To complete this template, you will need detailed information about how you or your organization uses personal data. For example, you will need to know what personal data is processed, the purposes for which that personal data is used, the people or categories of people to whom that personal data can be disclosed and the periods during which that personal data will be retained. You must also establish the legal bases of its processing.
Separate rules regulate the provision of information about cookies, and this document includes optional provisions regarding disclosures related to cookies. If you retain these provisions, you should know the purposes for which cookies and similar technologies are used on your website.
You should consider whether it is necessary to have specialized legal advice on data protection.
You can find more information about the information disclosure requirements of data protection law in the following resources:
The GDPR – https://eur-lex.europa.eu/legal-content/EN/TXT/?u...
European Data Protection Board (EDPB) guidance on transparency – https://ec.europa.eu/newsroom/article29/item-deta...
Office of the Information Commissioner of the United Kingdom guidance on the right to be informed – https://ico.org.uk/for-organisations/guide-to-dat...
These introductory provisions can be used to draw people's attention to some of the key issues addressed in the document.
"Personal data" is defined in Article 4 (1) of the GDPR:
“‘Personal data’ means any information related to an identified or identifiable individual (‘data subject’); an identifiable natural person is one that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual”.
Free document license warning
Optional item Although you need to retain credit, you must remove the online copyright warning from this document before use.
How we use your personal data
The GDPR requires that controllers disclose to interested parties detailed information about their processing of personal information.
Article 13 (1) of the GDPR states that:
“Where the personal data related to a data subject is collected from the data subject, the controller shall, at the time the personal data is obtained, provide the interested party with all of the following information:… (c) the purposes of the processing for which personal data is intended, as well as the legal basis for processing; (d) when the treatment is based on article 6, paragraph 1, letter f), the interests pursued by the controller or by a third party”.
Article 14 (1) of the GDPR states that:
“Where the personal data is not obtained from the interested party, the controller will provide the data subject with the following information:… (c) the purposes of the processing for which the personal data is intended, as well as the legal basis for the processing; (d) the categories of personal data in question…”
Article 14 (2) of the GDPR, which also applies in the event that personal data has not been obtained from the data subject, states that:
“In addition to the information referred to in section 1, the data controller shall provide the data subject with the following information necessary to guarantee fair and transparent processing with respect to the interested party:… (b) where the processing is based on article 6, paragraph 1, letter f), the legitimate interests pursued by the controller or by a third party… (f) where the personal data originate, and if applicable, if it comes from sources of public access…”.
Article 6 (1) (f) of the GDPR, referred to in articles 13 and 14, provides that:
“(1) The processing will be legal only if and to the extent that at least one of the following applies:… (f) the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are nullified by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child”.
Regarding the identification of the source of personal data in the event that no personal data is obtained from the interested party, the guidance of the European Data Protection Board states that:
“The specific source of the data should be provided unless it is not possible to do so… If the specific source is not named, then the information provided should include: the nature of the sources (i.e., public/private sources) and the types of organization/industrial sector.”
Please note that, while Article 14 of the GDPR provides that information on “categories of personal data” must be given to interested parties, Article 13 does not include an equivalent provision. However, we have included references to general categories of data in this document, because this facilitates the identification of particular purposes of the processing and the legal bases of the processing, which is information to be provided in accordance with Article 13.
The United Kingdom Information Commissioner's Office website provides a useful guide regarding the selection of legal bases for processing: https://ico.org.uk/for-organisations/guide-to-data...
Optional item Section 3.3
Optional item Section 3.4
Optional item Section 3.5
Optional item Section 3.6
Optional item Section 3.7
Optional item Section 3.8
Optional element Use this form of provision to identify and provide relevant information about other categories of personal data that you can process.
Optional item Section 3.10
Optional item Section 3.12
Provide your personal data to others.
Article 13 (1) (e) of the GDPR requires that, when personal data is collected from the interested party, the controller must provide the interested party with information about the “recipients or categories of recipients of the personal data”.
Equivalent rules for data collected from someone other than the interested party are in Article 14 (1) (e).
Although the GDPR refers to “categories of recipients”, the guidance of the European Data Protection Board on this subject states:
“The term ‘recipient’ is defined in Article 4.9 as ‘natural or legal person, public authority, agency or other body, to which personal data is disclosed, whether a third party or not’ [emphasis added]. As such, a recipient does not have to be a third party. Therefore, other data controllers, joint controllers and processors to which data is transferred or disclosed are covered by the term ‘recipient’, and information on such recipients must be provided in addition to information on external recipients. Actual (named) recipients of personal data, or recipient categories, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients which is more meaningful for those interested. In practice, this will generally be the named recipients, so that those interested know exactly who has their personal data. If the controllers choose to provide the categories of recipients, the information must be as specific as possible, indicating the type of recipient (that is, by reference to the activities performed), the industry, sector and subsector and the location of the recipients.”
Optional item Section 4.2
Optional item Section 4.3
International transfers of your personal data.
Article 13 (1) (f) of the GDPR requires that data controllers disclose to interested parties “where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of a decision of adequacy of the Commission, or in the case of transfers mentioned in Article 46 [transfers subject to appropriate guarantees] or 47 [binding corporate rules], or the second paragraph of Article 49 (1) [limited transfers for compelling legitimate interests], reference to the appropriate or adequate guarantees and the means to obtain a copy of them or where they have been made available”.
The European Data Protection Board guidance on this topic states:
“The relevant GDPR article allowing the transfer and the corresponding mechanism… must be specified. Information on where and how the relevant document can be accessed or obtained should also be provided, e.g. by providing a link to the mechanism used. In accordance with the principle of fairness, the information provided on transfers to third countries should be as significant as possible for the data subject; this generally means that third countries will be named.”
