What is a privacy policy?

What is a privacy policy? What is the purpose of implementing privacy policies? How should the information be presented to the data subject? What kind of information should it contain?

Introduction

In an increasingly digitalised world, the privacy of personal data is a growing concern for both individuals and organisations. Privacy policies have become essential tools to establish trust and ensure transparency in data handling.

What is a privacy policy?

A privacy policy is a legal document that details how an organisation collects, uses, stores and protects users’ personal information. This document is essential for users to understand what data is being collected, for what purpose and how it is handled.

What is the purpose of implementing privacy policies?

The ultimate goal is to enable the user to make informed decisions about the use of their personal data. Taking care with the language used and avoiding overly technical terms makes the policy easier to understand.

How should the information be presented to the data subject?

Information should be concise, transparent, easily accessible and in clear and simple language, so as not to confuse users. It is recommended that the complete information regarding the processing of personal data be provided in a single document or in a single location within the website, easily accessible from any page of the website, usually through a link in the footer. It should be structured in an organised manner, differentiated by well-defined sections. Finally, it needs to be regularly updated to reflect any changes in data handling practices or applicable regulations.

What kind of information should it contain?

  1. Identification of the controller

It is recommended that the privacy policy begins by identifying the entity responsible for the processing of personal data. This includes:

  • Name of the company.
  • Contact details (address, e-mail or telephone number).

  2. Contact details of the Data Protection Officer

In those cases in which the controller and the processor are required to appoint a Data Protection Officer, the DPO's contact details must be indicated, for example an e-mail address or an electronic form that allows the DPO to be contacted.


  3. Types of data collected

The policy should specify the types of personal data that are collected. These may include, but are not limited to:

  • Personal identification data: name, address, e-mail address, telephone number, etc.
  • Financial data: credit card information, bank accounts.
  • Browsing data: IP address, browser type, pages visited.
  • Sensitive data: medical information, religious beliefs.

  4. Purposes of data processing

It is mandatory to explain and detail all the purposes for which the personal data of data subjects are collected and used. It is advisable to group the purposes into categories. Some common purposes include:

  • Provision of contracted services.
  • Personalisation of the user experience.
  • Sending commercial and promotional communications.
  • Compliance with legal obligations.
  • Market research and statistical analysis.

  5. Legal basis for data processing

The policy should indicate the legal basis that legitimises the activity of each processing of personal data, which may be:

  • User consent: explicitly given for one or more specific purposes.
  • Performance of a contract: necessary for the performance of a contract to which the user is a party or for the implementation of pre-contractual measures at the user’s request.
  • Legal obligation: compliance with a legal obligation to which the controller is subject.
  • Legitimate interests: of the controller or of a third party, provided that the user’s fundamental rights and freedoms prevail. In this case, these interests must be specified in detail for each processing activity.

  6. Recipients of the data collected

Information is required on whether and under what circumstances personal data is shared with third parties. This includes:

  • Service providers: such as payment platforms, delivery services, marketing, etc.
  • Legal entities: where necessary to comply with a legal obligation.
  • Business partners: in case of joint marketing activities or other commercial agreements.

  7. Intention of the controller, where applicable, to transfer personal data to a third country or international organisation

  8. Users’ rights

The policy should detail the rights that users have in relation to their personal data, as well as the procedure for exercising these rights. These rights include:

  • Right of access: users may request access to their personal data.
  • Right of rectification: to correct inaccurate or incomplete data.
  • Right to erasure (right to be forgotten): to request the deletion of their personal data.
  • Right to restriction of processing: to restrict the use of their data in certain cases.
  • Right to data portability: to receive their data in a structured and commonly used format and to transmit it to another data controller.
  • Right to object: to object to the processing of their personal data in certain circumstances.
  • Right to lodge a complaint with the supervisory authority.

  9. Data retention periods

The policy should specify how long personal data will be retained and the criteria used to determine this period. For example:

  • For the time necessary to fulfil the purpose for which they were collected.
  • As long as required by the applicable regulations.
  • Until the user requests their deletion, provided there is no legal obligation that requires them to be retained.

  10. Information on the existence of automated decisions (including profiling)

In such cases, information should be provided on the logic applied and the significance and expected consequences of such processing for the data subject.

  11. Changes to the privacy policy

Inform users about how modifications to the privacy policy will be communicated and about their right to be informed of these changes. It is also important to explain the procedure for accepting or rejecting such changes.

  12. Contact details for enquiries

Provide clear information on how users can contact the company to resolve queries or exercise their data protection rights.
