According to the Data Protection Commissioner, a Website Privacy Statement is required if your site does any of the following:
- Collects personal data directly (visitors filling in web forms, feedback forms, etc.).
- Collects personal data covertly (IP addresses, email addresses, cookies).
The information in your statement has to be tailored to how your organisation actually processes personal data and must give visitors enough information to decide whether they wish to proceed. A blanket statement such as ‘All information collected on this site will be treated in line with the principles of GDPR’ is not sufficient; you need to explain how you comply.
Here is an overview of what you should include:
- Identity: the identity of your organisation should be clear on your site, including its name and contact details, such as an email address and postal address. Visitors should have a way of contacting you if they have a question about the processing of personal data on your site.
- Purpose: you must clearly state for what purpose the personal data is requested. Some purposes may seem obvious; for example, processing personal data in order to make a purchase, but the data could then be used for additional purposes such as profiling or future marketing. All purposes must be referred to in the privacy statement.
- Disclosure: if you intend to disclose the personal data to a third party, this must be stated in the privacy statement, unless this disclosure is required by law.
- Consent: consent is one of the lawful bases for processing under the GDPR, and where you rely on it, it must be freely given, specific, informed and unambiguous. It is good practice to outline your commitment to consent in the statement, to obtain it separately for each purpose for which the information is used, and to explain how a visitor can withdraw it later.
- Data Subject Access Rights: you must mention that data subjects have the right to access any personal data you hold relating to them, and that such requests will be handled within one month of receipt. You should state how a request should be made (e.g. provide an email address), what information the requester needs to supply, and what identification is required.
- Right of rectification, restriction, portability and erasure: under the GDPR, a data subject has the right to have their personal data corrected if it is inaccurate, or erased if you have no legitimate reason for retaining it. They may also ask you to restrict the use of their data while its accuracy is being checked or a correction is being made. They also have the right to portability of their data if they wish to move to another provider. You should comply within one month of receiving such a request. If you retain personal data, your Privacy Statement should refer to these rights and set out the procedure a person should follow when making such a request.
- Security: it is generally unwise to be too explicit about your security procedures in a public statement, since that level of detail is of more use to an attacker than to a visitor. You should nonetheless state that you take your responsibilities seriously, that you employ appropriate physical and technical measures, including staff training and awareness, and that you review these measures regularly.
- Data Breaches: you may consider stating your commitment to report any personal data breach to the DPC within 72 hours of becoming aware of it, to investigate any breach and put corrective action in place to prevent a recurrence, and to inform affected data subjects without undue delay where the breach is likely to result in a high risk to them.
- Accurate, complete and up-to-date: it is good practice to state how you keep personal data up-to-date and inform data subjects how they can review and update their own data.
- Data minimisation: the GDPR requires ‘data minimisation’, which means collecting only as much personal data as is necessary for the stated purpose. You should refer to this in your statement.
- Retention: you must define retention periods for each category of personal data. In your statement, you should set out these retention periods and how they are implemented, e.g. when data is deleted or anonymised.
- Complaint Resolution Mechanism: it is a good idea to have a process through which a customer can make a complaint in relation to their personal data, e.g. if they make a subject access request and it is not responded to within one month. The statement should also tell data subjects that they have the right to lodge a complaint with the DPC.
The Website Privacy Statement should be placed in an obvious location on your homepage. It is wise to link it from the website footer so it is visible on every page, and to link it from any contact form or other form where you request personal information.
If you have any further questions, feel free to get in touch with us at firstname.lastname@example.org or find out more about how we can support your GDPR implementation at https://dppl.ie/service/