
- Is there relevant content left over from the website audit that must be included in the privacy statement but for which the generator returned no result? Create these parts of the privacy policy yourself.
- Create the content according to the requirements of the duty to inform under GDPR Art. 13 and Art. 14. The privacy policy consists of a general part, which contains general information about the company and the rights of the data subjects. The specific part lists the purpose for which data is processed, stored and, if applicable, passed on.
Please note that this article is not legal advice.
What is the structure of a privacy policy?
The passages of a privacy policy always have the same content. It corresponds to the duty to inform according to GDPR Art. 13 and Art. 14.
I will explain further down in the article how you can proceed if you want or need to create a privacy policy yourself.
General section of the privacy policy
What is special about the privacy policy is that there are points which apply to the entire privacy policy. It is enough if you specify them once – usually at the beginning. Generally, these are the points:
- Contact details of the person responsible for the website
- Contact details of the data protection officer (if any)
- Statement of rights of data subjects
- Existence of a right of appeal to the appropriate supervisory authority
Information on the various processing operations of personal data
On the other hand, there are points which differ from passage to passage. Therefore, these must be described individually in each passage. They will usually be the following points:
- Purpose and lawfulness of the individual processing
- Concrete recipients or categories of recipients for each processing operation (if applicable)
- Planned transfer of the data to third countries or international organizations and measures taken there to protect the data. It is common to link to the privacy policy of the respective organization for this purpose (only as far as it applies that they transfer data to non-EU countries)
- Storage period of the respective data
- Existence of automated decision making including profiling (if applicable)
Since each site is unique, an item listed here as passage-specific may turn out to apply globally, or vice versa. For example, it may be true for a site that no data at all is transferred to third countries. In this case, the point can be mentioned only once, in the general part of the privacy policy.
If a point does not apply, it can be mentioned for clarification or omitted. For example, profiling will rarely be used and can therefore be omitted.
How to create a GDPR compliant privacy policy for your website
Before using an online generator for your privacy policy, you need to know what is “happening” on your website. Due to the complexity of websites, data is transferred in the background – most of which you may not even be aware of. Maybe your theme (design) uses web fonts? Maybe you have a website extension / plugin installed which brings more functionality without being asked?
Does this sound absurd to you? From our experience, it is not. We have reviewed many client websites by now and in very few cases we have been able to use a “simple” privacy policy through a generator. Below, we explain our approach so that you know what to look for when creating a custom privacy policy.
Steps for creating a complete privacy policy for the website
- Identify the website extensions / plugins / cookies and other add-ons
- Analyze the results from point 1
- Check the content of the website
- Capture the social media profiles
- Create the privacy policy (generator plus own content if necessary)
In the following I briefly cover points 1 – 4. The last point “create the privacy policy” will be explained in more detail.
You can find further information on points 1-4, and thus on how to check which parts of your web presence are relevant to data protection, in a separate article: “How to check for GDPR website requirements yourself”.
Identify the website extensions
Identify all plugins / cookies and other extensions running on your website. These technical extensions can be either directly installed or programmed. It happens relatively often that a known extension brings along one or more further extensions that you are not even aware of. Nevertheless, such an “additional extension” is often relevant to data protection. In this case, it must be taken into account in the privacy policy.
For identification, you can use online services such as Datasky, BuiltWith or the browser plugin uMatrix. This is only a small selection – without rating and advertising. It is best to use several tools, since our experience has shown that each service shows a slightly different result. You will get a complete picture if you use different providers and merge all results.
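The online services named above show you the result of the same audit from the outside. As an added illustration (not part of the original post and not one of those tools), the following script performs the first pass offline on a copy of a page's HTML that you have saved yourself, together with the Set-Cookie headers the server sent: it lists every third-party host that scripts, iframes, images, stylesheets, fonts or forms load from or post to, and summarizes each cookie's scope, lifetime and flags. The page, host names and cookies it runs on are constructed sample data; treating everything under the site's own domain as first party is a simplification that is stated in the code.

```python
"""Inventory the third-party hosts and cookies of a web page.

Added illustration for the audit step; not from the original post.
Assumes you have saved the page's HTML (browser "save page" or curl) and,
optionally, the Set-Cookie headers the server returned.
All host names and cookies below are constructed sample data.
"""
from collections import defaultdict
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Which attribute of which element references an external resource.
RESOURCE_ATTRS = {
    "script": "src",      # tracking, tag managers, consent tools
    "iframe": "src",      # embedded videos, maps, rating widgets
    "img": "src",         # tracking pixels
    "link": "href",       # stylesheets, web fonts, preconnects
    "source": "src",      # <video>/<audio> sources
    "form": "action",     # forms posting to an external provider
}


class ResourceCollector(HTMLParser):
    """Collect (element, absolute URL) pairs for every referenced resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if value:
            # urljoin resolves relative and protocol-relative ("//cdn...") URLs
            self.refs.append((tag, urljoin(self.page_url, value.strip())))


def site_domain(page_url):
    """First-party domain of the audited site, with a leading 'www.' dropped."""
    host = urlsplit(page_url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def is_first_party(host, domain):
    # Simplification: everything under the site's own domain counts as first party.
    return host == domain or host.endswith("." + domain)


def third_party_inventory(html, page_url):
    """Map each third-party host to the sorted element types that load from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    domain = site_domain(page_url)
    found = defaultdict(set)
    for tag, url in collector.refs:
        parts = urlsplit(url)
        # Skip data:, mailto:, javascript: and similar non-network references.
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if is_first_party(parts.hostname, domain):
            continue
        found[parts.hostname].add(tag)
    return {host: sorted(tags) for host, tags in sorted(found.items())}


def cookie_inventory(set_cookie_headers):
    """Summarize each Set-Cookie header: name, scope, persistence and flags."""
    rows = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            rows.append({
                "name": name,
                "domain": morsel["domain"] or "(host only)",
                # A cookie with Max-Age or Expires outlives the browser session.
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "samesite": morsel["samesite"] or "(unset)",
            })
    return rows


# Constructed sample page and headers (not taken from any real site).
SAMPLE_PAGE_URL = "https://www.example.org/contact/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="//cdn.example.org/js/app.js"></script>
</head><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<img src="https://px.tracker.test/pixel.gif" width="1" height="1">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<form action="https://forms.provider.test/submit" method="post"></form>
</body></html>
"""
SAMPLE_SET_COOKIE = [
    "PHPSESSID=3f9a; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.1; Domain=.example.org; Path=/; Max-Age=63072000",
]

if __name__ == "__main__":
    for host, tags in third_party_inventory(SAMPLE_HTML, SAMPLE_PAGE_URL).items():
        print(f"{host:35} {', '.join(tags)}")
    for row in cookie_inventory(SAMPLE_SET_COOKIE):
        print(row)
```

Every host the script lists is a candidate recipient of personal data (at minimum the visitor's IP address) and therefore a candidate passage in the privacy policy; a persistent cookie set for a third-party domain is the classic sign of a tracking tool. Resources loaded only at runtime by other scripts are not visible in the static HTML, which is why the post recommends combining several tools and merging the results.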
Analyze the cookies / plugins and other add-ons found
Now you know the technical content that comes with your website. Then things become more difficult. You need to identify which parts of it are relevant to the privacy policy. Basically, it’s about whether personal data is
a) processed and / or
b) transferred to a third party (e.g. service provider).
Is this applicable? Then you must briefly outline the purpose for which the personal data will be processed or transferred.
For “known” add-ons to the website, the description of the purpose is no longer necessary. A good privacy generator from the internet will provide you with this information.
If there are cookies or plugins that you have not integrated into the website yourself, it is sometimes difficult to answer this question. We come across this issue relatively often when we check customer sites. However, without information about what exactly is actually happening on the website, it is not possible to create a legally compliant privacy policy.
For a suggestion on how to evaluate the content you have collected, read our post on website check (in German).
Check website content for privacy relevance
The first stage and the technical part are done. Now it’s time to sift through the content. The following categories of website content have to be considered for the privacy policy:
- Forms (which forms, purpose and required data)
- Newsletter distribution / newsletter signups
- Affiliate offers
- External media (e.g. videos on YouTube, podcasts…) – if they were not already identified via the technical analysis
- Content Delivery Networks (CDN) – probably these were also already found in the technical analysis
There are other points to consider for the GDPR compliant website. You can find these in the separate article “Website check”. For the privacy policy, this overview is sufficient.
Social media profile
A complete data privacy policy contains a summary of the company profiles used on social networks. So list all the company pages and fan pages in operation:
- YouTube channel
- …
Generate privacy policy
Now you have completed the elaborate preliminary work. The next step is easier.
Select a privacy generator and have it generate your privacy policy. Today, there is a variety of generators on the internet. Some are even free for private websites. We do not want to give any product recommendation at this point. However, we of course appreciate your personal feedback in the comments. So feel free to tell us about your experience!
When you start the privacy policy generator, the first thing you do is provide general information about your company. This should be easy.
For the detailed content, you now need to select what applies to your website. What do you have installed or programmed?
Here it pays off if you have done a good job in documenting the preliminary work. Check the boxes for all the content that you have on your website. For example, enable Google Maps or OpenStreetMap if you have included the service. Select Google Analytics or Matomo if you use one of these statistical tools.
Now go through the generator point by point. In your own “analysis report”, highlight the content that the generator covers in the privacy policy.
In the best case, you will have found all identified cookies and other website extensions in the generator at the end. Content like forms and newsletters are also covered. Perfect. In this case, copy the privacy policy from the generator and paste it into your website on a separate “Privacy Policy” page.
Are there any identified points left which were not covered by the privacy policy generator? Then you will have to create the missing paragraphs yourself. But don’t worry – it is not as hard as it might seem at first glance.
Write your own passages for the privacy policy
So now it’s down to the nitty gritty. As explained above, the privacy policy consists of a general part and the specific content for each procedure.
I will not go into detail about the general part here. You can find detailed guidance in the post on Duty to inform. However, it is likely that the privacy generator will have already created this general part for you.
Example of a passage of the privacy policy
Let’s describe a specific procedure with the help of an example. We will use the rating service “ProvenExpert” and are going to create the passage for ProvenExpert together.
| Element of the passage | Text for ProvenExpert |
| --- | --- |
| Purpose / Forwarding | Our website uses a plugin to collect ratings. You can leave a review for the service of Regina Stoiber. The data is stored by the provider ProvenExperts.com, Expert Systems AG, Quedlinburger Straße 1, 10589 Berlin. Based on your rating we can optimize the quality of our service and offers. Other users benefit from your ratings. |
| Data categories | For the rating, your e-mail address is stored for quality reasons. It is not displayed publicly. Other information about you is optional. |
| Legal basis | The data processing is based on your consent (GDPR Art. 6 para. 1 lit. a). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation. |
| Storage time | The data will remain stored until revoked. |
| Further notes on data protection | ProvenExperts’ privacy policy can be found at the following link: https://www.provenexpert.com/de-de/datenschutzbestimmungen/ |
Explanation of the privacy policy
Purpose
Briefly describe as best you can why you are processing the data. For what purpose do you collect and store the information?
Disclosure of data / transfer to a third country
If the data is passed on to a third party, then this must be stated specifically. You should list the recipient of the data including address. The recipient of the data can be a service provider who – as in this case – provides the web service. However, it can also be a recipient who takes over the further processing of the data for you.
Transfer to a third country applies if the recipient of the data is not located in the EU. In this case, in addition to the contact details, you should also indicate how you will ensure that the recipient complies with data protection requirements.
If there is no onward transfer of the data, whether in the EU or outside, you can omit this point completely. You do not need to explicitly state that there is no onward transfer. But of course there is nothing wrong with indicating this anyway.
Legal basis
The possible legal bases are mentioned in GDPR Article 6 (1). The main legal bases that may be relevant for privacy statements on websites are as follows:
- Article 6 (1) lit. a – Consent
  Consents are increasing due to the recent ECJ ruling (dated 1.10.19). If it was previously okay for Google Analytics to collect statistics based on a legitimate interest, it is now a voluntary consent. Consent always entails a right to object. So make sure to grant this right of objection as well (usually through a technical opt-out in the privacy policy).
- Article 6 (1) lit. b – contract or pre-contractual measures
  If there is an internal area, then this can usually only be entered through a purchase agreement or recognition of T&Cs. This would then be a contractual measure. Contact forms can also fall under this category.
- Article 6 (1) lit. f – legitimate interest
  In this case, you must provide additional explanation about what exactly the legitimate interest of the responsible party is. For example, the correct and optimized presentation of the website.
Storage period
Here you must specify how long the data will be stored. With consent, you normally have the storage period until revocation. With other legal bases, a period must usually be stated. For example, it could say “within the legal retention period”.
Profiling and automated decision making
Profiling or automated decision making will rarely take place, so you can usually omit this point. Otherwise, you must describe how the decision making / profiling takes place and what consequences this has for the data subject.
More privacy notices
If you have the option to link to additional privacy statements or notices from the service provider, do use that opportunity.
Conclusion
The difficulty of a legally compliant privacy statement lies not in the drafting itself, but in the preliminary work. In order to obtain a complete data privacy policy, you need to know your website down to the last detail.
Creating the privacy policy itself is less difficult. Use a generator and fill in missing points. The above points serve as a reference for what must be included in the passages and what is optional.
Help for creating a privacy policy
We are happy to support you with analyzing your website and / or creating the privacy policy. Please feel free to contact us by mail or phone without obligation.
Your experience with privacy policies
What is your experience with creating a complete privacy policy? We look forward to your comment.
FAQs
Where does a privacy policy belong?
The privacy policy must – just like the imprint – be easy to find. Courts differ in their interpretation of what exactly this means. We recommend a separate page “Privacy Policy” which can be reached from any other page with one click. In case you still want to have the privacy policy together with the imprint, the page or the link to it must be named accordingly: “Imprint and Privacy Policy”.
It is also important that you display the privacy policy properly for mobile devices. You can easily test this requirement. It is just as important that the link to the privacy policy (and the imprint) is not covered, for example, by the cookie banner.
What needs to be explained in the privacy policy?
A privacy statement follows the requirements of GDPR Article 13 and Article 14. The general part provides information about the responsible party (website operator and name of the data protection officer), the rights of data subjects and the right of appeal to the supervisory authority.
The second, detailed part refers to the content of the website. Write a specific passage about each operation on the website that processes data of the site visitors – for example, contact forms or newsletters, but also plugins, add-ons, tracking pixels and other website extensions embedded on the page.