The presence of organisations on the internet is constantly increasing and micro-enterprises are not an exception. There are many micro-enterprises providing their services online; from traditional businesses undertaking a digital transformation, to tech start-ups born in the digital age. However, due to the lack of resources, many micro-companies struggle with the General Data Protection Regulation (GDPR). Here is an Online Privacy Policies Decalogue to help them evolve in the online world while being GDPR compliant:
1. Who process personal data?
In privacy policies, companies need to disclose clearly who is processing the data. It is important to provide the customers with a contact person who will answer data related questions.
The contact can be provided with a contact form or an email address.
2. Purpose and legal basis for data processing
The privacy policies should include the purposes behind each data processing as well as the legal basis allowing it.
For many micro-enterprises, the purpose of processing customers data will be to provide a service or a product, such as an address to deliver a goods. In this case, the legal basis would be “necessary processing for the performance of a contract to which the data subject is a party” but other processing activities may need different considerations.
Some processing activities are allowed only under consent. In this case, the information should be provided under a separate section of the privacy policies
Pre-checked boxes or inaction are not a valid form of consent. Additionally, different consents should be gathered for different purposes and users shall be able to easily withdraw some of their previously given consent.
A micro-enterprise gathering customers’ consent to receive a newsletter with information about other activities, products or events should ask for the consent by requesting a clear affirmative action from the customer. Customers’ inaction does not mean consent.
4. Time period
Privacy policies should include information about the period of time during which the micro-enterprise will hold any personal data. If there is a legal obligation to hold data for a certain period, information about the law must be given.
If it is not possible to provide a fixed period of time, then a procedure to determine the length of the period should be determined and disclosed such as “the company will process the data until the end the contract”.
5. Data subject rights
The GDPR grants data subject with specific rights:
- the right to get copies of their data,
- the right to get their data corrected,
- the right to get their data deleted,
- the right to limit the usage of the data by the micro-enterprise,
- the right to data portability,
- the right to object to the use of their data and rights regarding automated processing (object the use of their data for direct marketing.)
Data subjects, i.e. customers, should be informed about their rights regarding their personal data.
Privacy policies should include clear instructions on how the data subject can exercise their rights, for example by sending an email or through a form on the website. A brief explanation about each right should also be provided.
6. Third parties
If any personal data is going to be disclosed to any third party for further processing purposes, data subjects have the right to be aware of it, so privacy policies must include this information.
Services provided by a third party as processing operations in the name of the micro-enterprise, like external labour advise or IT support, are not considered as data disclosure, but these services shall be regulated by a written contract or agreement between the two parties.
If personal data will only be disclosed to a third party due to a legal obligation of the micro-enterprise, this should also be indicated with a statement similar to “No personal data disclosure to any third party, except under a legal obligation”.
7. Necessary Processing
All the specific type of data processing should be disclosed in the privacy policies and clearly be distinguished from each other. For example, the necessary processing and the processing for other purposes (marketing) should be listed separately in the policies
Users should also be informed if there is a legal or contractual obligation to provide certain data or if it is required to subscribe to a contract. In such cases, indications about the consequences of not providing that information shall be given.
The user should have the option to only provide the data related to the processing activities he/she is interested in.
8. Automated decision-making process
If a micro-enterprise is making automated decisions based on personal data, or profiling, it must be written in the privacy policies. Information must also be provided about the rules and methods applied behind the automated-decision.
The presence of automated decision-making operations may be an indication of high risk and additional GDPR requirements may be triggered
9. International transfer
Any international transfer (transfer of personal data to an organisation outside of the European Union) must be clearly stated as well as the information related to any adequacy decision allowing such international transfer.
Micro-enterprises must be aware of any possible international transfer of the data they hold, in some cases, the use of cloud services may produce such unnoticed movement of data to a third country.
10. How should the information be presented?
Any Information related to the processing activities provided in privacy policies shall be disclosed in clear, accurate and plain After having been properly informed, the user can make better decisions. All the information shall be provided on a specific page or location inside the micro-enterprise website and should be clearly accessible from different parts of the website.
The recommendation is to adopt a two layers structure: a first layer with quick and basic information, a second layer with more detailed information.
Written by: AEPD
Related research efforts:
 Spanish Authority AEPD, Facilita tool