This article is written by Garima Gunjan, pursuing Diploma in Advanced Contract Drafting, Negotiation, and Dispute Resolution from LawSikho. The article has been edited by Anahita Arya (Senior Associate, LawSikho) and Dipshi Swara (Senior Associate, LawSikho).
Introduction
The General Data Protection Regulation (GDPR) is a game-changing framework that came into force on May 25, 2018. It took effect in every country of the European Union (EU), building on the data protection rules that were in force at the time, but it raised the level of protection for EU citizens considerably. The law gives EU citizens control over their own data and is suited to the current technology era. Since almost every site you visit now collects data, GDPR has set a standard for how data-related laws should be implemented in order to protect a private citizen’s privacy.
A privacy policy is the part of a website that describes how the entity behind it collects, protects, uses, and stores the personal information it gathers from site users. Personal information such as name, date of birth, gender, residential and IP (Internet Protocol) address, and social security number is generally collected only after the user has given permission. The exact definition of personal information, and what may be collected, varies with local legislation. A region’s privacy policy legislation defines how entities must meet their legal obligations and what penalties a company may face if it fails to protect this data. This article explains how a recently launched start-up should draft the privacy policy for its official site.
Meaning of GDPR
Every company, irrespective of the country in which it is based, must comply with GDPR if it does business with citizens of EU countries. The European Parliament and Council introduced GDPR so that global ventures operating websites and desktop or mobile apps collect personal data only with the consent of EU citizens. If a company processes or collects personal data belonging to EU citizens, it must comply with GDPR; non-compliance may result in the authorities imposing hefty fines on the company.
GDPR requires companies to adopt both technological and organizational measures to protect users’ data. An organization that deals with EU customers needs to appoint a Data Protection Officer and train its staff in the handling of sensitive data. On the technological side, staff should be taught about data encryption, data classification, deletion of data, management of consent, acting on requests for changes, and data loss prevention.
To comply with GDPR, the company must tell its site users, in clear and simple language, why their data is being processed and for how long it will remain stored with the company.
For example, if your start-up has users and customers in EU countries and processes their personal data, you must tell those users what personal information is collected, how it is collected, how it will be used, how it will be secured, whether it will be shared with third parties, and what control users have over it.
Significance of privacy policy
A privacy policy sets out how an organization obtains personal data and processes it for its own requirements. If a company has a strict privacy policy, consumers are more likely to trust the organization and to make frequent purchases from its site. A well-drafted privacy policy details what information is collected, the parties with whom it is shared or sold, and the ways in which it is analyzed.
Consumers’ transaction habits depend heavily on whether a company’s privacy policy is trustworthy. Organizations therefore take the utmost care in drafting their privacy policies in line with the applicable laws and legal jurisdiction. A company’s privacy policy gives a crisp, general description in layman’s terms so that users know how and where their data is being used.
Why is a privacy policy needed?
Under the GDPR, a company that fails to draft a privacy policy is liable to a fine of up to 4% of its annual revenue or €20 million, whichever is higher. Even if the offence is found during investigation to be less serious, the fine may amount to 2% of the company’s annual revenue or €20 million, whichever is higher.
A privacy policy under GDPR is intended to help EU citizens understand how the companies with which they share the requested data use that data, and to file complaints if they discover that their data has been misused in some manner. Personal information is an integral part of the digital economy, and the consent of EU citizens is needed before it is used.
When the GDPR took effect, many big names such as Google, H&M, and British Airways were fined hefty amounts for not complying with these norms. Several other companies and news providers also refused to bring their privacy policies into line with GDPR and, as a result, were blocked across Europe.
If a company’s privacy policy complies with GDPR, its customers and users can feel that their data is being processed safely. They may also be more willing to try new services or products that the company launches in the future.
How can privacy policy be drafted under GDPR for a startup?
While drafting a GDPR privacy policy for a start-up, address each user right in a separate clause and include details specific to the start-up. Let’s see them one by one.
