Privacy policies 101: why you need them and what to include
- FIO Legal Solutions
- 4 days ago

As a business owner, you’ve likely heard the term "privacy policy" thrown around. But is it just another legal formality, or is it something more?
In today’s digital world, a privacy policy is not only a legal requirement; it is also a good tool to build trust and strengthen your reputation as a privacy-conscious business.
In this post, we’ll dive into the essential role a privacy policy plays in your business, breaking down what needs to be included and why it matters. Whether you're just getting started or reviewing your current policy, we'll guide you through the key steps to ensure that your policy isn't just a legal document, but an effective communication tool that puts your customers' minds at ease.
Why do I need a privacy policy?
If your business handles personal data, a privacy policy is a key tool to demonstrate your awareness of data protection principles.
Indeed, being mindful of data protection rules and informing your stakeholders of how you process their data brings many benefits, such as:
It builds transparency and customer trust: Customers expect transparency about how companies process their information, and one of the first things they check is whether the company has a privacy policy. When you’re upfront about these processes, you build trust, which encourages loyalty and deeper engagement with your business.
It also strengthens your reputation: In today’s competitive market, businesses that prioritize data protection stand out. A well-crafted policy shows customers, partners, and regulators that you take data protection seriously.
It’s a good starting point for managing the risks of your data processing activities: Drafting a privacy policy is part of your overall risk management strategy. Writing down what you collect, where you store it and who can access it helps you spot weaknesses in your data handling, such as storage practices or access controls.
You foster compliance with data protection laws: In the EU, the General Data Protection Regulation (“GDPR”) obliges businesses to inform data subjects about their processing activities (Articles 13 and 14). A privacy policy tailored to your practices helps you stay compliant with this legal framework.
You also help safeguard fundamental rights: Last but not least, having a privacy policy shows your respect for the fundamental rights to privacy and data protection. People care about how their data is handled. A clear privacy policy proves you care too.
This means that if you do not have privacy policies in place, or you’re unsure whether they are complete, now is the time to create or review them. You can take some easy steps in this direction by outlining what personal data you collect, how you use it and why, and by following the to-do’s we describe below.
What to include
To achieve these goals, your policy must contain the information required by the GDPR (Articles 13 and 14).
Let’s break these elements down step by step.
Start with an introduction: identify your company and the scope of the privacy policy
Your policy should begin by presenting your company as the one responsible for the data processing (the “controller”). Additionally, since these documents should be tailored to specific audiences (e.g. your team members, your clients, website users), it is also important to explain the scope of the document and which data processing activities it applies to.
Here's a simple example:
"This document explains how we collect, use, and protect your personal data when you use our website. Unless stated otherwise, [Company name], located at [address], is the controller of the data processing described in this policy."
If your company has a Data Protection Officer (DPO) and/or an EU representative (required for controllers not established in the EU that fall under the GDPR), make it easy for users to identify and reach them:
"For any data-related inquiries, you can contact our Data Protection Officer at: [DPO’s e-mail].”
“In the EU, [company], located at [address], is our representative. For any inquiries regarding our data protection practices, you can contact them at: [EU Representative e-mail].”
This ensures users know who to turn to if they have questions or need clarity about your data protection practices.
Explain what personal data you process
Next, you need to describe what personal data you collect. Here, listing categories is sufficient, as long as it is clear what personal data falls within each category.
It is also important to be particularly clear when it comes to special categories of data. These include, for example, health data, biometric data used to identify a person, political opinions, and religious or philosophical beliefs. The GDPR imposes stricter requirements for these categories of data (Article 9), so it is important to be transparent towards data subjects from the start.
This section can be written as follows:
“We process the following categories of personal data:
Contact details (e.g. e-mail, phone number, address);
Online identifiers (e.g. IP address, cookie identifiers);
Customer interactions (e.g. the content of your inquiries and feedback);
Health data (e.g. medical records, sick leave records).”
Explain how you collect it
There may be cases where you collect personal information from sources other than the data subject. This can happen, for example, when you use social media, work with recruitment agencies, or rely on KYC service providers.
When this occurs, you must inform data subjects where you get their personal data from. For example:
“We collect personal data from third parties. These include:
Social media platforms;
Public registers, internet searches and other public sources.”
