Privacy Policy
1. Scope of application
The GDPR applies to all organizations that process personal data within the EU, whether or not they are located in the EU.
It also applies to non-EU organizations that provide goods or services to EU residents, or monitor their behavior.
2. Definition of personal data
Personal data refers to any information that can directly or indirectly identify a natural person, such as:
Name, address, email address, telephone number.
IP address, location data, cookie identifier.
Health information, financial information, biometric data, etc.
3. Data processing principles
According to the GDPR, data processing must comply with the following principles:
Lawfulness, fairness and transparency: Data processing must be lawful and transparent to the data subject.
Purpose limitation: Data can only be used for clear and legitimate purposes.
Data minimization: Only necessary data is collected and processed.
Accuracy: Data must be accurate and, where necessary, kept up to date.
Storage limitation: Data should not be kept for longer than is necessary to achieve the purpose.
Integrity and confidentiality: Ensure data security and prevent unauthorized access or disclosure.
4. Rights of data subjects
GDPR grants data subjects the following rights:
Right to be informed: to know how their data is processed.
Right to access: to obtain a copy of their personal data.
Right to rectification: to request rectification of inaccurate or incomplete data.
Right to erasure (right to be forgotten): to request deletion of their personal data.
Right to restriction of processing: to request restriction of processing of their data.
Right to data portability: to obtain their data and transmit it to another controller in a structured, commonly used format.
Right to object: to object to data processing for a specific purpose.
Rights related to automated decision-making: to object to decisions based solely on automated processing.
5. Responsibilities of data controllers and processors
Data controller: an organization or individual that determines the purpose and means of data processing.
Data processor: an organization or individual that processes data on behalf of a controller.
The controller and processor must enter into a written agreement that specifies the responsibilities of both parties.
The processor must process the data in accordance with the controller's instructions and ensure data security.
6. Data Protection Officer (DPO)
Certain organizations must appoint a data protection officer, for example:
Public bodies.
Organizations that process sensitive data on a large scale.
Organizations that monitor personal data on a large scale.
The DPO is responsible for monitoring compliance with the GDPR and providing advice.
7. Data Breach Notification
If a data breach occurs, the controller must report it to the supervisory authority within 72 hours.
If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also notify affected individuals.
8. Cross-border data transfers
When transferring personal data outside the EU, it is necessary to ensure that the recipient provides a level of protection comparable to that under the GDPR.
Common lawful transfer mechanisms include:
EU Standard Contractual Clauses (SCCs).
Binding Corporate Rules (BCRs).
Obtaining explicit consent from the data subject.
9. Content requirements for privacy policies
Under the GDPR, a privacy policy must contain the following information:
The identity and contact details of the data controller.
The purposes and legal basis for the processing of the data.
The recipients or categories of recipients of the data.
The period for which the data will be stored.
Rights of the data subject and how to exercise them.
If the data is transferred to a third country, the transfer mechanism and safeguards.
10. Lawful basis for data processing
Data processing must be based on one of the following lawful bases:
Explicit consent of the data subject.
Necessary for the performance of a contract.
Compliance with a legal obligation.
To protect the vital interests of the data subject or of another person.
Performance of a task in the public interest or in the exercise of official authority.
Legitimate interests of the controller or of a third party (unless the interests of the data subject prevail).