How are user rights being addressed?
Under the GDPR provisions, users have been granted certain rights so that they may be able to gain control over their data. Some of these rights are:
- The right to be informed,
- The right of access,
- The right to rectification,
- The right to erasure,
- The right to restrict processing,
- The right to data portability,
- The right to object.
These rights can be related to any personal information that the company collects from its users.
For example, suppose there is an Indian start-up called ‘Fellon’ with customers from the EU; it could address the user rights under GDPR with the following clause:
“You have the right to ask us not to process your personal information for marketing purposes. You can exercise your right to prevent such processing by checking or unchecking the relevant boxes on the forms we use to collect your data. If you wish to exercise this right, please email us at [email protected].”
How does the user’s consent have to be obtained?
Under Article 7 of GDPR, a company has validly obtained a user’s consent to the collection of their personal data only where the user has freely given an affirmative consent.
If ‘Fellon’ wishes to obtain its users’ consent before collecting personal information, it may do so in the following manner:
“We want you to know exactly how our services work and why we require your registration details. Please state that you have read these terms before you continue.
__ I agree to the terms and conditions.”
How can data be modified or deleted?
According to Article 4(11) of GDPR, a user who believes that their data is out of date or contains errors can ask the company to modify it. The company must comply with this request without undue delay.
For example, ‘Fellon’ could include this right in the following clause:
“If you have registered an account on Fellon, we provide you with tools and account settings (link) to access, correct, delete, or modify the personal data you provided to us or that is associated with your account. You can download certain account information by following the instructions here (link redirects to a page with details). You can request the correction, deletion, or modification of your data by following the instructions here (redirects to a page with details).”
How can personal data be utilized for some other purpose?
According to Article 4(10) of GDPR, if a company wishes to use its users’ personal data for a purpose other than the one for which the users gave consent, it may do so only after the users agree to the new purpose.
If ‘Fellon’ wishes to use its users’ data for some other purpose, it may draft the privacy clause in the following manner:
“Fellon provides you with a means to download the information you have shared through our services by clicking here (redirects to a page with details).”
How to resolve complaints?
According to Article 65 of GDPR, a company that receives a complaint from a user about its privacy policy must resolve that complaint as early as possible.
To handle complaints received from users, ‘Fellon’ would draft a clause as follows:
“If you have any concern about the way Fellon is handling your User Personal Information, please inform us immediately. You can email us at [email protected] so that your complaint reaches our Data Protection Officer (DPO) directly.”
Is data being used in automated decision-making?
According to Article 22 of GDPR, a company that intends to use collected personal data in automated decision-making must inform its users of this.
If ‘Fellon’ decides to use automated decision-making in providing services to its customers, the clause could be drafted as follows:
“Fellon may use automated decision making in processing your personal information for some services and products. You can request a manual review of the accuracy of an automated decision if you are unhappy with it.”
The purpose for collecting data
According to Article 13 of GDPR, this information must be provided to data subjects at the time their data is collected.
As ‘Fellon’ collects its users’ personal data and processes it accordingly, it may inform users of the purpose with the following clause:
“Fellon collects its users’ data to introduce new people to its products, improve the quality of the site, personalize and optimize content, and display ads on other sites.”
Period for which data shall be stored with the company
According to Article 5(e) of GDPR, users must be informed of the specific period for which their data will be stored and analyzed for the various purposes.
If ‘Fellon’ has a policy of storing users’ data for 36 months, it has to state this as follows:
“Fellon collects and uses data provided by its users only for providing services. The maximum period for which your data will remain with us is 36 months.”
What are the compliances related to GDPR Privacy Policy?
Under GDPR, a company’s privacy policy must explain and justify how it will use the personal data it collects from users. Personal data such as sexual orientation; genetic and health data; political affiliations and opinions; online data such as RFID tags, cookies, or IP addresses; ethnic or racial data; biometric data; and personally identifiable information such as names, social security numbers, and dates of birth must be protected in accordance with the GDPR privacy policy.
