In this guide you will learn about:
This guide was written in plain language, aimed at regular everyday readers. No fancy legalese, so dive in and enjoy the read.
It certainly won’t give you all the answers, but it will show you why a company processes personal data, what it processes, and with whom it shares it.
The General Data Protection Regulation (GDPR) of the EU, on the other hand, does not explicitly require one, but it requires businesses to provide users with information on their personal data operations under the transparency and accountability principles.
Unlike the CCPA, it is not explicit about the information that must be provided to users, but it is sprinkled with many requirements about what a business needs to tell users in order to satisfy transparency and accountability.
1. Identity of the data controller
You have to tell your users who you are. No need to get into too much detail or write too much prose. Providing your business name, address, and state or country of incorporation would be enough.
If you run a business or a simple blog as an individual, your name along with location or email address would be enough.
2. The categories of personal data you collect and/or process
Categories of personal data can be a person’s name, alias, home address, email address, ZIP code, phone number, ID number, passport number, Social Security Number, etc.
Personal data under the GDPR also includes health data, information about private life, IP addresses, political views, religious views, or any other information that could be directly or indirectly linked to an individual. Therefore, anything can be a category of personal data as long as it can identify a person, either by itself or in combination with other data.
3. How you collect and/or process personal data
Here you should describe the methods of data processing. In most cases, either:
- Users give you their data, such as when they give you their name and home address for delivery of goods, or
4. The purposes of data processing
Transparency under the GDPR means that you have to disclose to users why you need their personal data processed. Purposes of processing may include:
- Analytics purposes, such as collecting statistics about website visits with Google Analytics or website usage with Hotjar,
- Marketing purposes, such as when you collect their email to send them marketing materials, or track their online behavior to serve them ads relevant to such behavior,
- Preferences, such as processing data to remember language preferences of a specific website visitor,
- Customer support, such as when you collect a user’s email address or phone number to reach back out to them to solve a customer issue,
5. With whom you share personal data
You likely use third-party tools to collect and process data, such as Google Analytics, Facebook Pixel, Hotjar, Mailchimp, and others. In order to process your users’ personal data with these tools, you need to disclose that you share personal data with them.
6. Data subject rights
The GDPR calls users data subjects. When you collect personal data of a user, they become your data subject.
Data controllers, meaning the businesses that collect data and have it processed on their behalf, owe data subjects certain rights. These rights include the right to be informed of the processing, the right to have data deleted, the right to object to processing, and so on.
If you have to comply with multiple data protection laws at once, then you have to list all the rights that each of the laws grants to data subjects.
For example, compliance with the CCPA requires providing information on the sales of personal information. It is unique for the CCPA and is not required by the GDPR, LGPD, PIPEDA, or other laws.
So, if you need to comply with the CCPA, in addition to all other elements, you need to add those specific to this law.
7. How users can exercise their data subject rights
In most cases, providing an email address would be enough. Some businesses may also provide a contact form, a phone number, or any other means for exercising these rights.
8. Data transfers to third countries
Data transfers to third countries are arguably the trickiest issue for businesses that need to comply with the GDPR. Transfers within the Union and to adequate countries are free, but any other transfer requires additional transfer tools and possibly further protection measures.
No matter how and where you handle personal data, users have the right to know whether it is transferred to third countries, and if so, where it is being sent.
9. Children’s personal data
If you knowingly collect and process children’s data, that must be included in this document.
10. Contact information
If you have a Data Protection Officer or legal representative in the EU, their name and contact information go here. Otherwise, any means for contact with you would be enough to include in this section.
We assume that you never bothered reading privacy policies and that you always accept cookies.
Companies that are serious about GDPR compliance, as well as compliance with any other data protection law, have comprehensive privacy policies.
Such companies are rare, though. Most online businesses collect lots of data, including data they are not even aware they collect and process.
If you notice a bunch of social media widgets on a website, that’s usually a sign of data collection.
If you are not sure what the website you visit does about your personal information, scan it for free on WebCookies.org and get the answers you need.
The scan report will also tell you with whom they share your personal data. It is impossible for an online business to do everything by itself, so it outsources many processes to third parties, i.e. SaaS companies that manage some processes on its behalf.
In many cases, outsourcing involves sharing users’ personal data. For example, sharing the IP address with Google Analytics, sharing email addresses with Mailchimp, and so on.
It is written in plain language, is easy to navigate, and easy to understand. It signals that the company wants to be transparent toward the users.
Check out the purposes of data processing
The section on data processing purposes unveils the motives behind the personal data processing. Businesses are obliged to tell users what makes them want to collect and process data.
The most common purposes for data processing include, but are not limited to:
Provide you with products or services. They sell something and you have to provide your personal data, such as your name, email address, home address, postal code, or other data they need to deliver the product or service to you. The execution of a contract is a lawful basis for data processing under the GDPR and doesn’t require additional consent.
Marketing/Advertising purposes. When a business collects and processes personal data for marketing purposes, that means that they target customers based on the data they share with third-party services.