Although not strictly necessary, you can add a further layer of transparency by clarifying the means through which you obtain personal data directly from data subjects:
“We collect personal data directly from you when you interact with us. This occurs when:
You fill in forms provided by us;
You contact us;
We recruit you.”
Then, explain why you process it
Next, you need to be upfront about why you collect personal data and the legal basis that applies to each purpose (Article 6 GDPR), such as the data subject’s consent, the performance of a contract with the data subject, or the pursuit of your legitimate interests. Be as specific as possible so that data subjects understand how their personal data will be used.
For example:
“We process your personal data in order to fulfil a contract with you or to take steps to enter into a contract with you, at your request. This includes:
To process the payment of the service you acquired;
To provide you with customer support;
To provide our services;
To recruit you.”
For how long you store it
Disclose how long you will store personal data or, where a fixed period is not possible, explain the criteria used to determine the retention period (for example, “for the duration of the contract plus the statutory limitation period”).
Clear timelines reassure users that their personal data won’t be stored indefinitely.
And don’t forget to explain who you share it with
You also need to inform users if their personal data will be shared with third parties. As with the description of the personal data you process, it is enough to mention the categories of recipients, as long as each category is understandable. You can write:
“We share data with secure third-party service providers who assist us in providing our services. These include:
Cloud hosting services (e.g. Microsoft);
Analytics service providers (e.g. Google);
E-mail marketing providers (e.g. Mailchimp).”
Additionally, you need to explain whether you transfer data outside of the EU/EEA and what safeguards are in place (e.g. the destination country is covered by an adequacy decision from the European Commission, or you have put in place appropriate safeguards such as standard contractual clauses with the recipient).
Lastly, inform individuals of their rights
Your policy must inform users of their rights afforded by the GDPR. These rights include:
Access: Users can ask for details on how you process their personal data.
Rectification: They can ask for the correction of errors in their personal data.
Erasure: Under specific conditions, they can request that their data be deleted (also known as the “right to be forgotten”).
Withdraw consent: if consent was the legal basis for the data processing, data subjects must be informed that they can withdraw it at any time. Withdrawal stops future processing based on that consent, but does not affect the lawfulness of processing carried out before the withdrawal.
Restriction: Users can limit how their data is used in certain situations, such as when they contest its accuracy.
Objection: They can object to data processing for purposes like marketing or when the legal basis is your legitimate interest.
Data portability: Users can request their data in a commonly used, transferable format.
Right to file a complaint with a supervisory authority: if individuals believe your data processing violates data protection laws, they can file a complaint with a supervisory authority, e.g. the one in their country of residence.
Other elements to include
Depending on your data processing activities, you may need to add more details. This is the case, for example, if you use cookies and similar technologies on your website, or if you carry out automated decision-making (including profiling) that produces legal or similarly significant effects on individuals. In the latter case, you will need to give data subjects meaningful information about the logic involved, as well as the significance and the envisaged consequences of such decisions for them.
How to show your privacy policy
Users need to be informed about your data processing before it takes place. To this end, the privacy policy must be easily accessible and written in a way that data subjects can understand.
Because of this, your privacy policy should be:
Concise and easy to read: Avoid unnecessary legal jargon. Use simple, plain language so that individuals clearly understand it.
Tailored to your audience: Besides making it simpler, adapt the language to whom you are addressing. For instance, if your services are aimed at children, ensure the policy is appropriately simplified.
Accessible across platforms: Make your privacy policy easy to find on all channels users engage with, such as websites, mobile apps, or customer support systems.
To enhance the user experience, consider these actions as well:
Offer an oral explanation of the policy when requested (e.g., via customer support).
Respond to personal data rights requests, such as access or deletion, without undue delay and in any event within one month of receipt; this period may be extended by two further months where the request is complex or you receive many requests, provided you inform the data subject of the extension and its reasons within the first month. This is not just a GDPR requirement, but also a good practice to adopt when answering queries from your clients regarding data protection topics.
Creating a user-friendly privacy policy goes a long way towards meeting the standards of the GDPR and building trust with your stakeholders. Besides ensuring that it contains the elements the GDPR demands, make sure it is also understandable, so that data subjects can see that their rights are important to you.
So, take the time to review your current privacy policy or create one from scratch using these guidelines!
By Francisco Arga e Lima