Further to an earlier Comsure posting that highlighted the basic checks on a privacy statement, the following checklist offers a more detailed set of considerations designed to help you gather the information you will need to put a GDPR-compliant privacy policy on your website or in your app.
Company information
1. What is the URL of the site from which the user’s information is collected?
2. What is the full name of the company in control of the user information being processed (including trading names)?
3. What is the registered office address?
4. What is the business address?
Who are the data controllers?
1. Are there any joint controller arrangements? (If yes, include details of the essence of this arrangement.)
Website hosting and data location
1. Who is the website hosting provider?
2. Where is the website hosted (country/region)?
3. Where is the user data stored and processed (country/region, including backups and any secondary locations)?
Who will be using the website and other channels?
1. What channels are available (e.g. website/app/other)?
2. Is the website directed at consumers/businesses/other?
3. Is the site/service directed at those under 16 (or the lower age of consent adopted by the relevant member state)?
4. Can those under 16 access the site/service?
What information is collected about users? (indicate whether electronic, audio or visual data)
1. Is registered user information collected? e.g.
- Registration information
- Profile information
- Are any decisions based solely on automated processing, including profiling, that produce legal effects for the subject or similarly significantly affect him/her?
- Information from syncing with other software or services
- Interaction with social media (functional and/or marketing) and what information is available?
- Information about payments
- Access to social media profiles
- Demographic information
- Anonymous information
- Pseudonymous data
- ‘My account’ feature (describe the features and settings, including privacy settings, available to the user within this user area of the site/service)
- Device information (nature of device and/or identifiers)
- Log information (including IP address)
- Location information (how is location collected/inferred)
- Device sensor information
- Site visited before arriving
- Browser type and or OS
- Interaction with email messages
- Referral or recommendation programmes
- Publicly accessible sources
- Essential login/authentication or navigation
- Functionality – remember settings
- Performance & Analytics – user behaviour
- Advertising/retargeting
- Any third-party software served to users (e.g. embedded scripts or SDKs)
- Other
Nature of any outbound communications with registered users
1. Email
2. Telephone (voice)
3. Telephone (text)
4. Other
Site security measures
Does the site, or the organisation operating it, hold certification against or otherwise comply with:
1. Cyber Essentials?
2. The ISO/IEC 27000 series (e.g. ISO/IEC 27001)?
3. Other standards?
Disclosures
1. What disclosures of information are made?
2. Are any external links included in the website?
3. Does the website have message boards, social or chat areas?
4. Can information be shared by the user?
5. Can information be shared by others?
6. What information is shared by the organisation?
- With group companies
- With partners (identified)
- With other third parties
7. Is information shared automatically?
8. Are third-party applications or APIs given access to user information?
Rights and choices
1. How can a user remove content?
2. How can a user suspend, restrict or hide their account?
3. How can a user get data corrected or erased?
4. How can a user get access to their data?
5. Can users opt out of uses of their information for purposes other than provision of the service?
6. How can a user opt out of any marketing communications?
7. Can an account be deleted?
8. How long will specific account details be retained post account deletion?
9. How are data portability requests made and handled?
10. How can the user withdraw their consent to further processing?
Process for making changes to the policy
1. How will changes be notified to users (existing and new)?
2. How will user consent be collected (where relevant)?
3. Will an ‘at a glance’ summary of the key changes be available to users?
4. Will users be able to access past versions of the policy?
Data transfers outside the EEA
(NB: exporting data for hosting or processing outside the EEA counts as a transfer, as does access from outside the EEA to EU-hosted data.)
1. Is personal data transferred outside the EEA?
- By group companies?
- By service providers?
- Other?
What are the legal safeguards for the transfer?
1. Country adequacy decision
2. Model transfer contracts (Standard Contractual Clauses)
3. Binding Corporate Rules
4. Privacy Shield (NB: the EU-US Privacy Shield was invalidated by the CJEU in July 2020 and can no longer be relied on; EU-US transfers now rest on the EU-US Data Privacy Framework adequacy decision of July 2023 or on one of the other mechanisms listed here)
5. Other lawfulness condition or derogation (specify)
Contact details and information to provide
1. Who to contact
2. How (online)
3. How (mail)
4. Telephone
5. Physical address
6. Data Protection Officer
7. Contact details (if different)
8. Right to lodge a complaint with the ICO (or the relevant supervisory authority)
GDPR Privacy notice check sheet (basic considerations)
If your company is a data controller under the GDPR then your company will need to update its privacy policy or privacy notice. Under the GDPR privacy policies must contain more detailed disclosures, while also being understandable and accessible.
Use the checklist below to identify the key disclosure requirements for privacy policies.
GDPR Privacy Policy Checklist
Information about processing of personal data
1. Purpose of processing
2. Legal basis for processing (e.g., consent, performance of a contract, necessary for the purposes of the legitimate interests of the data controller)
3. Legitimate interests of the controller (if any)
4. Whether automated decision-making, including profiling, will take place (this includes details of the significance and the potential consequences of such processing for the individual)
Details about collection and use of personal data
1. Categories of personal data collected
2. Recipients or categories of recipients that receive personal data
3. Any transfers of personal data to countries outside of the EEA (and the applicable safeguards in place)
4. Data retention policy (i.e., how long the data will be stored for, or the criteria used to determine that period)
5. Any automated processing of personal data that will take place (including profiling), how decisions will be made, and the significance and any consequences of such processing
6. Whether provision of personal data is part of a statutory or contractual requirement, and the possible consequences if the individual refuses to provide personal data
Existence of individual rights
1. Right of access to personal data
2. Right to rectification of personal data held where it is incorrect or incomplete
3. Right of erasure of personal data (“right to be forgotten”) if certain grounds are met
4. Right to restrict/suspend processing of personal data
5. Right to complain to a supervisory authority
Additional rights that may apply in certain instances:
6. Right of data portability (if processing is based on consent or a contract and is carried out by automated means)
7. Right to withdraw consent at any time (if processing is based on consent)
8. Right to object to processing (if processing is based on legitimate interests or a task in the public interest)
9. Right to object to processing of personal data for direct marketing purposes
Contact information
1. Name and contact details for the data controller (and any representative)
2. Name and contact details for the data protection officer (“DPO”), if a DPO is appointed
Contact Us
If you have questions about the checklist or for additional information on the GDPR, contact