How can you know which options to apply to your privacy policy document inside the iubenda generator? We’ve got everything outlined in this guide. Read on to learn more.
In picking the right privacy policy options, first consider the jurisdiction you are based in as well as the jurisdictions where your users are located. You also need to consider whether a representative has to be appointed in a foreign jurisdiction, and what applies if your users’ personal data is transferred to third countries.
iubenda lets you create privacy policy options that cater to the GDPR (including the UK GDPR), the Swiss FADP, Brazil’s LGPD and US law.
It is that simple to modify your privacy policy options and to ensure that your privacy policy reflects your business operations and the privacy of your users.
iubenda has implemented a system that allows you to apply different rights to different user groups, whose personal data you collect and process as “controller” (that is the word that GDPR uses for whoever determines the purposes and means of the processing of personal data).
👋 If you target US based users, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) could apply to you. You can read all about the CCPA and take our free assessment here.
You can choose from “Apply GDPR’s broader protection standards to”:
You can find the switch here:
Once you have decided what rights to offer to whom, you can continue.
If you’re a US-based controller, you may choose to apply basic rights to your users, as required by US legislation. However, if part of your processing activities consists of offering paid or unpaid goods or services to EU-based users, or of monitoring user behavior taking place in the EU, then you’re obliged to apply the broader protection standards in those cases.
The applicability of broader protection standards results in further implications, described below.
If you collect personal data within the EU, you’re free to transfer it to other EU or EEA countries. However, if you plan to transfer it to other countries, such as Switzerland or the U.S., you need to rely on a valid legal basis allowing for such a transfer, and name it in your privacy policy.
Services to consider adding:
With our Register of Data Processing Activities, you can specify for each service provider which is the legal basis for data transfer abroad.
Whenever you work with partners or add services based outside the EU/EEA (e.g. Google Analytics), you are transferring personal data outside of the EU. Services listed in our generator carry an estimate of the service’s home base; verify it against the provider’s own terms, since hosting regions change.
When adding a custom service (i.e. a service written by you), be sure to indicate the legal basis for such a transfer.
If you’re a controller based outside of the EU, you’re transferring personal data outside of the EU each time you collect data of users based within the EU. Please make sure you do so according to one of the legal bases for transfer.
The GDPR provides for a set of valid legal bases to transfer data outside of the EU. The most relevant are:
Whenever the European Commission determines that a specific country guarantees data protection standards comparable to those applicable in the EU, it issues an adequacy decision. If you plan to transfer data into such a country, you may do so; you just need to tell your users via your privacy policy.
Adequacy decisions have been adopted for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan, and more recently for the United Kingdom, the Republic of Korea and, for organizations certified under the EU-US Data Privacy Framework, the United States. Adequacy decisions can be added, limited or invalidated, so check the European Commission’s current list before relying on one.
Service to add in this case: “Data transfer to countries that guarantee European standards“.
If the country you plan to export data to does not guarantee an adequate level of protection, you can make sure that the specific data importer (i.e. the company or individual you’re exporting data to) commits to stricter rules. To this end, you conclude a contract with the data importer that incorporates the standard contractual clauses (SCCs) adopted by the European Commission. In most cases, you’ll use the module for controllers based in the EU exporting data to processors based elsewhere. Note that SCCs alone are not always enough: you must also assess whether the importer’s local law allows the clauses to be honored in practice and, where it does not, adopt supplementary measures (such as encryption with keys held only in the EU).
Here again: if you have such a contract in place, you may transfer personal data – but you have to mention this in your privacy policy.
Service to add in this case: “Data transfer abroad based on standard contractual clauses“.
Otherwise, if none of the above-mentioned options seems viable, you have to collect your users’ explicit consent to transfer their data outside of the EU. This is the most complicated scenario, because you have to make sure that their consent is, among other aspects, “informed”. Do you really know what is going to happen to user data once it is exported outside the EU? Can you tell what kind of security measures are provided by the local legislation or adopted at the data importer’s initiative to protect personal data, and what risks remain?
If you’re able to provide such information, you may ask your users to consent to the transfer of personal data, but if you’re not able to provide it, be careful: any consent collected would not be considered “informed” and would therefore be invalid.
Service to add in this case: “Data transfer abroad based on consent“.
Finally, a lesser-known fact is that the GDPR provides a few other (though less commonly applicable) options for transferring data outside of the EU. If you’re basing your transfer on any such option, you should choose the service “Other legal basis for Data transfer abroad” and specify or add any relevant details by adding a custom clause.
If you’re transferring personal data from Switzerland to another country, you have to do so according to one of the legal bases recognized under Swiss legislation. Among these the most relevant are:
More information about data protection rules on a federal level in Switzerland can be found here.
