Privacy is crucial for both users and website owners. Operators of websites (hereinafter referred to as “controller” or “controllers”) shall understand the privacy concerns of visitors to their websites regarding the protection of personal data and shall be committed to protecting their personal data by applying all standards in accordance with the applicable law. Controllers shall respect the privacy of users and inform them about the purposes of collecting personal data, the categories of personal data that are collected, whether personal data is being disclosed to third parties, and how data is protected against unauthorized processing.
- Provision of information: Furthermore, information that generally identifies the controller should be provided. Such information is: the name of the controller of the website; permanent address or registered office and address of management; the address at which the controller carries out its activity if it is different from the address mentioned in the previous point; correspondence data, including telephone and e-mail address; data for entry in a commercial or other public register; information on the body exercising control over its activities when such activity is subject to a notification, registration or licensing regime.
- Contact details of the Data Protection Officer: Contact details of the Data Protection Officer should be provided where the controller has a Data Protection Officer, and the name of the Data Protection Officer may or may not be indicated.
- Principles relating to the processing of personal data: It is advisable for a controller to indicate which principles it observes when processing personal data, such as lawfulness; good faith and transparency; relevance of treatment to objectives; accuracy and timeliness; minimizing data; storage limitation; accountability; integrity and confidentiality; user consent for data processing.
- Purpose of personal data processing: It is essential to list the purpose for which the personal data has been collected and processed. Usually, controllers collect and process personal data from users of the website in order to provide the offered services. Additional purposes include sending newsletters, offers, and more.
- The legal basis for the processing of personal data: It must be stated on what legal basis personal data is collected and processed: – whether the user has consented to the processing of his or her personal data for one or more specific purposes; – whether processing is necessary for the performance of a contract to which the consumer is a party, or for taking steps at the request of the consumer prior to the conclusion of a contract; – whether the processing is necessary to comply with a legal obligation applying to the controller; – whether processing is necessary to protect the vital interests of the consumer or of another individual; – whether the processing is necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller; – whether the processing is necessary for the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the consumer which require the protection of personal data, in particular when the consumer is a child, take precedence over such interests.
- Personal data provided directly by users, such as the personal data collected when the user contacts the controller via email, telephone, or mail, or when the user subscribes to receive a newsletter, signs up at the website, or makes a purchase through the site.
- Personal data provided by third parties.
- Personal data collected from public registers.
- Period for storing personal data: The period for storing personal data should also be specified and, if that is not possible, the criteria used to determine that period. It should be ensured that the period for which personal data is stored is limited to a strict minimum. It is important to note that the administrator is obliged to destroy the data once the purpose for which it was collected has been accomplished.
- Mandatory and voluntary nature of provision of personal data: Information shall also be provided on the mandatory or voluntary nature of the provision of personal data and the consequences of refusal to provide the data.
- Protection of personal data: The controller shall indicate that it has undertaken the appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction, or against accidental loss, unauthorized access, alteration or dissemination, as well as against other unlawful forms of processing.
- Recipients to whom personal data may be disclosed: The controller shall mention the recipients to whom the personal data may be disclosed, such as: individuals to whom the data relate; individuals, if provided in a legal act; individuals processing personal data. Where applicable, the controller’s intention to transmit the personal data to a third country or to an international organization shall also be indicated.
- Rights of individuals and procedure to exercise the rights: It is advisable to describe in a separate section the rights of the users whose personal data are processed, together with the procedure for exercising those rights. For example, among the most important rights are:
- Right of access for users to data relating to them;
- Right of rectification;
- Right to erasure (right to be forgotten);
- Right to restrict processing;
- Right to data portability;
- Right to be notified of a personal data breach;
- Right to judicial and administrative remedy (right to appeal to a supervisor, right to effective judicial protection against a supervisor, right to effective judicial protection against an administrator or processor of personal data);
- Right to compensation for suffered damages;
- Right to withdraw consent at any time, without prejudice to the lawfulness of processing on the basis of consent given before it is withdrawn.
In addition to these rights, the user is entitled, at any time and on grounds relating to his particular situation, to object to the processing of personal data relating to him where the processing is necessary for the performance of a task of public interest or in the exercise of official authority conferred on the controller, or where the processing is necessary for the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights of users which require the protection of personal data, in particular when the consumer is a child.
When personal data is processed for direct marketing purposes, the user is entitled at any time to object to the processing of personal data relating to him for this type of marketing, including profiling insofar as it relates to direct marketing. At the latest at the time of first contact with the consumer, the consumer shall be expressly informed of the existence of the right of objection described above, which shall be communicated clearly and separately from any other information.
- Procedure for exercising the rights: The right of access and the rights to delete, correct or limit the processing are exercised by submitting a written request to the controller. The controller shall provide the user with information on the action taken on the request without undue delay and in any event within one month of receipt of the request. If necessary, this period may be extended by a further two months, taking into account the complexity and the number of requests. The controller shall inform the user of any such extension within one month of receipt of the request, indicating the reasons for the delay. Where a user submits a request by electronic means, the information shall be provided, if possible, by electronic means, unless the user has requested otherwise. If the controller does not act upon the user’s request, the administrator shall notify the user without delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility of filing a complaint with a supervisory authority and seeking legal protection.
- Information about profiling and the consequences of this profiling: It should be specified whether profiling is being done and the consequences of profiling.