Drafting a privacy policy

Privacy matters to both users and website owners. Operators of websites (hereinafter “controllers”) should understand the concerns of visitors to their websites about the protection of their personal data and should commit to protecting that data by applying the standards required by the applicable law. Controllers should respect the privacy of users and inform them of the purposes for which personal data is collected, the categories of personal data collected, whether personal data is disclosed to third parties, and how the data is protected against unauthorized processing.

This publication provides detailed guidance on how to draft a privacy policy that complies with the requirements of Article 13 of Regulation (EU) 2016/679 (GDPR). The guidelines in this article follow the requirements of the new EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR), which applies from 25 May 2018.

In practice, the personal data protection policy (the so-called “privacy policy”) is the document that most commonly contains all of the information about the protection of personal data.

Before describing what a comprehensive privacy policy should contain, the terms “personal data” and “processing of personal data” need to be defined. Personal data means any information relating to an identified or identifiable individual (the “data subject”, referred to in this publication as “the user”); an individual is identifiable if he or she can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier (for example an IP address or a cookie identifier) or one or more factors specific to that individual (address, telephone number, e-mail, etc.). Processing of personal data means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Content of the privacy policy

  • Introduction: As an introduction to the privacy policy, controllers are recommended to advise users to read the privacy policy carefully and to contact the controller of the website if they have questions. The introduction should also state that a visitor who does not agree with any of the terms of the privacy policy should not use the website and should not provide any personal data.
  • Information identifying the controller: Information that identifies the controller should be provided, such as: the name of the controller of the website; its permanent address or registered office and address of management; the address at which the controller carries out its activity, if different from the previous one; contact details, including telephone number and e-mail address; details of its entry in a commercial or other public register; and information on the body supervising its activity, where that activity is subject to a notification, registration or licensing regime.
  • Contact details of the Data Protection Officer: Where the controller has appointed a Data Protection Officer, the contact details of the Data Protection Officer should be provided; the name of the Data Protection Officer may, but need not, be indicated.
  • Purpose and scope of the privacy policy: In this part of the privacy policy, the controller should state that it is committed to the protection of personal data. It is also advisable to list what information the privacy policy contains, such as: the purposes of the processing of personal data; the recipients or categories of recipients to whom the data may be disclosed; whether the provision of personal data is mandatory or voluntary and the consequences of refusing to provide it; and information on the right of access to, and the right to rectify, the collected data.
  • Definitions: Some of the terms used in the privacy policy need to be defined, such as personal data, processing of personal data, restriction of processing, profiling, pseudonymization, controller, processor, recipient of personal data, third party, consent of the data subject and personal data breach.
  • Principles relating to the processing of personal data: It is advisable for the controller to state which principles it observes when processing personal data. Under Article 5 of the GDPR these are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Consent of the user is not a principle but one of the legal bases for processing, and belongs in the section on the legal basis below.
  • Purposes of personal data processing: It is essential to list the purposes for which personal data is collected and processed. Usually controllers collect and process personal data of website users in order to provide the offered services. Additional purposes include sending newsletters, offers and the like; each purpose should be stated separately, because a legal basis must exist for each of them.
  • Legal basis for the processing of personal data: The privacy policy must state the legal basis on which personal data is collected and processed, i.e. whether: – the user has given consent to the processing of his or her personal data for one or more specific purposes; – the processing is necessary for the performance of a contract to which the user is a party, or in order to take steps at the request of the user prior to entering into a contract; – the processing is necessary for compliance with a legal obligation to which the controller is subject; – the processing is necessary to protect the vital interests of the user or of another individual; – the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; – the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the user which require the protection of personal data, in particular where the user is a child. Where the controller relies on legitimate interests, the policy should also state what those interests are.
  • Personal data that is collected and processed: The privacy policy shall indicate whether special categories of personal data (so-called sensitive personal data) are collected and processed and whether children’s personal data is processed, and shall describe all personal data that the controller collects and processes, including:
  1. Personal data provided directly by users, e.g. the personal data collected when the user contacts the controller by e-mail, telephone or post, subscribes to a newsletter, registers on the website or makes a purchase through the site.
  2. Personal data provided by third parties.
  3. Personal data collected from public registers.
  • Cookies policy: Most websites use cookies. Cookies are small text files that a website sends to the user’s computer or device and that the user’s browser stores; on later visits the browser sends them back, which lets the site recognize the user and record how the site is used, for example to keep the user logged in or to improve the performance of the website. When cookies are used, detailed information must be provided about the purposes for which data is stored on or accessed from the user’s device, and the controller shall also state that the user has the right to accept or refuse cookies; for cookies that are not strictly necessary for providing a service requested by the user, the user’s consent is required before they are set. In practice the cookies policy is published within the privacy policy or within the website terms and conditions of use. For the sake of clarity, however, it is recommended to describe it in a separate document; this topic will therefore be discussed in detail in the next publication, which will be dedicated to instructions on using cookies.
  • Period for storing personal data: The period for which personal data will be stored should also be specified or, if that is not possible, the criteria used to determine that period. The storage period should be limited to the strict minimum. Note that the controller is obliged to erase the data once the purpose for which it was collected has been fulfilled, unless a legal obligation (for example accounting or tax legislation) requires it to be retained for a longer period, in which case that period and its basis should be stated.
  • Mandatory or voluntary provision of personal data: Information shall also be provided on whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, whether the user is obliged to provide the data, and the consequences of failing to provide it.
  • Information about personal data processing: In this part of the privacy policy, it is recommended to describe how the personal data is processed and to indicate whether the personal data is processed by the controller of the website itself or whether the processing is assigned to a third party (a processor) acting on behalf of the controller.
  • Protection of personal data: The controller shall state that it has implemented appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, unauthorized access, alteration or disclosure, and against other unlawful forms of processing. Examples of such measures, as listed in Article 32 of the GDPR, are pseudonymization and encryption of personal data, measures ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability of and access to personal data after an incident, and regular testing of the effectiveness of the measures.
  • Recipients to whom personal data may be disclosed: The controller shall list the recipients or categories of recipients to whom personal data may be disclosed, such as: the users to whom the data relate; public authorities or other persons where disclosure is required by law; and processors that process personal data on behalf of the controller. Where applicable, the controller’s intention to transfer personal data to a third country or to an international organization shall also be indicated, together with the existence or absence of a European Commission adequacy decision or a reference to the appropriate safeguards relied on and the means by which the user can obtain a copy of them.
  • Rights of individuals and procedure for exercising them: It is advisable to describe in a separate section the rights of the users whose personal data is processed and the procedure for exercising those rights. Among the most important rights are:
  1. Right of access to the data relating to them;
  2. Right to rectification;
  3. Right to erasure (right to be forgotten);
  4. Right to restriction of processing;
  5. Right to data portability;
  6. Right to be informed of a personal data breach that is likely to result in a high risk to the user’s rights and freedoms;
  7. Right to judicial and administrative remedies (right to lodge a complaint with a supervisory authority, right to an effective judicial remedy against a supervisory authority, right to an effective judicial remedy against a controller or processor);
  8. Right to compensation for damage suffered;
  9. Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

