How to create a privacy policy

After entering all data of an organization and building the record of processing, we proceed with the creation of privacy policies in respect to the GDPR principles.

‍

The privacy policy

The legislation on the protection of personal data requires the data controller to comply with the so-called "information duty", which consists in communicating to the data subject all the details of the processing activities that involves him or her.

‍

One of the main ways to comply to this obligation is what we usually call ''privacy policy'', pursuant to articles 13 and 14 of the GDPR.

‍

With the privacy policy, the data controller is able to ensure:

‍

• ‍Transparency and correctness by design.
• Respect of the data subject’s rights.

‍

Create a privacy policy with UTOPIA

To create a Privacy policy register, go to Privacy policies menu and click the (+) button, specify the linked record of processing activities then click save.

‍

Now you can add the a new privacy policy simply opening the privacy policy section, clicking the (+) button and selecting the data subject of your interest.

‍

You only have a few more information to add:

‍

• Data subject's rights: you can specify whether a particular right is granted in relation to the type of processing activity, also indicating the modalities of exercise.
• The existence or not of an automated decision-making process to which add, if any, the logic used and any consequences for the data subjects.

‍

Other information such as the roles involved in the processing activities (DPOs, representative of the controller, categories of data subjects or recipients), the purposes, legal basis, data retention or criteria and any transfers automatically come from the data in the section Processing activities.

‍

‍

When you set the privacy policy Active, all the information required by the law will be highlighted.

‍

Try to reach 100% of completion and increase the privacy score of your organization.

‍

Remember that you can also download the privacy policy in Word format (.docx).

‍

When and how to inform the data subject

You must inform the data subject every time a processing activity takes place, when you receive his or her data or at most, the first time you communicate with the data subject. If, later on, you want to process the data for different purposes, you will have to specify further information.  

‍

When personal data have not been obtained from the data subject, the privacy policy must be provided with the following criteria:

‍

• Within a reasonable time after obtaining the data and in any case no later than one month after they were collected.
• At the time of the first contact if the data are intended for communication with the data subject.
• No later than the first communication of the data if they will be communicated to another recipient.

‍

Finally, the style of communication, in accordance with the principles enshrined in the Regulation, must be clear and concise in order to help the understanding of those concerned.

‍

Is the privacy policy always mandatory?

The regulation specify some cases in which the policy is not necessary. This happens when:  

‍

• The data subject already has the necessary information.
• The registration or the communication of the data are required by law.
• Informing the data subject would be impossible or would require a disproportionate effort.

‍

Even in the case that the data come from another controller, there are some exception cases. In particular when:

‍

• The data has to be reserved because of an obligation regarding a professional privilege or a secrecy obligation provisioned by law.
• Obtaining or communicating is required by Union law or by the law of the Member State to which the controller is subject.

‍