Whenever you collect personal data from a natural person, you have to inform the person about who you are, the purpose of the processing, the recipients of the data, how long you are keeping the data, and so on. One way to inform people is in a privacy statement.
There are two different cases in which you have to inform people about data processing:
- if personal data is collected directly from the concerned person
- if personal data is not collected directly from the concerned person but received from someone else.
In the second case, if you do not receive the data directly from the concerned person, you have to inform the person before you process the data for the first time, but at the latest within a month.
Here we will give you some information about how to update your privacy statement, e.g. for your website. However, for other activities you also have to inform people about your data processing and the corresponding information, such as purpose, contact details, ...
What you have to state in your privacy statement:
- for what processing activity you are collecting the data
  website tracking, newsletter,...
- data controller (contact details) or representative
  name, email, phone,...
- what is the legal purpose
  fulfilling a contract, consent,...
- if you are transmitting the personal data to other recipients
  cloud storage, newsletter software, accountant,...
- if you are transmitting the personal data to recipients outside the EU, what kind of security measures you are using to ensure data protection
  privacy shield, corporate binding rules,...
- how long you are going to save the data
  general inquiries for 6 months, tracking data for 14 months,...
- how the user can exercise his/her rights to access, cancellation, restrict processing, data portability and the right to object
  state a contact and inform about local authorities
- if you have automated decision processes (profiling) you have to inform the users as well
You should publish this privacy statement, e.g. on your website.
There are many privacy generators online; however, you will have to check their quality and whether all obligatory information is included.