In addition to these rights, the user is entitled to object at any time, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or where the processing is based on the legitimate interests of the controller or of a third party. After such an objection the controller may no longer process the data unless it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the user (particular weight being given to the interests of children), or grounds for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, the user is entitled to object at any time to the processing of personal data relating to him or her for such marketing, including profiling to the extent that it is related to direct marketing; after an objection the data may no longer be processed for that purpose. At the latest at the time of the first communication with the user, the user shall be explicitly informed of the right to object described above, and this information shall be presented clearly and separately from any other information.

  • Procedure for exercising the rights: The rights of access, erasure, rectification and restriction of processing are exercised by submitting a written request to the controller. Where the controller has reasonable doubts about the identity of the person making the request, it may ask for additional information needed to confirm that identity before acting on the request, so that personal data is not disclosed to an impostor. The controller shall inform the user of the action taken on the request without undue delay and in any event within one month of receipt of the request. Where necessary, this period may be extended by a further two months, taking into account the complexity and number of the requests; the controller shall inform the user of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the user submits the request by electronic means, the information shall be provided by electronic means where possible, unless the user requests otherwise. If the controller does not take action on the user’s request, it shall inform the user without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Information provided under these rights is free of charge, unless the requests are manifestly unfounded or excessive, in particular because of their repetitive character.
  • Information about automated decision-making and profiling: It should be stated whether automated decision-making, including profiling, takes place and, if so, meaningful information should be given about the logic involved and about the significance and envisaged consequences of such processing for the user.
  • Changes to the privacy policy: It is also worth stating that the controller may modify and update the privacy policy whenever circumstances require, indicating the date of the latest version. Where the controller intends to further process personal data for a purpose other than the one for which it was collected, it must inform the user about that new purpose before the further processing begins.

Lastly, we recommend using clear and plain language when drafting a GDPR privacy policy. Because of the many requirements that must be taken into account, it is advisable to seek assistance from a specialist with experience in this field. Krasimira Kadieva will gladly assist you in drafting the privacy policy for your website: in her practice she has repeatedly drafted documents for doing business on the Internet (website terms and conditions of use, personal data protection policies, cookies policies) in both Bulgarian and English. In connection with the newly adopted Regulation (EU) 2016/679, Krasimira Kadieva also assists her clients in updating their existing data protection policies in line with the GDPR requirements.

Legal Disclaimer: This material, prepared by Krasimira Kadieva, aims to provide information about privacy policies. It does not constitute a legal opinion and cannot be interpreted as individual advice on any concrete facts or circumstances. The advice of a legal specialist should be obtained for specific questions and situations. For more information on the issues mentioned above and for individual consultations, please contact Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of this website. Krasimira Kadieva is a Bulgarian and European trademark and design attorney. She can assist in drafting website terms and conditions of use, privacy policies and cookies policies in Bulgarian and English.