Privacy Policy for a company

The privacy policy of your project in 4 steps

The wording of the Privacy Policy, in any business project or in a startup, is usually a headache for entrepreneurs.

With the e-commerce boom of 2020, a year that is about to come to an end, many projects have been created in an exclusively online environment, and traditional companies have decidedly committed to digitisation.

Having a privacy policy that is understandable and meets the requirements of the GDPR is basic to the success of a digital business. It is hard to think of a business project nowadays in which personal data is not requested, especially in the B2C world: newsletter sign-ups, a contact form or the purchase of products are some examples of very common practices in which personal data is collected and that require careful thought about how your Privacy Policy should be designed.

It is obvious that not having a Privacy Policy on your website is an offence, as the AEPD reminded us in a recent resolution in which it fined a doctor €2000 for not having a Privacy Policy.

In this post, I will give 4 simple steps to configure your Privacy Policy, and these are things that you should think about as a business owner or entrepreneur because, although a specialist in GDPR or data protection is usually hired (in the best case scenario), he or she does not understand your business and, consequently, is unaware of your plans in relation to the data you are able to collect.

Before the 4 steps however, let me ask you the million-dollar question:

What if I copy any Privacy Policy that seems “serious” to me and add in the name of my company?

The temptation is great but so is the error. No matter how serious the company you want to “get inspired” by may seem to you, I assure you that the use it makes of its data has nothing in common with yours, so think twice before resorting to certain inspirations.


And now, the 4 steps for a good Privacy Policy:

STEP 1: Think carefully about what you want to do later on with the data collected.

It would not be the first case in which a “standard” Privacy Policy is used to collect personal data in a purchase process, indicating that the data will only be used to manage the order, and some time later (quite logically) you decide that you want to make commercial use of that data.

If you haven’t thought about it before, changing or modifying the purpose of data processing could be a problem. For this reason, as I said, when you include a data collection form, whatever it may be, think about what possible uses you foresee for that data to avoid this type of problem.

STEP 2: Use clear and transparent language.

Recently, the AEPD once again reminded us that expressions as common as saying that we will use the data “to get to know you better” or “to offer products suitable for you” are not considered clear enough. Avoid vague terms and overly legal terminology.

A good Privacy Policy can even be a differentiating factor from your competitors, so think beyond simply posting, without questioning them, the texts provided by the lawyer to whom you have entrusted this matter. He may know the regulation, but only you know what “tone” you want to give your project, even in something as “boring” as a Privacy Policy.

STEP 3: Make sure the Privacy Policy is expressly accepted.

Do not use pre-ticked or unticked boxes with texts such as “I do not agree to the use of my data” or “I do not want …”. Acceptance of the Privacy Policy must be express, so if the box is not ticked, the data is not sent. It’s as simple as that.

If you also want to do different things with the data, you should weigh up whether there should be as many boxes as the uses you foresee. Let me also remind you that you have a legal obligation to prove that the person has given you consent by keeping the necessary evidence.

STEP 4: Implement the information in a double layer.

Although this is not common yet, remember that it is mandatory for the data collection form to include the minimum information from the Privacy Policy, with access to the full text for whoever wants to consult it. This is known as two-layer information. As I said, it is not often seen, and the AEPD has not penalised any failure to use it, despite it being mandatory, as I have mentioned.

The time when a business or startup is established is usually marked by effervescence and creativity, with little thought given to legal issues such as the Privacy Policy. Thinking about these 4 points can save you future problems and in some cases, additional and unexpected costs.

If you want us to assess your business or project to create the best Privacy Policy for you, contact us!

    Information on data protection

    Company name
    Providing the service.
    Sending the newsletter.
    Legal basis
    Compliance with the service provision.
    Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.

    You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.

    Further information
    See the Privacy Policy.