💡 Read our dedicated guide to know how the iubenda solution can help you to provide transparency about the transfer of personal data from Switzerland to another country.
If you’re transferring personal data from the United Kingdom to another country, you have to do so according to one of the legal bases recognized under the UK GDPR.
A guide to transfers outside of the United Kingdom can be found here.
Our Privacy and Cookie Policy Generator offers additional clauses related to the transfer of data outside of the United Kingdom. These clauses, if selected, will be shown in your privacy policy inside both the simplified and the complete versions, under the section “Transfer of Personal Data outside of the United Kingdom”.
These additional clauses can be of great help, but they contain broad and generic descriptions since we do not know exactly how you transfer data abroad. Therefore, we highly recommend that you check if they apply to your case and, if needed, describe your data transfer activities in more detail by adding custom clauses.
Profiling means any form of automated processing of personal data performed to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
If you profile your users, you have to tell them. Therefore, you must pick the relevant clause from the privacy policy generator.
Services to consider adding:
If you’re selling products and keep a record of users’ choices for marketing purposes, dividing them into meaningful categories such as age, gender or geographical origin, you’re profiling them.
Automated decision making, or ADM, is a process allowing you to make decisions that may produce legal or similarly significant effects on users in a fully automated manner, without human intervention. Such ADM may also be based on profiling (see above).
If you’re implementing any ADM process, you have to tell your users. Therefore, you must pick the relevant clause in the privacy policy generator. Please note that users enjoy a specific right not to be subject to a decision based solely on automated processing, including the right to obtain human intervention and to contest the decision; this is set out in the section regarding automated decision-making of the privacy policy you will generate.
Services to consider adding:
You are a bank. In order to decide whether users are eligible to receive a loan, you have them fill their personal data into a form. Thanks to an algorithm, such data is evaluated in a fully automated manner and the decision is made.
If you’re not collecting personal data directly from the user they refer to, but you’re sourcing them from a third party instead, you must inform the relevant user about such third party in addition to all other information duties. Please pick the relevant clause from the privacy policy generator.
This information must be given to the user within a reasonable period after obtaining the data, and no later than one month after having collected it; in particular, if the data is used to communicate with the user, at the latest at the time of the first communication, and if disclosure to another recipient is envisaged, at the latest when the data is first disclosed.
Services to consider adding:
You are a head hunter. You find an interesting profile on LinkedIn. As soon as you contact the relevant candidate or transfer his/her data to the potential employer, and in any case within one month, you have to give the candidate all mandatory information, including mentioning LinkedIn as source of his/her data.
If you are a controller based outside of the EU, you need to appoint a natural or legal person based in one of the EU countries where the users whose data you process are located as your EU representative. The appointment must be done in writing and the appointed representative must be mentioned in your privacy policy. The GDPR exempts only occasional processing that does not involve large-scale processing of special categories of data or criminal conviction data and is unlikely to result in a risk to the rights and freedoms of users; if in doubt, appoint one.
Therefore, please insert the representative’s details (name and contact details of your representative) in the field where you have your own company information.
If you are a controller based outside of Switzerland and process personal data of Swiss users in connection with offering goods or services to them or monitoring their behavior, and that processing is extensive, regular and involves a high risk to their personality, you need to appoint a person based in Switzerland as a representative.
Please insert the representative’s details (name and address of your representative) in the field where you have your own company information.
If you are a controller based outside of the United Kingdom and offer goods or services to, or monitor the behavior of, users in the UK, you need to appoint a natural or legal person based in the United Kingdom as a representative (with an exemption for occasional, low-risk processing that mirrors the one in the GDPR). The appointment must be done in writing and the appointed representative must be mentioned in your privacy policy as indicated in this guidance note.
Therefore, please insert the representative’s details (name and contact details of your representative) in the field where you have your own company information.
Under certain conditions, you must appoint a natural or legal person as data protection officer (or DPO), and mention it in your privacy policy. This applies under the GDPR and the UK GDPR; under the Swiss FADP the equivalent role is called Data Protection Advisor and its appointment is voluntary for private controllers, but if you appoint one, mention them in your privacy policy as well.
If any of the above-mentioned conditions applies to you, please insert the DPO’s details (contact details of your data protection officer) in the field where you have your own company information.
Please note that the GDPR allows EU Member States to provide for further conditions under which the appointment of a DPO is mandatory. Therefore, please check if you are subject to any national provisions of an EU Member State in addition to the GDPR and if such provisions require you to appoint a DPO.
More information about the data protection officer and other single topics can be found at our GDPR guide.