A start-up can make its privacy policy GDPR-compliant by providing the following rights to its users:
Right to be forgotten
Also known as the ‘right to erasure’ under Article 17(1) of GDPR, this right lets users ask the company’s data controller to remove their personal information without undue delay. Once the purpose for which the data was collected has been fulfilled, users have the right to request that their data be erased from the company’s database. It is also known as the right to data deletion.
Appointment of Data Protection Officers (DPO)
Article 37 of GDPR deals with the appointment of a DPO. Some companies are required to appoint a DPO to handle GDPR matters; whether one is needed depends on how user data is processed and on the size of the company.
Timely breach notification
According to Article 33 of GDPR, if a site complying with GDPR suffers a security breach, the company concerned must report it to both its data controllers and its customers within 72 hours. A company that fails to do so within that time frame can attract a fine.
Privacy by design
According to Article 25 of GDPR, companies should design their sites to comply with cybersecurity protocols, and the data collection process itself should be regulated. A company that fails to do so may face a fine.
Obtaining consent
According to Article 7 of GDPR, companies must state their terms for consent clearly, explaining the terms and conditions in simple language for users. Sites must allow users to withdraw their consent freely at any time.
Data portability
According to Article 20 of GDPR, users retain rights over the data they have provided to a company with their consent. Users can obtain that data from the company, and another company can use it for another purpose.
Sample draft of privacy policy under GDPR for a start-up
Let’s see how a GDPR privacy policy for the Indian start-up ‘Fellon’ mentioned earlier might look.
1. Privacy statement
The protection of your personal data is of great importance to Fellon Limited (“Company”) and its affiliates in the European Economic Area (the “EEA”) (together, the “Company Group”). This privacy policy (the “Privacy Policy”) therefore intends to inform you about how the Company Group entities, acting as data controller, collect and process the personal data that you submit or disclose to us. We also act as a data controller when we process your personal data received or obtained through third parties. We process this personal data in accordance with the applicable EU and Member State regulations on data protection, in particular the General Data Protection Regulation No 2020/382 (the “GDPR”). We encourage you to read this Privacy Policy carefully. If you do not wish your personal data to be used by us as set out in this Privacy Policy, please do not provide us with your personal data. Please note that in such a case, we may not be able to provide you with our services, you may not have access to and/or be able to use some features of the Website, and your customer experience may be impacted.
2. How do we use your personal data?
We will always process your personal data on one of the legal bases provided for in the GDPR (Articles 6 and 7). In addition, we will always process your sensitive personal data, for example concerning your trade union membership, religious views, or health condition, in accordance with the special rules provided for in the GDPR (Articles 9 and 10). We may collect and process your personal data for the purposes detailed below, which are required so that we can pursue our legitimate interests and provide you with adequate services and products:
- a. To ensure that content from our site is presented in the most effective manner for you;
- b. To notify you about changes to our service(s);
- c. To manage your customer account;
- d. To offer you products and services;
- e. To inform you about our policies and terms;
- f. To promote safety and security, such as by monitoring fraud and investigating suspicious or potentially illegal activity or violations of our terms or policies;
- g. To provide, improve, and develop our products, services, and advertising;
- h. To use personal information for purposes such as data analysis, research, and audits;
- i. To ensure business continuity.
3. What type of personal data do we use?
For the purposes specified under this Privacy Policy, we may collect the following categories of personal data:
- a. Name and surname,
- b. Title,
- c. Home address,
- d. Identification number (e.g., customer number),
- e. Location data,
- f. Email address (personal/professional),
- g. Telephone number (personal/professional),
- h. Employer,
- i. Credit card/bank account information,
- j. Recorded customer phone calls,
- k. Record of employee performance assessment,
- l. Recruitment information (e.g., CV, certificates, marital status, date of birth, reference letters).