Optional item Section 5.3
Optional item Section 5.4
Optional element Will users have the opportunity to publish personal information on the website?
Retain and delete personal data
Article 5 (1) (e) of the GDPR sets out the storage limitation, one of the fundamental rules of the regime:
“The personal data will be:… stored in a form that allows the identification of the interested parties for no more than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods to the extent that personal data will be processed solely for archival purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1), subject to implementation of the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the interested party…”
Article 13 (2) of the GDPR establishes, in relation to the personal data collected from the interested party, that:
“… The controller must, at the time the personal data is obtained, provide the interested party with the following additional information necessary to guarantee fair and transparent processing: (a) the period during which the personal data will be stored, or if that is not possible, the criteria used to determine that period…”
Article 14 (2) of the GDPR establishes a similar provision in relation to personal data that is not collected from a data subject.
The European Data Protection Board guidance on this topic states:
“This is linked to the data minimization requirement in Article 5.1 (c) and the storage limitation requirement in Article 5.1 (e). The storage period (or criteria to determine it) can be dictated by factors such as legal requirements or industry guidelines, but should be expressed in a way that allows the data subject to evaluate, based on their own situation, what the retention period will be for certain data/purposes. It is not enough for the data controller to generically declare that personal data will be retained for as long as necessary for processing purposes. Where appropriate, different storage periods must be stipulated for different categories of personal data and/or different processing purposes, including, where applicable, archival periods.”
For guidance on setting retention periods, see:
Article 13 (2) of the GDPR establishes that, when personal data of an interested party is collected, certain information on the rights of the data subjects must be provided:
“In addition to the information referred to in paragraph 1, the controller shall, at the time personal data is obtained, provide the interested party with the following additional information necessary to ensure fair and transparent processing:… (b) the existence of the right to request from the controller access to and rectification or deletion of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability; (c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the processing based on consent before its withdrawal;…”
Similar provisions are set out in Article 14 in relation to personal data that is not collected from the relevant data subject.
The European Data Protection Board guidance on this topic states:
“This information must be specific to the processing scenario and include a summary of what the right involves and how the interested party can take measures to exercise it and any limitations to the right… In particular, the right to object to the processing must be explicitly communicated to the attention of the interested party no later than the first communication with the interested party and must be presented clearly and separately from any other information.”
This requirement derives from Article 5 (3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), which states that:
“Member States shall ensure that the use of electronic communications networks to store information or to obtain access to information stored on the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user in question is provided with clear and complete information in accordance with Directive 95/46/EC, among other things about the purposes of processing, and is offered the right to refuse such processing by the data controller. This will not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication through an electronic communications network device, or as strictly necessary to provide an information society service explicitly requested by the subscriber or user.”
The requirement is implemented in the United Kingdom in the Privacy and Electronic Communications Regulations (EC Directive) 2003.
In its current (modified) form, Regulation 6 states:
“(1) Subject to paragraph (4), a person shall not store or access the information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment: (a) is provided with clear and complete information on the purposes of the storage of, or access to, that information; and (b) has given his consent.
(3) When the same person uses an electronic communications network to store or access information on the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met with respect to initial use.
(3A) For the purposes of paragraph (2), consent may be indicated by a subscriber who modifies or establishes controls in the internet browser used by the subscriber or through another application or program to indicate consent.
(4) Paragraph (1) shall not apply for technical storage or access to information: (a) for the sole purpose of carrying out the transmission of a communication by an electronic communications network; or (b) where said storage or access is strictly necessary for the provision of a service of the information society requested by the subscriber or user.”
In their original form, these regulations can be found at:
UK companies must provide their corporate names, their registration numbers, their place of registration and the address of their registered office on their websites (although not necessarily in this document).
Unique merchants and associations that conduct a business in the United Kingdom with a “business name” (i.e. a name that is not the merchant's name / partner names or certain other specific kinds of name) must also make certain website disclosures: (a) in the case of a single merchant, the name of the individual; (b) in the case of a company, the name of each member of the company; and (c) in any case, in relation to each person named, an address in the United Kingdom at which the service of any document related in any way to the business will be effective. All websites covered by the Electronic Commerce Regulation (EC Directive) 2002 must provide a geographic address (not a post office box number) and an email address. All website operators covered by the 2009 Service Provision Regulation must also provide a telephone number.
What is the name of the company, company, natural person or other legal person or entity that owns and operates the website?
Optional element Is the relevant person a company?
In what jurisdiction is the company registered?
What is the company registration number or equivalent?
Where is the registered address of the company?
Optional item Where is the head office of the relevant person or the main place of business?
By what means can the relevant person be contacted?
Where is the postal address of the relevant person published?
Either specify a phone number or give details of where the relevant number can be found.
Either specify an email address or give details of where the relevant email address can be found.
Some data controllers and data processors will be required to appoint a data protection officer (DPO). The basic obligation is established in Article 37 (1) of the GDPR:
“The controller and the processor will designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except the courts acting in their judicial capacity; (b) the central activities of the controller or processor consist of processing operations that, by virtue of their nature, scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the central activities of the controller or the processor consist of processing on a large scale special categories of data in accordance with article 9 and personal data related to criminal convictions and the offenses referred to in article 10.”
Article 13 (1) of the GDPR states that: “Where the personal data related to a data subject is collected from the data subject, the controller shall, at the time the personal data is obtained, provide the interested party with all of the following information… (b) the contact data of the data protection officer, when applicable”.