Privacy Policy: What Is It and How to Comply with GDPR?


The Privacy Policy is an essential document for all businesses in the EU. In this article we will look into what it is and who needs it. We will also examine the fundamental requirements of the GDPR and how to comply.

Why do you need a Privacy Policy?

The right to privacy was established as early as 1950 as part of the European Convention on Human Rights. Later, with the invention of the Internet, the need for new legislation protecting personal data increased.

In 1995 the European Union adopted the Data Protection Directive with the goal to establish minimum standards for data protection and security. The new directive was to serve as the basis for new laws that each Member State had to adopt. However, this did not lead to harmonized rules all over the EU.

Thus, in 2016 the European Union passed the General Data Protection Regulation (GDPR).

GDPR

GDPR is a complex and far-reaching regulation which serves as the basis for Privacy Policy requirements among others.

It is important to note that the European GDPR applies to all companies that:

  • offer goods and services to EU citizens;
  • monitor the behavior of people in the EU (so-called profiling).

This is the case even if the businesses in question are not based or located in the EU. Therefore, even a US-based website needs to comply with GDPR if it sells to EU customers and collects their data.

For a thorough audit of the internal compliance of your business to GDPR and national legislation, contact our legal experts.

What is a Privacy Policy?

A Privacy Policy is a publicly displayed legal agreement that discloses how a website or a mobile app handles personal data.

The Privacy Policy must contain information about:

  • What personal data is collected
  • Why this information is collected
  • How it will be used
  • How the data is protected
  • Whether the company transfers or shares data with other parties
  • How users can control this

The Privacy Policy must be written in a clear and easy to understand way. It should also be readily available, easily accessible and offered free of charge.

A Privacy Policy also proves that the business is compliant with legal requirements.

Who needs a Privacy Policy?

All websites and mobile device apps that collect any personal information need to create their own Privacy Policy and comply with:

  • Privacy laws, such as GDPR, PIPEDA in Canada, COPPA in the USA or DPA in the UK;
  • The requirements of third party service providers, such as Google Analytics or app stores.

Often analytics, remarketing and tracking services require their partners to have a Privacy Policy. Website owners and app developers should check third-party Terms and Conditions in advance to make sure they comply.

Note that although GDPR is a European law, it extends to companies outside the EU. The law poses requirements to businesses that offer goods and services to or profile EU citizens.

Companies that do not collect personal information do not need a Privacy Policy but users often see it as a sign that the business enterprise is trustworthy.

Privacy Policy around the world

There is no federal law that requires businesses to have a Privacy Policy in the United States. However, there are separate laws with specific requirements regarding data protection. Different state or federal agencies are responsible for consumer privacy and data protection. Examples of such agencies are the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC).

An important US law is the Children’s Online Privacy Protection Act. COPPA sets rules for websites and online services for children under the age of 13.

California State has its own Privacy Protection Law. It applies to commercial websites that collect information about California residents.

Privacy and data protection laws have been adopted all over the world, such as:

  • Privacy Act in Australia (1988)
  • Data Protection Act in the UK (1988)
  • Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada (2000)
  • GDPR in EU (2018)

GDPR applies to businesses both within and outside of Europe that collect and process personal data of EU citizens, so it practically applies anywhere. 

The text of GDPR itself consists of numerous legal requirements with very few specifics. Small and medium-sized companies may find it hard to comply with it, and fines are harsh and costly (some reach up to tens of millions of euros).

Let’s dive into the basic principles of GDPR, specific requirements and compliance issues.

Do you need legal advice and assistance? Contact our experienced lawyers.


GDPR

Firstly, here are GDPR’s fundamental principles.

7 principles of GDPR

  1. Lawfulness, transparency of processing and fairness
    Users must be informed about how their personal data is used, and data processing must comply with the legal requirements.
  2. Data minimization
    Businesses must collect and process only as much data as absolutely necessary for the legally allowed and disclosed purposes.
  3. Purpose limitation
    Personal data must be used only for legitimate purposes and these must be explicitly specified.
  4. Storage limitation
    Personal information must be stored only for as long as it is strictly necessary for the specified purpose.
  5. Integrity and security
    The processing of the personal information must guarantee confidentiality (e.g. through the use of encryption).
  6. Accuracy
    The information must be accurate and up to date.
  7. Accountability
    The business collecting and processing personal data must prove GDPR compliance.

