Privacy is crucial for both users and website owners. Operators of websites shall understand the privacy concerns of visitors to their websites regarding the protection of personal data and shall be committed to protecting their personal data by applying all standards in accordance with the applicable law. Owners of websites shall respect the privacy of users and inform them about the purposes of collecting of personal data, categories of personal data that are collected, whether personal data is being disclosed to third parties, and how data is protected against unauthorized processing.
- Providing of information: The operator of the website shall provide information about the name of the operator of the website; permanent address or registered office and address of management; the address in which the operator carries out its activity if it is different from the address mentioned in the previous point; correspondence data, including telephone and e-mail address; data for entry in a commercial or other public register; information on the body exercising control over its activities when such activity is subject to a notification, registration or licensing regime; in the case of a regulated profession, information about the Chamber, the trade union or organization to which the operator is affiliated or registered, the professional title and the country in which it is provided, as well as a reference to the applicable provisions on the right to exercise the trade or the profession and instructions for access to them; an indication if the operator is registered under the Value Added Tax Act.
- Purpose of personal data processing: It is essential to list the purpose for which the personal data has been collected and processed. Usually, the operators collect and process personal data from users of the website for providing of the offered services.
- Period for storing of personal data: The period for storing of personal data should also be specified. It is important to note that the site operator is required to destroy the data once the purpose for which it has been collected has been accomplished. However, there are cases where personal data should be kept for a specified period of time and after the processing has been completed.
- Mandatory and voluntary nature of provision of personal data: Information shall be also provided on the mandatory or voluntary nature of provision of personal data and the consequences of refusal to provide the data.
- Protection of personal data: The operator shall indicate that it has undertaken the appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction, or against accidental loss, unauthorized access, alteration or dissemination, as well as against other unlawful forms of processing.
- Recipients to whom personal data may be disclosed: The operator shall mention the recipients to whom the personal data may be disclosed, such as: individuals to whom the data relate; individuals, if provided in a legal act; individuals, processing personal data.
- Rights of individuals and procedure to exercise the rights: It is advisable in a separate section to be described what are the rights of the users whose personal data has been processed and the procedure to exercise the rights. For example, among the most important rights are the right of access, the right to erase, rectify or block. Along with these rights, any user who has provided his/her personal data has the right to object against the processing of his/her personal data on the basis of legitimate grounds. The user is also entitled to object against the processing of his or her personal data for the purposes of direct marketing and to be informed before his or her personal data are disclosed for the first time to third parties or used on their behalf for the purposes of the direct marketing, and to be given the opportunity to object to such disclosure or use. The procedure to exercise the right of access and the right to erase, rectify or block is by submitting a written request to the operator of the web site. The web site operator considers the request and takes a decision within 14 days from its submission. Lack of response is considered a denial. The operator shall deny access to personal data when such data do not exist or their provision is prohibited by law or denies full or partial access when such provision would threaten the defense or national security, or the protection of classified information and this is stipulated in a special law.