Picking the right privacy policy options

iubenda has implemented a system that allows you to apply different rights to different user groups, whose personal data you collect and process as “controller” (that is the word that GDPR uses for whoever determines the purposes and means of the processing of personal data).

In particular:

  • you can decide to apply broader protection standards to all your users. In this case, you will generate a privacy policy that applies in all its parts to all your users and follows the GDPR.
  • you can decide to apply a basic set of rights to all users, and broader protection standards only to some of them. In this case, such broader protection standards will always apply whenever the processing of personal data is subject to the GDPR. In all other cases, a basic set of rights shall apply.

How do I make the right choice?

You can choose from “Apply GDPR’s broader protection standards to”

  • EU only
  • All users

You can find the switch here:

  • log into your privacy policy admin area
  • open your privacy policy for editing: go to the Dashboard, click on your policy, then click “edit” in the privacy policy section
  • there’s a box housing the switch to enable the GDPR text, called “GDPR and EU standards”
  • under the heading “Apply GDPR’s broader protection standards to”, choose from “Apply to all users” (default option) or “Apply to EU users only”
  • this allows you to consider your specific case, take into account where your users/clients are based and choose accordingly.

Once you have decided what rights to offer to whom, you can continue.

I’m a controller based within the EU

Then you must apply the broader protection standards to all your users, because all data processing activities you perform are subject to the GDPR – this even extends to your users that are not based within the EU.

I’m a controller based outside of the EU

Then in principle you may choose to apply broader protection standards to all your users, or to grant them only in cases where the processing of personal data is subject to the GDPR. Please note that you must apply broader protection standards whenever the processing

  • concerns the Personal Data of users who are in the EU and is related to the offering of paid or unpaid goods or services, to such Users;
  • concerns the Personal Data of users who are in the EU and allows the Owner to monitor such users’ behavior taking place in the EU.

Let’s look at a practical example:

If you’re a US-based controller, you may choose to apply basic rights to your users, as required by US legislation. However, if part of your processing activities consists in the offering of paid or unpaid goods or services to EU-based users, or in monitoring user behavior taking place in the EU, then you’re obliged to apply broader protection standards in those cases.

Further implications of broader protection standards

The applicability of broader protection standards results in further implications, described as follows.

Transfer of data outside of the EU

If you collect Personal Data within the EU, you’re free to transfer them to other EU or EEA countries. However, if you plan to transfer them to other countries, such as Switzerland or the U.S., you need to name a valid legal basis allowing for such transfer.

Services to consider adding:

  • Data transfers from the EU to the U.S based on Privacy Shield
  • Data Transfers to countries that guarantee European standards
  • Data Transfer abroad based on standard contractual clauses
  • Data Transfer abroad based on consent
  • Other legal basis for Data transfer abroad

Some examples of data transfer:

  • Whenever you work with partners or add services based outside the EU/EEA (such as Google Analytics), you are transferring personal data outside of the EU. Services listed in our generator carry an estimate of the service’s home base and, if known to iubenda, information about Privacy Shield self-certification. The Google Analytics case would then warrant the addition of the following service: “Data transfers from the EU and/or Switzerland to the U.S based on Privacy Shield”;
  • When adding a custom service that we don’t have inside the generator, for example a service in the US without Privacy Shield self-certification, indicate what the legal basis is for such a transfer;
  • If you’re a controller based outside of the EU, you’re transferring personal data outside of the EU each time you collect data of users based within the EU. Please make sure you do so according to one of the legal bases for transfer.

Legal bases for transfer

The GDPR provides for a set of valid legal bases to transfer data outside of the EU. The most relevant are:

Whenever the European Commission thinks that a specific country in the world guarantees data protection standards comparable to those applicable in the EU, it issues an adequacy decision. If you plan to transfer data into such a country, you may do so – you just need to tell your Users via your privacy policy.
Adequacy decisions have so far been adopted for Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay.

–> service to add in this case: “Data Transfers to countries that guarantee European standards”

Privacy Shield goes back to an EU-US treaty and represents a framework in which US entities planning to receive personal data imported from the EU can participate if they commit to stricter data protection standards. The rules established by Privacy Shield have been considered “adequate” by the European Commission. Therefore, if a data importer based in the US is an active member of the Privacy Shield, you may transfer data to them – you just need to tell your Users via your privacy policy. Find out whether a data importer is listed in the Privacy Shield framework here. In theory you should also be able to find information about Privacy Shield in that service’s privacy policy, as this is one of the requirements.

Please find out about the updated list of adequacy decisions on the European Commission’s website.