How to demonstrate you are GDPR compliant

The accountability principle of GDPR imposes the following requirements:

  1. Maintain detailed documentation on:
    • personal data that is collected
    • how it is used or processed
    • where it is stored
    • who is responsible for data in the company
  2. Designate staff that will be responsible for data protection
  3. Train your staff
  4. Make data protection agreements with 3rd parties that process the data for your business

Certain institutions need to appoint a Data Protection Officer. This is the case for:

  • Public Authorities
  • Large-scale enterprises collecting personal data, if regular monitoring is involved
  • Large-scale enterprises if data collection and processing is their core activity.

For advice and assistance in establishing the legally required data protection procedures, contact our lawyers.

What is considered personal data?

GDPR considers personal data any information that can help to identify an individual, directly or indirectly, such as:

  • contact information including email address, mailing address, phone number, etc.
  • location information
  • gender
  • ethnicity
  • religious beliefs
  • political opinions
  • biometric data
  • web cookies.

Websites often create a separate Cookies Policy, especially if they use sophisticated cookies for targeting ads or 3rd party services. The Cookie Policy can also be part of the Privacy Policy.

Read more about who needs a Cookie policy and how to be compliant.

Note that an IP address is not personal information in itself. However, it can become personal data when combined with other information to build a profile for a given user.

The person whose data is processed, e.g. site visitor or customer, is called a Data subject.

What is considered data processing?

Any action performed on data is considered data processing, whether this is done automatically or manually. This includes data collecting, recording, organizing, storing, using, sharing, erasing, etc.

Who is the person responsible for data?

The Data controller is the person who decides why and how personal information is processed. This may be the business owner or an employee in the organization who handles the data.

The Data processor is the third party that processes the data on behalf of the data controller. Special GDPR rules apply to data processors such as cloud hosting or email service providers.

Large-scale organizations need to appoint a Data Protection Officer.

Businesses have to comply with both the GDPR and Bulgarian legislation if:

  • they are selling goods or services to Bulgarian citizens;
  • they are processing the personal data of Bulgarian citizens. 

Large-scale enterprises need a local representative with good knowledge of both national and EU laws. For further information and assistance, do not hesitate to contact us.

Who is allowed to process data?

To protect personal data, GDPR imposes strict requirements on data processors. They are legally allowed to process data only in the following cases:

  • The personal data is necessary to enter into a contract (e.g. for a background check when a property deal is being made)
  • The personal data is needed to comply with legal obligations (e.g. due to a court order)
  • The personal data is necessary for a task in the public interest
  • The personal data is necessary to save somebody’s life
  • The data subject has given their explicit and unambiguous consent
  • There is a legitimate interest to process the data

The last rule is the most flexible one. GDPR requires that businesses document the lawful basis for the data processing. They also have to notify the data subject under the rule for transparency. This is done in a number of required documents, like the Privacy Policy.

Consent

Establishing the legitimate basis for processing data is the first step for businesses. The next important stage is getting the consent of the user or consumer. The law sets the following requirements in regards to consent:

  • It must be given freely, in an informed and explicit manner
  • The request for consent must be clearly presented to the user; it must use plain language
  • The data subject must be able to withdraw their consent at any given time
  • Children under 13 need their parents’ permission to give consent
  • All relevant documentation must be kept to prove consent has been given.

GDPR and Privacy Policy

Essentially, to comply with GDPR, an enterprise needs to create a Privacy Policy that states clearly:

  • What personal data is collected by the data collector
  • The purpose of the data collection (for example improvement of the offered product or service)
  • The way data is processed
  • The way personal information is protected
  • What rights data subjects have

Do you need legal advice and assistance? Contact our experienced lawyers.


