Picking the right privacy policy options

How can you know which options to apply to your privacy policy document inside the iubenda generator? We’ve got everything outlined in this guide. Read on to learn more.

Start with location

In picking the right privacy policy options, you must first consider the area that you are based in as well as the area where your users are located. You would also need to carefully consider if a Representative is to be appointed in a foreign jurisdiction and what considerations are to be made if your users’ personal data is to be transferred to third countries.

iubenda offers the opportunity to create various privacy policy options that cater to the GDPR (which also encompasses the UK GDPR), FADP, LGPD and US Law needs.

Follow these simple steps from your account

  • Once you have logged into your account and identified your area of operations and your target users, you can then access the privacy policy admin area.
  • From there, you can then edit your privacy policy by clicking on Dashboard > [your policy] > Edit.
  • You will then find a box labelled “Legislation-specific standards” on the right hand side of the page, which will allow you to select the relevant disclosures for your users or the GDPR’s broader protection standards (which are further explained below) as the case may be.

It is that simple to modify your privacy policy options and to ensure that your privacy policy reflects your business operations and the privacy of your users.

iubenda’s System

iubenda has implemented a system that allows you to apply different rights to different user groups, whose personal data you collect and process as “controller” (that is the word that GDPR uses for whoever determines the purposes and means of the processing of personal data).

In particular:

  • You can decide to apply broader protection standards to all your users. In this case, you will generate a privacy policy that applies in all its parts to all your users and follows the GDPR.
  • You can decide to apply a basic set of rights to all users, and broader protection standards only to some of them. In this case, such broader protection standards will always apply whenever the processing of personal data is subject to the GDPR. In all other cases, a basic set of rights shall apply.

👋 If you target US based users, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) could apply to you. You can read all about the CCPA and take our free assessment here.

How do I make the right choice?

You can choose from “Apply GDPR’s broader protection standards to”:

  • EU only; or
  • All users

You can find the switch here:

  • Log into your privacy policy admin area
  • Enter the editing of your privacy policy, which can be found via Dashboard > [your policy] > Edit
  • There you’ll find a box housing the switch to enable the GDPR text labeled “Legislation-specific standards”
  • Under the heading “Apply GDPR’s broader protection standards to” choose from Apply to all users (default option) or Apply to EU users only
  • This allows you to consider your specific case and react to where your users/clients are based and choose accordingly

Once you have decided what rights to offer to whom, you can continue.

If you are based in the EU, you must apply the broader protection standards to all your users, because all data processing activities you perform are subject to the GDPR – this even extends to your users that are not based within the EU.

If you are based outside of the EU, then in principle you may choose to apply broader protection standards to all your users or to grant them only in cases where the processing of personal data is subject to the GDPR. Please note that you must apply broader protection standards whenever the processing

  • concerns the Personal Data of users who are in the EU and is related to the offering of paid or unpaid goods or services to such Users; or
  • concerns the Personal Data of users who are in the EU and allows the Owner to monitor such users’ behavior taking place in the EU.

💡 Let’s look at a practical example:

If you’re a US-based controller, you may choose to apply basic rights to your users, as required by US legislation. However, if part of your processing activities consists in the offering of paid or unpaid goods or services to EU-based users, or in monitoring user behavior taking place in the EU, then you’re obliged to apply broader protection standards in those cases.

The applicability of broader protection standards results in further implications, described below.

📌 Transfer of data outside of the EU

If you collect Personal Data within the EU, you’re free to transfer them to other EU or EEA countries. However, if you plan to transfer them to other countries, such as Switzerland or the U.S., you need to name a valid legal basis allowing for such transfer.

Services to consider adding:

  • Data Transfers to countries that guarantee European standards
  • Data Transfer abroad based on standard contractual clauses
  • Data Transfer abroad based on consent
  • Other legal basis for Data transfer abroad

With our Register of Data Processing Activities, you can specify for each service provider which is the legal basis for data transfer abroad.

💡 Some examples of data transfer

  • Whenever you work with partners or add services based outside the EU/EEA (such as Google Analytics), you are transferring personal data outside of the EU. Services listed in our generator include an estimate of the service’s home base.

  • When adding a custom service (i.e. a service written by you), be sure to indicate what the legal basis is for such a transfer.

  • If you’re a controller based outside of the EU, you’re transferring personal data outside of the EU each time you collect data of users based within the EU. Please make sure you do so according to one of the legal bases for transfer.