We can obtain such personal data either directly from you when you decide to communicate such data to us (i.e., when you fill in forms displayed on the Website) or indirectly where such personal data is provided to us by your electronic communication terminal equipment or your Internet browser. We ensure that the personal data processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. How do we share your personal data?
We may share your personal data with Company Group entities and with third parties in accordance with the GDPR. Where we share your data with a data processor, we will put the appropriate legal framework in place in order to cover such transfer and processing (Articles 26, 28 and 29 GDPR). Furthermore, where we share your data with any entity outside the EEA, we will put appropriate legal frameworks in place, notably controller-to-controller and controller-to-processor Standard Contractual Clauses approved by the European Commission, in order to cover such transfers (Article 44 GDPR).
Strategic Partners: Subject to your prior consent, your personal data may be transferred to, stored, and further processed by strategic partners that work with us to provide our products and services or help us market to customers. Your personal data will only be shared by us with these partners in order to provide or improve our products, services and advertising.
Service Providers: We may share your personal data with companies that provide services on our behalf, such as hosting, maintenance, support services, email services, marketing, auditing, fulfilling your orders, processing payments, data analytics, providing customer service, and conducting customer research and satisfaction surveys.
Corporate Affiliates and Corporate Business Transactions: We may share your personal data with all of the Company’s affiliates. In the event of a merger, reorganization, acquisition, joint venture, assignment, spin-off, transfer, or sale or disposition of all or any portion of our business, including in connection with any bankruptcy or similar proceedings, we may transfer any and all personal data to the relevant third party.
Legal Compliance and Security: It may be necessary for us, by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence, to disclose your personal data. We may also disclose your personal data if we determine that, for purposes of national security, law enforcement, or other issues of public importance, the disclosure is necessary or appropriate. We may also disclose your personal data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our terms and conditions, investigate fraud, or protect our operations or users.
5. Our records of data processes
We keep records of all processing of personal data in accordance with the obligations established by the GDPR (Article 30), both where we act as a controller and where we act as a processor. In these records, we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities as required (Article 31 GDPR).
6. Security measures
We process your personal data in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage. We use appropriate technical and organizational measures to achieve this level of protection (Articles 25(1) and 32 GDPR). We will retain your personal information for as long as it is necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
7. Notification of data breach to the competent supervisory authorities
In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, we have the mechanisms and policies in place to identify it and assess it promptly. Depending on the outcome of our assessment, we will make the requisite notifications to the supervisory authorities and communications to the affected data subjects, which might include you (Articles 33 and 34 GDPR).
8. Processing likely to result in a high risk to your rights and freedoms
We have mechanisms and policies in place to identify data processing activities that may result in a high risk to your rights and freedoms (Article 35 GDPR). If any such data processing activity is identified, we will assess it internally and either stop it or ensure that the processing is compliant with the GDPR or that appropriate technical and organizational safeguards are in place before proceeding with it. In case of doubt, we will contact the competent Data Protection Supervisory Authority to obtain their advice and recommendations (Article 36 GDPR).
9. Links to other sites
We may provide hypertext links from the website on which this policy is stated to third-party websites or internet sources. We do not control and cannot be held liable for third parties’ privacy practices and content. Please read their privacy policies carefully to find out how they collect and process your personal data.
10. Updates to Privacy Policy
We may revise or update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective upon posting of the revised Privacy Policy. If we make changes which we believe are significant, we will inform you through the Website to the extent possible and seek your consent where applicable. For any questions or requests relating to this Privacy Policy, please email us at [email protected].
Conclusion
Start-ups should draft clear and understandable GDPR privacy policies with the help of trained lawyers. A start-up whose site or application collects data from its users has a responsibility towards those users, and visitors should be able to understand the legal terms without difficulty. Policies will vary with the needs of the start-up and the kind of services it provides, and should be drafted according to the requirements of the venture.