It’s easy to make your own privacy notice now with the Chino.io template.
Why do it?
It’s a good way to show people that you care about their data privacy.
And it’s also a key requirement under the GDPR to be open with people about how you use their data.
[Write a small introduction explaining why you are writing this privacy notice - the purpose of it and what you are going to write in it]
Who are we?
[Say who you are and how individuals can contact your Company]
[If applicable: insert contact details of EU representative]
[If applicable: insert also contact details of the DPO]
What data do we collect and process?
[Explain the type of data that you collect and process, e.g. name, surname, address]
[If applicable, mention special categories of personal data processed]
[If applicable, mention data related to criminal offences and/or criminal convictions and offences]
[Make sure that your list is exhaustive and refers to the service you are offering]
[If applicable, mention cookies]
How do we collect your personal data?
[Explain how and when the data is collected e.g.: directly from the user when visiting our website etc.]
[If applicable, tell people if they are required by law, or under contract, to provide personal data to you, and what will happen if they don’t provide that data.]
Why do we collect your personal data?
[In this section you shall describe why you use people’s personal data, being clear about each different purpose and which lawful basis you are relying on in order to collect and use those data]
[If applicable, explain what the legitimate interests for the processing are. These are the interests pursued by your organisation, or a third party, if you are relying on the lawful basis for processing under Article 6(1)(f) of the GDPR.]
Some examples may include:
- Provide your services [Provide explanations and legal basis which allows you to process the data related to this specific purpose]
- Complying with legal obligations [Provide explanations and legal basis which allows you to process the data related to this specific purpose]
- Answer your requests for information [Provide explanations and legal basis which allows you to process the data related to this specific purpose]
- [Any other purpose such as marketing etc.]
How do we process your personal data?
[Specify if data will be processed automatically, manually or both. In case of processing based solely on automated processing, including profiling, make sure you explain how this works. Specify who processes the data and why]
Do we disclose your personal data to third parties?
[Describe the categories of recipients to whom you may disclose personal data e.g. personnel, hosting providers, consultants etc.].
Do we transfer your personal data?
[Explain if you transfer personal data to any countries or organisations outside the EU]
[Explain whether the transfer is made on the basis of an adequacy decision by the European Commission under Article 45 of the GDPR. If the transfer is not made on the basis of an adequacy decision, give people brief information on the safeguards put in place in accordance with Article 46, 47 or 49 of the GDPR. You must also tell people how to get a copy of the safeguards]
How long do we keep your personal data?
[Describe how long you will keep the personal data for]
[If you don’t have a specific retention period then you need to tell people the criteria you use to decide how long you will keep their information]
Data subject’s rights
[Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability]
[The rights will differ depending on the lawful basis for processing – make sure what you tell people accurately reflects this]
[The right to object must be explicitly brought to people’s attention clearly and separately from any other information]
[The right to withdraw consent: let people know that they can withdraw their consent for your processing of their personal data at any time]
[Consent must be as easy to withdraw as it is to give - Tell people how they can do this]
[The right to lodge a complaint with a supervisory authority - Tell people that they can complain to a supervisory authority]
[Each EU Member State has a designated data protection supervisory authority]
[Individuals have the right to raise a complaint with the supervisory authority in the Member State where they live, where they work, or where the infringement took place]
[It is good practice to provide the name and contact details of the supervisory authority that individuals are most likely to complain to if they have a problem].