Examples for such services are social networks. They all provide advertisers with tracking pixels. These pixels track the web pages you visit online, match that activity with the data you have shared with them through your social media profile, and serve your profile as a potential buyer to the business.
Analytics purposes. Virtually every website on the internet uses some kind of analytics tool, such as Google Analytics, Plausible, Mixpanel, and others. Some of them collect personal data, others do not.
Check out which analytics tool they share data with in the section where they disclose the third-party tools they use.
Preferences. Businesses may collect your personal information to adjust the website to your preferences and improve your user experience. This may include accessibility adjustments, language, and others.
These are usually useful cookies that make the user’s life easier, but they collect personal data anyway, so consent is required before using them.
These are the most common processing purposes, but not the only ones. Different business activities lead to different processing purposes, so it is impossible to include them all here. However, most of them belong to these categories.
Shopify, for example, uses more descriptive language to describe their purposes.
Instead of analytics purposes, they say “providing reporting and analytics” and “testing out features and additional services”.
Instead of execution of a contract, they say “answering questions or providing other types of support” (which is part of the execution of a contract).
Marketing purposes are described as “assisting with marketing, advertising, and other communications”.
Having read this, you can understand that they monitor the usage of their website because, like many other large companies, they take user experience seriously and don’t hesitate to use personal data to figure out what a specific user wants from the website.
Also, you could understand that they use tracking tools to serve you with ads with tailored messages that are likely to interest you.
Finally, they have a purpose that serves their legitimate interest (fraud prevention) and some specific to their business (help merchants find and use apps in the app store).
Check out the categories of data collected
The next thing you should check is what the business needs in order to fulfill these processing purposes.
Fulfilling each purpose requires processing of a certain category of personal data. So, now you need to see how categories of data processed relate to the purposes.
If the business collects your email address to send you a newsletter, then such a category of data relates to the purpose. Without the email address, the business could not send you the newsletter.
If an app requires access to the photos on your smartphone to provide you with image editing services, then that is adequate to the processing purpose. But if they request your geolocation data to provide you with an app that adds filters to photos, this is an obvious red flag. That app doesn’t need to know where you are at any given moment. They may use the data for something else, or even sell it for money.
See how Shopify solves the transparency requirement in relation to categories of data:
This table explains what categories of personal data they collect and how they use it.
Some businesses are not as transparent as Shopify, but it doesn’t mean they are not compliant. If you doubt their privacy practices, you can submit a data subject request and have your questions answered.
Where Do They Transfer Personal Data?
The GDPR forbids businesses from exporting personal data to countries where data protection is below EU protection levels, unless they have a lawful basis to do so or possibly implement supplementary data security measures.
However, you can understand whether the data is being transferred outside of the European Union or not by having a look at the third parties to whom they disclose information.
This image shows some of the third parties they use for data processing. Many of them (and all of those in the image) are headquartered in the United States, which makes them subject to US law and may mean that the data is being transferred to the US. That makes things tricky in terms of the GDPR, because such a transfer requires supplementary protective measures.
Lawful Basis for Data Processing
The GDPR allows businesses to process data only if they have a lawful basis to do so. The lawful bases listed in Article 6 of the GDPR include:
- Explicit user consent
- Performing a contract
- Legitimate interests
- Vital interests of the user
- Public interest
- Compliance with laws, investigations, etc.
The two most common lawful bases are explicit consent and the performance (execution) of a contract.
Businesses usually obtain consent by using a cookie banner that appears on arrival, giving the user the opportunity to accept or refuse the cookies by clicking on a button.
How to Draw the Lines
Basically, you need to ensure that:
- The categories of data processed are aligned with the purposes of processing
- The third parties’ business involves processing data for such a purpose
- The business has a lawful basis to process the data, such as your explicit consent, performing a contract, legitimate interest, or others
- The data transfers to third countries are lawful, and
Let’s imagine that an online business has collected your email address to deliver you a PDF on a subject that interests you. You gave them your email, they sent you the PDF. They also asked you if they could send you their weekly newsletter with marketing offers. You ticked the checkbox.
Now they have your email address. You have the PDF and their marketing materials.
They collected and processed your personal data for the purpose of executing a contract (sending the PDF) and for marketing purposes (sending the promo newsletter). They do not use the email address for anything else. They use Mailerlite, which is a Lithuanian company with servers in the EU.
This means that they have adequate purpose for processing the email address, have a lawful basis to do so, and do not transfer data outside of Europe. That’s compliant with the GDPR and a nice privacy practice.
If they upload your email address to the Facebook Lookalike Audience tool and transfer your data to the US… well, that would be a violation of the GDPR, and of many other similar data protection laws.
If you sign up for Shopify, they will monitor your behavior with Hotjar to see how you use the website and, when they gather enough information about that, make improvements. They have a valid purpose, a third-party tool to execute on the purpose and collect information on your behavior – that is all aligned and a valid privacy practice as long as they obtain your consent for the collection of personal information.
If you cannot determine this yourself, just reach out to a professional.