
Sample privacy policy

Whenever a website collects personal data, users must be able to read its privacy charter, also known as the privacy policy. This document tells them how their data is processed, in compliance with the General Data Protection Regulation (GDPR). A template is provided at the end of this page.

Privacy policy: what is the legal framework?

A privacy statement, also known as a confidentiality policy or personal data protection policy, is a legal requirement for any company that collects personal data, either directly or indirectly.

Consequently, any website collecting personal data must draw up a confidentiality charter and communicate it to users/web surfers who visit the site.

The collection and processing of personal data are governed by the French Data Protection Act (Loi Informatique et Libertés) of 1978, substantially rewritten to align with European law and in force in its current form since June 1, 2019, and by the General Data Protection Regulation (GDPR, known in French as the RGPD).

Before the GDPR, the French Data Protection Act (Loi Informatique et Libertés) required companies to declare files containing personal data to the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés - CNIL). Since the 2018 reform that prior declaration has largely been replaced by the controller's own accountability obligations, in particular keeping a record of processing activities. The Act still requires companies to ensure the security of such data and, in the case of a website, to inform Internet users not only of the collection of data but also of their rights to access, rectify or delete it.

The RGPD, meanwhile, sets a single legal framework for the collection and processing of personal data across the European Union. It applies directly in every Member State; the French Data Protection Act adapts national law to it, and together they give citizens enhanced data protection.

What is personal data?

According to the definition given by the French Data Protection Act, personal data is information relating to a natural person, enabling that person to be identified directly or indirectly.

This very broad definition therefore encompasses diverse elements: name, postal address, e-mail address, IP address, connection identifiers, telephone number, customer number, biometric data, photo, voice recording are all personal data subject to the RGPD.

As soon as several pieces of data can be cross-referenced to identify a person, they are all considered to be of a personal nature. Thus, a database containing information on consumers' tastes, habits, geolocation, gender or age is considered to be processing personal data, even if the names of the individuals concerned are not mentioned.

The law also defines the processing of personal data very broadly. It does not matter what the operation is, whether collecting, organizing, recording, modifying, consulting or deleting data: as soon as any such action is carried out, the law considers that data processing is taking place.

To be lawful, such processing must pursue a specific, legitimate purpose consistent with the company's activity, and rest on one of the legal bases the RGPD provides (consent, performance of a contract, a legal obligation, legitimate interest, etc.). For example, simply managing customers by issuing invoices or delivering orders requires the collection and processing of personal data, on the basis of the contract with the customer.

Lastly, websites are not the only ones concerned: the rules governing data processing apply equally to paper and digital files.

Handling confidential data: what are the rules?

To comply with data processing regulations, a company or website must apply a number of principles.

First of all, all data processed must be used for a specific purpose, and only data essential to the achievement of that purpose must be collected.

The people whose data is collected must be informed. They also need to know how it will be used, and what their rights are. It is therefore essential to tell them how to access, modify or delete their data.

Personal data must also be kept secure. For a website this means, for example, enforcing a minimum password length and rejecting common or previously breached passwords, storing passwords only as salted slow hashes (bcrypt, scrypt or Argon2) and never in clear text, serving the whole site over HTTPS (TLS) rather than only the login or payment pages, and encrypting sensitive data at rest. Forcing users to change their password at fixed intervals is no longer recommended by current guidance (the CNIL's 2022 password recommendation, NIST SP 800-63B): it pushes people toward predictable variations, and a change should instead be required when a compromise is suspected.
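As an added example, not taken from the original page or from any linked template, the following Python code shows the two server-side measures above that matter most if the user database leaks: a password policy check and salted scrypt hashing with constant-time verification. The scrypt parameters, the 12-character minimum and the small deny-list of common passwords are assumptions standing in for a real breached-password list.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for an interactive login (raise N as hardware allows).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DK_LEN = 32

# Constructed deny-list; a real deployment would check a breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "azerty", "motdepasse"}


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 12:                      # assumed minimum length
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    return problems


def hash_password(password: str) -> str:
    """Hash a password with a fresh random salt; only this string is stored, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    # Self-describing record so the parameters can be raised later without a migration flag day.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    except (ValueError, TypeError):
        # Malformed record: refuse rather than raise, so the caller cannot be tricked into a bypass.
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
    print(check_password_policy("password123"))                      # two violations
```

Two salted hashes of the same password differ, so an attacker who obtains the table cannot spot shared passwords or use a precomputed table, and the cost parameters make each guess expensive.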

How do you draw up a confidentiality charter?

A website's privacy policy must include a number of elements:

  • Company identity and contact details;
  • The aim of the collection ;
  • The legal basis(s) for data processing provided by the RGPD;
  • Data retention period ;
  • Recipients of this data ;
  • The rights available to users (in particular the rights of access, rectification and deletion);
  • Rights of complaint to the CNIL ;
  • Contact details of the person responsible for data protection within the company;
  • The consequences of any refusal to collect data, and whether such collection is mandatory or optional.

The privacy policy may be the subject of a dedicated page, or may be integrated into the general conditions of use.

Users must also be informed about cookies. Cookies strictly necessary to provide the online service the visitor asked for (session, security, consent-choice storage) do not require consent; all other cookies (analytics, advertising, social-media trackers) require the visitor's prior consent, in practice a banner with an explicit opt-in. Pre-ticked boxes and continued browsing do not count as consent, and refusing must be as easy as accepting.

As far as cookies are concerned, the site's confidentiality policy does not aim to obtain consent, which must have been obtained before any non-essential cookie is set, from the moment the visitor arrives on the site; its role is to provide additional information. For example, the privacy policy may define what a cookie is and list the different types of cookies used, their purpose, their lifetime and how to withdraw consent.
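The rule in the two paragraphs above (essential cookies always allowed, everything else only once consent is recorded) is easy to state and easy to break in an application that sets cookies from several places. As an added example, not part of the original page, here is a small Python gate that a server can run before emitting Set-Cookie headers. The cookie names, their purpose classification, the "consent" cookie format (purpose:flag pairs separated by "|") and the six-month lifetime of the recorded choice are all assumptions for illustration.

```python
# Assumption: the visitor's choice is stored in a cookie named "consent". That cookie is itself
# essential, since it is the proof that consent was (or was not) given.
CONSENT_COOKIE = "consent"
CONSENT_MAX_AGE = 6 * 30 * 24 * 3600  # assumed 6-month retention of the recorded choice

# Constructed classification of this site's cookies by purpose.
COOKIE_PURPOSES = {
    "sessionid": "essential",
    "csrftoken": "essential",
    CONSENT_COOKIE: "essential",
    "_ga": "analytics",
    "ad_id": "advertising",
}


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def parse_consent(cookie_header: str) -> dict:
    """Return the recorded choices, e.g. {"analytics": True, "advertising": False}; {} if none."""
    raw = parse_cookie_header(cookie_header).get(CONSENT_COOKIE)
    if not raw:
        return {}
    choices = {}
    for item in raw.split("|"):
        if ":" in item:
            purpose, flag = item.split(":", 1)
            choices[purpose] = flag == "1"
    return choices


def build_consent_set_cookie(choices: dict) -> str:
    """Set-Cookie header value recording the visitor's choices (written when the banner is answered)."""
    value = "|".join(f"{purpose}:{'1' if allowed else '0'}" for purpose, allowed in choices.items())
    return f"{CONSENT_COOKIE}={value}; Max-Age={CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax"


def allowed_cookies(requested: list, consent: dict) -> list:
    """Filter the cookies the application wants to set down to those it may actually set."""
    allowed = []
    for name in requested:
        purpose = COOKIE_PURPOSES.get(name)
        if purpose == "essential":
            allowed.append(name)
        elif purpose is not None and consent.get(purpose, False):
            allowed.append(name)
        # Unclassified cookies are refused: a cookie with no documented purpose cannot be justified.
    return allowed


def may_load_tracker(purpose: str, consent: dict) -> bool:
    """Whether a third-party script for this purpose may be included in the page at all."""
    return consent.get(purpose, False)


if __name__ == "__main__":
    # Constructed request headers: a first visit, and a return visit after accepting analytics only.
    first_visit = "sessionid=abc123"
    return_visit = "sessionid=abc123; consent=analytics:1|advertising:0"
    wanted = ["sessionid", "csrftoken", "_ga", "ad_id", "legacy_tracker"]
    print(allowed_cookies(wanted, parse_consent(first_visit)))    # ['sessionid', 'csrftoken']
    print(allowed_cookies(wanted, parse_consent(return_visit)))   # ['sessionid', 'csrftoken', '_ga']
    print(build_consent_set_cookie({"analytics": True, "advertising": False}))
```

Note that the default on a first visit is "no consent": with no "consent" cookie present, only essential cookies survive the filter, which is the behaviour the regulation requires before the visitor has answered the banner. The same check should gate the inclusion of the tracking scripts themselves, not only the cookies they set.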

Sample privacy policy

We provide a sample privacy policy. You are free to download it, modify it and use it on your site, adjusting it to your specific needs and modifying the parts between braces { ... }. This model serves only as a basis and does not constitute legal advice.

Download a sample privacy policy

What are the penalties for not having a confidentiality charter?

A company that fails to comply with its obligations in terms of privacy policy and personal data protection is exposed to two types of sanctions: administrative sanctions and criminal sanctions.

Administrative sanctions, imposed by the CNIL, include fines of up to 20 million euros or 4% of the company's worldwide annual turnover, whichever is higher. The CNIL may also order the processing to be limited or suspended, which for a website can mean taking it offline.

Criminal sanctions are those set out in the French Penal Code: unlawful processing of personal data can result in up to 5 years' imprisonment and a fine of 300,000 euros.