Privacy Policy for a company


The wording of the Privacy Policy, in any business project or in a startup, is usually a headache for entrepreneurs.

With the e-commerce boom of 2020, the year we are about to close, many projects have been born in an exclusively online environment, and many traditional companies have firmly committed to digitization.

Having a privacy policy that is understandable and meets the requirements of the GDPR is basic to the success of a digital business. It is hard to think of a business project nowadays in which personal data is not requested, especially in the B2C world: a newsletter registration, a contact form or the purchase of products are some examples of very common practices in which personal data is collected and that require careful thought about what your Privacy Policy should look like.

It is obvious that not having a Privacy Policy on your website is grounds for a sanction, as the AEPD has reminded us in a recent resolution in which it imposed a €2000 sanction on a doctor for not having a Privacy Policy.

In this post, I am going to give you 4 simple steps to configure your Privacy Policy. These are things that you should think about yourself as a businessperson or entrepreneur: although a specialist in GDPR or data protection is usually hired (in the best of cases), he or she does not understand your business and consequently does not know what plans you have for the data that you are able to collect. Before the 4 steps, however, I ask you the million-dollar question:

What if I copy any Privacy Policy that seems “serious” to me and put in the name of my company?

The temptation is great but so is the error. No matter how serious the company you want to “get inspired” by may seem to you, I assure you that its use of data has nothing in common with yours, so think twice before resorting to such inspiration.

And now, the 4 steps to have a good Privacy Policy:

STEP 1: Think carefully about what you will want to do with the collected data later on.

It would not be the first time that a “standard” Privacy Policy is used to collect personal data in a purchase process, stating that the data will only be used to manage the order, and some time later (quite logically) you decide that you want to make commercial use of that data.

If you haven’t thought about it beforehand, changing or modifying the purpose of the data processing could be a problem. For this reason, as I said, whenever you set up a data collection form, whatever it is, think about the possible uses you foresee for that data to avoid these types of problems.

STEP 2: Use clear and transparent language.

Recently, the AEPD has once again reminded us that expressions as common as saying we will use the data “to get to know you better” or “to offer products suitable for you” are not considered clear enough. Avoid vague terms and overly legal terminology.

A good Privacy Policy can even be a differentiating factor from your competitors, so give it some thought rather than posting, without questioning them, the texts provided by the lawyer you have entrusted with this matter. He may know the law, but only you know what “tone” you want to give your project, even for something as “boring” as a Privacy Policy.

STEP 3: Make sure the Privacy Policy is expressly accepted.

Do not use pre-marked or unmarked boxes with texts such as “I do not authorize the use of my data” or “I do not want …”. Acceptance of the Privacy Policy must be express; in other words, if the box is not checked, the data is not sent. It’s that simple.

If you also want to do different things with the data, you should consider providing as many boxes as the uses you foresee. I also remind you that you have a legal obligation to prove that the person has given you consent by keeping the necessary evidence.

STEP 4: Implement the information in two layers.

Although it is not common yet, remember that it is mandatory for the data collection form to include the minimum information of the Privacy Policy, giving access to the full text for whoever wants to consult it. This is known as two-layer information. As I said, it is not common to see, and the AEPD has not sanctioned it, although it is mandatory, as I have mentioned.

The creation of a business or startup is usually marked by an effervescence and creativity little given to thinking about legal issues such as the Privacy Policy. Thinking about these 4 points can save you future problems and, in some cases, added and unexpected costs.

If you want us to evaluate your business or project to create the best Privacy Policy for you, contact us!
