After entering all data of an organization and building the record of processing, we proceed with the creation of privacy policies in accordance with the GDPR principles.
The legislation on the protection of personal data requires the data controller to comply with the so-called "information duty", which consists of communicating to the data subject all the details of the processing activities that involve him or her.
One of the main ways to comply with this obligation is what we usually call a "privacy policy", pursuant to articles 13 and 14 of the GDPR.
With the privacy policy, the data controller is able to ensure:
To create a Privacy policy register, go to the Privacy policies menu and click the (+) button, specify the linked record of processing activities, then click save.
Now you can add a new privacy policy simply by opening the privacy policy section, clicking the (+) button and selecting the data subject of your interest.
You only have a few more pieces of information to add:
Other information, such as the roles involved in the processing activities (DPOs, representative of the controller, categories of data subjects or recipients), the purposes, legal basis, data retention or criteria and any transfers, comes automatically from the data in the Processing activities section.
When you set the privacy policy Active, all the information required by the law will be highlighted.
Try to reach 100% completion and increase the privacy score of your organization.
Remember that you can also download the privacy policy in Word format (.docx).
You must inform the data subject every time a processing activity takes place, when you receive his or her data or, at most, the first time you communicate with the data subject. If, later on, you want to process the data for different purposes, you will have to specify further information.
When personal data have not been obtained from the data subject, the privacy policy must be provided according to the following criteria:
Finally, the style of communication, in accordance with the principles enshrined in the Regulation, must be clear and concise in order to help the understanding of those concerned.
The Regulation specifies some cases in which the policy is not necessary. This happens when:
Even when the data come from another controller, there are some exceptions. In particular, when:
Create your personal account in less than a minute and explore the full potential of UTOPIA free for 14 days, without any limitations.