Where should you place your Privacy Policy?

Data protection laws impose strict requirements stating that the Privacy Policy must be easily accessible for users whose data is collected. Therefore, websites and mobile apps must display it in a prominent place and on all pages collecting personal information.

Website

The Privacy Policy must be accessible in the:

  • footer: this section is visible on all web pages which guarantees easy access;
  • sign-up or registration form: these collect account information like email addresses, usernames, etc.;
  • checkout or payment submission section: this collects important data such as names, contact details, mailing address, payment information;
  • email collection form: if visitors are prompted to sign up for a newsletter and email addresses are collected.

Mobile app

Mobile app developers should include the Privacy Policy in the:

  • app menu: within the About or Settings section, etc.;
  • app listing in the App store: most app stores require this to make sure they are compliant;
  • sign-up or log-in screen: as this collects personal data;
  • checkout or payment screen: as this collects sensitive payment information, mailing address, etc.

Wherever the Privacy Policy is placed, it is vital that users are prompted to agree with it. This should be done in a clear manner.

Websites usually add a box users can check or an Agree button they can click. Naturally, it should be clear for the users that they are agreeing to the Privacy Policy.

Content of the Privacy Policy

The specific content of a Privacy Policy depends on the business and the type and amount of data that is collected. Whether data is transferred to third parties is also important.

Although there are templates online, these must be used with caution and always checked by a legal expert.

To comply with GDPR, most Privacy Policies include the following sections:

  1. What data is collected
  2. How is this data collected and used
  3. Data storage
  4. Data security
  5. Third-party services (including marketing)
  6. Tracking and cookies
  7. Modifying or deleting personal data
  8. Changes to the Privacy Policy (it is acceptable to mention that the PP is changed “from time to time”)
  9. How to contact us
  10. How to contact the relevant authorities

Keep in mind that companies often face technical issues when implementing their privacy policies. Therefore it is essential to invest in the necessary technical measures to protect customers' data.

A qualified legal expert with knowledge of the applicable laws and data security practices can assist in drafting your Privacy Policy. If you need help, do not hesitate to contact our lawyers.

Compliance issues

Google and Facebook, among others, know that non-compliance with GDPR is a costly mistake. Google has been fined €50 million in France, about €6 million in Sweden and €600,000 in Belgium. In 2019 German authorities fined Facebook €2 million for failing to comply with the transparency rule under GDPR.

As the GDPR covers all types of businesses, the applicable fines are flexible and scale with the company.

Fines

GDPR sets two tiers of fines:

  1. Up to €10 million or 2% of the company’s annual revenue (worldwide), whichever is higher
  2. Up to €20 million or 4% of the company’s annual revenue (worldwide), whichever is higher

The higher fines are levied in cases of:

  • infringement of the basic principles of GDPR (fairness, transparency, etc.);
  • failure to comply with the rules regarding the right to be forgotten;
  • failure to comply with the rules regarding transferring data to third parties.

The fine amount depends also on various aspects, such as:

  • The gravity and nature of the infringement
  • Intent - whether the infringement was intentional or caused by negligence
  • Mitigation - whether the company tried to mitigate the damages suffered by the person whose personal data was affected by the infringement
  • Precautions taken by the company to comply with GDPR

Responsibility for 3rd party infringements

Under GDPR, the data controller (business owner) must make sure that its partners or subcontractors comply with data protection laws. Thus, the transfer of personally identifiable information to third parties makes both the data controller and the data processor liable.

This means that if the external organization is not in compliance, your organization is not in compliance.

The law also imposes strict requirements for reporting breaches and personal data theft. All staff members in the chain are required to comply with these rules.

GDPR also requires organizations to inform their customers and users of their rights. In addition, they have to provide contact details of the appropriate authorities in case an issue needs to be reported.

Businesses that need assistance in establishing the necessary procedures, training and drafting all relevant documentation, may contact our legal experts.

Data Protection Authorities

The EU has appointed an independent body to ensure data protection rules are applied consistently in all Member States. This is the European Data Protection Board (EDPB).

