Drafting a privacy policy

Privacy matters to both users and website owners. Website operators should understand visitors' concerns about the protection of their personal data and should commit to protecting that data by applying the standards required by the applicable law. They should respect users' privacy and inform them of the purposes for which personal data is collected, the categories of personal data collected, whether the data is disclosed to third parties, and how it is protected against unauthorized processing.

This publication aims to give detailed guidance on how to draft a comprehensive privacy policy that complies with the current legislation.

The privacy policy usually contains all the information on how personal data is protected. It is also common for the privacy policy to be published as part of the website terms and conditions of use; for the sake of clarity, however, it is advisable to provide the privacy policy as a separate document. The collection, processing and storage of personal data is regulated by the Personal Data Protection Act and by Ordinance No 1 of 30 January 2013 on the minimum level of technical and organizational measures and the permissible types of personal data protection. Under the Personal Data Protection Act, anyone who processes personal data must be registered as a data controller. This registration obligation will be abolished when Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data becomes applicable on 25 May 2018.

Before describing what a comprehensive privacy policy should contain, the terms "personal data" and "processing of personal data" need to be defined. Personal data means any information relating to an individual who is identified or identifiable, directly or indirectly, by reference to an identification number or to one or more specific features such as name, address, telephone number or e-mail address. Processing of personal data means any operation or set of operations performed on personal data, whether by automatic means or otherwise, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, provision, transfer or otherwise making available, updating or combination, blocking, deletion or destruction.

Content of the privacy policy

  • Introduction: In the introduction to the privacy policy, operators are advised to ask users to read the policy carefully and to contact the website operator with any questions. The introduction should also state that a visitor who does not agree with any of the terms of the privacy policy is advised not to use the website and should not provide any personal data. The privacy policy should be accepted before the user provides any personal data.
  • Providing information about the operator: The website operator should provide the following information: the name of the operator; its permanent address or registered office and management address; the address at which the operator carries out its activity, if different from the previous one; contact details, including telephone number and e-mail address; the details of its entry in a commercial or other public register; information on the body supervising its activity, where that activity is subject to a notification, registration or licensing regime; in the case of a regulated profession, the chamber, trade union or organization with which the operator is affiliated or registered, the professional title and the country in which it was granted, together with a reference to the provisions governing the right to practise the trade or profession and instructions on how to access them; and an indication of whether the operator is registered under the Value Added Tax Act.
  • Purpose and scope of the privacy policy: In this part of the privacy policy, the operator should state that it is committed to the protection of personal data. It is also advisable to list what information the privacy policy contains, such as: the purposes of the processing of personal data; the recipients or categories of recipients to whom the data may be disclosed; whether the provision of personal data is mandatory or voluntary and the consequences of a refusal to provide it; and information on the right of access to, and the right to rectify, the collected data.
  • Definitions: The operator shall provide definitions of some of the terms that will be used in the privacy policy.
  • Purpose of personal data processing: It is essential to list the purposes for which personal data is collected and processed. Usually, operators collect and process personal data from website users in order to provide the services offered on the website.
  • Personal data that is collected and processed: The operator should list in the privacy policy which kinds of personal data it collects and processes.
  • Cookies policy: Most websites use cookies. A cookie is a small piece of data that a website sets through the user's browser; the browser stores it on the user's device and sends it back on subsequent requests to that website. Cookies typically hold an identifier that lets the website recognize the user across requests, and the website uses them to collect information on how the site is used and to improve its performance. When cookies are used, the policy should describe in detail the purposes for which data is stored on, or accessed from, the user's device, and should state that the user has the right to accept or disable cookies. In practice the cookies policy is published either in the privacy policy or in the website terms and conditions of use; for the sake of clarity, however, it is advisable to provide the cookies policy as a separate document.
  • Period for storing personal data: The retention period for personal data should also be specified. It is important to note that the website operator is required to destroy the data once the purpose for which it was collected has been accomplished. There are, however, cases in which the law requires personal data to be retained for a specified period even after the processing for the original purpose has been completed.
  • Mandatory or voluntary nature of providing personal data: Information should also be given on whether the provision of personal data is mandatory or voluntary, and on the consequences of a refusal to provide it.
  • Information about personal data processing: In this part of the privacy policy, it is recommended to describe how the personal data is processed and to indicate whether the processing is carried out by the website operator itself or has been assigned to a third party (a processor) acting on behalf of the operator.
  • Protection of personal data: The operator shall indicate that it has undertaken the appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction, or against accidental loss, unauthorized access, alteration or dissemination, as well as against other unlawful forms of processing.
  • Recipients to whom personal data may be disclosed: The operator should state the recipients to whom personal data may be disclosed, such as: the individuals to whom the data relate; persons to whom disclosure is required by a legal act; and persons who process personal data on behalf of the operator.
  • Rights of individuals and procedure for exercising them: It is advisable to describe, in a separate section, the rights of users whose personal data is processed and the procedure for exercising those rights. Among the most important are the right of access and the rights to erase, rectify or block the data. In addition, any user who has provided personal data has the right to object to its processing on legitimate grounds. The user is also entitled to object to the processing of his or her personal data for the purposes of direct marketing, to be informed before the data is disclosed for the first time to third parties, or used on their behalf, for direct marketing purposes, and to be given the opportunity to object to such disclosure or use. The right of access and the rights to erase, rectify or block are exercised by submitting a written request to the website operator. The operator considers the request and takes a decision within 14 days of its submission; a failure to respond is treated as a refusal. The operator must refuse access to personal data when such data does not exist or when its provision is prohibited by law, and must refuse access in full or in part when provision would threaten national defence or national security or the protection of classified information, where a special law so provides.
  • Changes to the privacy policy: It is also worth stating that the operator has the right to modify and update the privacy policy at any time in the future when circumstances require it, and to indicate the date on which the policy was last updated.

Because of the many particulars that must be taken into account when drafting a privacy policy, it is advisable to seek assistance from a specialist with experience in this field. Krasimira Kadieva, an intellectual property specialist in Bulgaria, will gladly assist you in drafting the privacy policy for your website; in her practice she has successfully drafted website terms and conditions of use, privacy policies and cookies policies in Bulgarian and English.

Legal Disclaimer: This material, prepared by Krasimira Kadieva, aims to provide information about privacy policies. It does not constitute a legal opinion and cannot be interpreted as individual advice on any specific facts or circumstances. The advice of a legal specialist should be obtained for specific questions and situations. For more information on the issues discussed above and for individual consultations, please contact Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of this website. Krasimira Kadieva is a Bulgarian and European trademark and design attorney. She can assist in drafting website terms and conditions of use, privacy policies and cookies policies in Bulgarian and English.