–> service to add in this case: “Data transfers from the EU and/or Switzerland to the U.S based on Privacy Shield”

If the country you plan to export data to does not seem to guarantee an adequate level of protection, you can make sure that the specific data importer (i.e. the company or individual you’re exporting data to) complies with stricter rules. To this end, you will conclude a contract with the data importer that includes the standard contractual clauses drafted by the European Commission. In most cases, you’ll use the standard contractual clauses for Controllers based in the EU exporting data to Processors based elsewhere.

Here again: if you have such a contract in place, you may transfer personal data – but you have to mention this in your privacy policy.

–> service to add in this case: “Data Transfer abroad based on standard contractual clauses”

Finally, if none of the above-mentioned options seems viable, you have to collect your Users’ consent to transfer their data outside of the EU. This is the most complicated scenario, because you have to make sure that their consent is – among other aspects – “informed”. Do you really know what is going to happen to User data once they are exported outside the EU? Can you tell what kind of security measures are provided by the local legislation or adopted at the data importer’s initiative to ensure protection of personal data?

If you’re able to provide such information, you may ask your Users to consent to the transfer of personal data, but if you’re not able to provide it, be careful: any consent collected would not be considered “informed” and therefore void.

–> service to add in this case: “Data Transfer abroad based on consent”

Finally, if you are a real privacy-freak, you’ll know that the GDPR mentions a couple of other – by far less relevant – options to transfer data outside of the EU. In case you’re basing your transfer on any such option, you should choose the service

–> “Other legal basis for Data transfer abroad”

and specify accordingly.

What about transfers from Switzerland?

If you’re transferring personal data from Switzerland to another country, you have to do so according to one of the legal bases recognized under Swiss legislation, including the US-CH Privacy Shield.

Information about data protection rules on a federal level in Switzerland can be found here.

Profiling

Profiling means any form of automated processing of personal data performed to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

If you profile your users, you have to tell them. Therefore, you must pick the relevant clause from the privacy policy generator.

Services to consider adding:

  • Analysis and predictions based on the User’s Data (“profiling”)

Practical example:

If you’re selling products and keep a record of users’ choices for marketing purposes, dividing them into meaningful categories, such as by age, gender, geographical origin etc., you’re profiling them.

Automated decision making

Automated decision making, or ADM, is a process allowing you to make decisions that may produce legal or similarly significant effects on users in a fully automated manner, without human intervention. Such ADM may also be based on profiling (see above).

In case you’re implementing any ADM process, you have to tell your users. Therefore, you must pick the relevant clause in the privacy policy generator. Please note that users enjoy a specific right to object to ADM processes, specified in the section on automated decision-making of the privacy policy you will generate.

Services to consider adding:

  • Automated decision-making
  • Analysis and predictions based on the User’s Data (“profiling”)

Practical example:

You are a bank. In order to decide whether users are eligible to receive a loan, you have them fill their personal data into a form. Thanks to an algorithm, such data is evaluated in a fully automated manner and the decision is made.

Sourcing data from third parties

If you’re not collecting personal data directly from the user they refer to, but you’re sourcing them from a third party instead, you must inform the relevant user about such third party in addition to all other information duties. Please pick the relevant clause from the privacy policy generator.

This information must be given to the user no later than one month after having collected the data, and in particular

  • if the personal data are to be used for communication with the user, at the latest at the time of the first communication to that user; or
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Services to consider adding:

  • Personal Data collected through sources other than the User

Practical example:

You are a head hunter. You find an interesting profile on LinkedIn. As soon as you contact the relevant candidate or transfer his/her data to the potential employer, and in any case within one month, you have to give the candidate all mandatory information, including mentioning LinkedIn as the source of his/her data.

Representative in the EU

If you are a controller based outside of the EU, you need to appoint a natural or legal person based in one of the EU countries where your users are as your EU representative. The appointment must be made in writing and the appointed representative must be mentioned in your privacy policy.

Therefore, please insert the representative’s details (name and contact details of your representative) in the field where you have your own company information.

Data protection officer

Under certain conditions, you must appoint a natural or legal person as data protection officer (or DPO), and mention it in your privacy policy.

In particular, you must appoint a DPO whenever

  • you are a public authority or body; or
  • your core activities consist in operations that require regular and systematic monitoring of users on a large scale; or
  • your core activities consist of processing on a large scale of sensitive data or data relating to criminal convictions and offences.

If any of the above-mentioned conditions applies to you, please insert the DPO’s details (contact details of your data protection officer) in the field where you have your own company information.

Please note that the GDPR allows EU Member States to provide for further conditions under which the appointment of a DPO is mandatory. Therefore, please check if you are subject to any national provisions of an EU Member State in addition to the GDPR and if such provisions require you to appoint a DPO.

More information about the data protection officer and other individual topics can be found in our GDPR guide.
