| ICT Recht

This is stipulated in the General Data Protection Regulation (‘GDPR’) and is usually set out in a privacy policy. Visitors should be able to find your privacy policy easily. When you run a website, you could, for example, include a hyperlink to your privacy policy at the bottom of each webpage. Do you have a web shop? Make sure that there is a reference to your privacy policy in the ordering process. In every situation in which you collect data from people, you have to provide them with a clear privacy policy.

A privacy policy should at least contain the following:

1. Identity. You are required to state the name of your business, including your business address details and your Chamber of Commerce number plus a contact address for privacy-related questions.
2. Purposes. For which purpose is personal data processed? Examples are “performance of the purchase agreement” or “website protection and optimization” (such as recording IP addresses). Every purpose needs to be listed separately, together with the legal ground for processing. For example:
3. Use of cookies: If your website uses cookies (as is virtually always the case), you are required to explain what cookies are and what you do with them, even if only to allow people to stay logged in. You also have to inform visitors about the storage duration of the cookies on their devices. The legal ground for this processing would be the performance of a contract or for the purpose of a legitimate (commercial) interest.
4.  Newsletters: If clients are placed on a newsletter subscription list, they are required to provide their explicit consent. Each newsletter should also state how to unsubscribe. The consent is the legal ground for processing in this case.

1. Rights of the data subjects. Under the GDPR, data subjects have certain rights regarding their data. They are, for example, entitled to access their data. Based on this access, they may request that their personal data should be corrected or deleted; data may however only be deleted if no longer relevant. Data subjects also have the right to complain and to transfer their data somewhere else. All those rights have to be listed in the privacy statement.

1. Protection. You are required to indicate that you have put technical and organisational measures you have in place to protect personal data against loss or any type of illegal processing. You can explain which measures these are. Examples are SSL-protocols or the use of passwords on your databases.
2. Recipients of the data. Do you use the services of third parties to process your data? Or do you share data with companies that use the data for their own purposes? In both cases you have to inform the data subjects.
3. Processing outside of the European Union. Do you want to process data outside of the European Union? You have to inform data subjects on this as well.
4. Retention periods. What are the retention periods of the data? When is the data deleted when there is no clear retention period? You have to include this information in your privacy statement as well.
5. Profiling. Do you profile or make use of automatic decision making? You have to mention this in your privacy statement, while explaining how these techniques work.

Would you like to know if your privacy policy is compliant? Or do you need a privacy policy from scratch? Generate a document tailored to your needs right now or contact us for further consultation.

If another party processes data on your behalf, you may need a data processing agreement.

WOULD YOU LIKE MORE INFORMATION? 

Send an e-mail to: info@legalict.com or call us at: +32 (0)2 535 77 55. You can also use the form below: one of our legal advisors will get back to you very soon.