The EDPB is responsible for:

  • Issuing guidelines on interpreting the basic concepts of GDPR
  • Making binding decisions on cross-border processing disputes

In addition, all EU countries have created national bodies in charge of protecting personal data. Contact details for these authorities are publicly available.

National authorities

All Member States have national authorities enforcing the GDPR. Individuals may contact them also for issues related to the Data Protection Law Enforcement Directive (regulating criminal offenses).

EU

The European Data Protection Supervisor, Mr Wojciech Wiewiórowski, is based in Brussels. 

Ireland

The Irish Data Protection Commission is based in Dublin and headed by Ms Helen Dixon.

Bulgaria

The relevant authority in Bulgaria is the Commission for Personal Data Protection, based in Sofia.

Contact information for EU national authorities is available on the EDPB Member States page of the official EU website.

The UK is still obliged to comply with the GDPR even after Brexit. For more information, see the Information Commissioner's Office website.

GDPR in Bulgaria

The Bulgarian Commission for Personal Data Protection is the authority responsible for GDPR application.

Data protection in Bulgaria is regulated by both EU and Bulgarian legislation.

EU data protection legal framework:

  • GDPR
  • Directive on Data Protection in Police and Criminal Justice Activities (Directive (EU) 2016/680)

The applicable national legal framework includes:

  • Constitution of the Republic of Bulgaria
  • Personal Data Protection Act
  • Electronic Communications Act
  • Other Rules and Ordinances

International laws also apply, such as:

  • The Universal Declaration of Human Rights
  • Charter of Fundamental Rights of the European Union

Legal counselling for GDPR compliance in Bulgaria

No registration for data controllers

Businesses should know that GDPR requires no registration. The moment they start processing personal data, they are considered a data controller. They are then subject to regulation and sanctions according to the Bulgarian and EU laws, regulations and legal processes.

Representation

As of July 2020, US companies that operate in the EU are not allowed to transfer data to the US freely. Until then, data transfers took place under the Privacy Shield Framework, which is now seen as too weak. Therefore, US companies need to:

  • adopt data protection rules that comply with GDPR,
  • draft all necessary documentation, and
  • appoint a Data Protection Officer (DPO).

DPO

Large-scale data controllers and processors are required to have their representatives in Bulgaria or the EU.

A Bulgarian lawyer can be appointed DPO in this case. They can serve as a contact point and representative for the company if any data protection issues arise.

This designation as DPO must be done explicitly and in writing by the data controller. The most suitable form is a service agreement. It should be made with a qualified legal expert with comprehensive knowledge of both GDPR and Bulgarian data protection legislation.

EU authorities will be able to contact this person directly regarding all data protection issues. Therefore, the contact details of the DPO must be publicly announced and provided to the relevant regulatory bodies.

Legal services

The legal experts at Danailova, Todorov and partners can assist with:

  • Legal counseling for compliance, according to the needs of the specific company and the type of data collected
  • Legal advice on the processing and storing of personal information
  • Assigning employees in charge of data protection under GDPR
  • A thorough audit of internal compliance
  • Drafting all compliance documentation on data processing activities in Bulgaria and the EU, including Privacy Policy, Cookies Policy, etc.
  • Drafting internal rules, policies and instructions for data protection
  • Drafting a Declaration of Consent compliant with GDPR
  • Representation with data protection authorities in Bulgaria
  • Representation in court for appeals against a decision made by relevant authorities


Creating a Privacy Policy is an important step in protecting your business and making it trustworthy for your clients.


If you need to consult a good lawyer, contact us. We will be happy to assist you on these and all other legal matters.

“Danailova, Todorov and Partners” Law Firm provides top-quality legal services on all aspects of contractual law and trade law. Our experts also specialize in employment law, tax law and administrative law.


ADDRESS

g.k. Gotse Delchev, ul. "Slavovitsa" , block 24Е, office 2, 1404 Sofia, Bulgaria

Western Industrial Zone, 2 Neptun Str.,
9000 Varna, Bulgaria