📌 Legal bases for transfer

The GDPR provides for a set of valid legal bases to transfer data outside of the EU. The most relevant are:

Whenever the European Commission determines that a specific country guarantees data protection standards comparable to those applicable in the EU, it issues an adequacy decision. If you plan to transfer data into such a country, you may do so – you just need to tell your Users via your privacy policy.

Adequacy decisions have so far been adopted for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan.

Service to add in this case: “Data transfer to countries that guarantee European standards”.

If the country you plan to export data to does not seem to guarantee an adequate level of protection, you can make sure that the specific data importer (i.e. the company or individual you’re exporting data to) complies with stricter rules. To this end, you conclude a contract with the data importer that includes the standard contractual clauses drafted by the European Commission. In most cases, you’ll use the standard contractual clauses for Controllers based in the EU exporting data to Processors based elsewhere.

Here again: if you have such a contract in place, you may transfer personal data – but you have to mention this in your privacy policy.

Service to add in this case: “Data transfer abroad based on standard contractual clauses”.

If none of the above-mentioned options seems viable, you have to collect your Users’ consent to transfer their data outside of the EU. This is the most complicated scenario, because you have to make sure that their consent is – among other aspects – “informed”. Do you really know what is going to happen to User data once they are exported outside the EU? Can you tell what kind of security measures are provided by the local legislation or adopted at the data importer’s initiative to ensure protection of personal data?

If you’re able to provide such information, you may ask your Users to consent to the transfer of personal data, but if you’re not able to provide it, be careful: any consent collected would not be considered “informed” and therefore void.

Service to add in this case: “Data transfer abroad based on consent”.

Finally, a lesser-known fact is that the GDPR mentions a few other (though less relevant) options for transferring data outside of the EU. If you’re basing your transfer on any such option, you should choose the service “Other legal basis for Data transfer abroad” and specify or add any relevant details by adding a custom clause.

What about transfers from Switzerland?

If you’re transferring personal data from Switzerland to another country, you have to do so according to one of the legal bases recognized under Swiss legislation. Among these the most relevant are:

  • Adequacy decisions;
  • Standard data protection clauses subject to the prior approval of the FDPIC;
  • Consent.

More information about data protection rules on a federal level in Switzerland can be found here.

💡 Read our dedicated guide to know how the iubenda solution can help you to provide transparency about the transfer of personal data from Switzerland to another country.

What about transfers from the United Kingdom?

If you’re transferring personal data from the United Kingdom to another country, you have to do so according to one of the legal bases recognized under the UK GDPR.

A guide to transfers outside of the United Kingdom can be found here.

Our Privacy and Cookie Policy Generator offers additional clauses related to the transfer of data outside of the United Kingdom. These clauses, if selected, will be shown in your privacy policy inside both the simplified and the complete versions, under the section “Transfer of Personal Data outside of the United Kingdom”.

  • Data transfers according to a UK adequacy regulation;
  • Data transfer abroad based on standard contractual clauses (UK);
  • Data transfer abroad based on consent (UK);
  • Other legal basis for Data transfer abroad (UK);

These additional clauses can be of great help, but they contain broad and generic descriptions since we do not know exactly how you transfer data abroad. Therefore, we highly recommend that you check if they apply to your case and, if needed, describe your data transfer activities in more detail by adding custom clauses.

💡 With our Register of Data Processing Activities you can specify for each service provider which is the legal basis for data transfer abroad.

📌 Profiling

Profiling means any form of automated processing of personal data performed to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

If you profile your users, you have to tell them. Therefore, you must pick the relevant clause from the privacy policy generator.

Services to consider adding:

  • Analysis and predictions based on the User’s Data (“profiling”)

💡 Practical example

If you’re selling products and keep record of users’ choices for marketing purposes, dividing them into meaningful categories, such as by age, gender, geographical origin etc., you’re profiling them.

📌 Automated decision making

Automated decision making, or ADM, is a process allowing you to make decisions that may produce legal or similarly significant effects on users in a fully automated manner, without human intervention. Such ADM may also be based on profiling (see above).

If you’re implementing any ADM process, you have to tell your users. Therefore, you must pick the relevant clause in the privacy policy generator. Please note that users enjoy a specific right to object to ADM processes, specified in the section regarding automated decision-making of the privacy policy you will generate.

Services to consider adding:

  • Automated decision-making
  • Analysis and predictions based on the User’s Data (“profiling”)

💡 Practical example

You are a bank. In order to decide whether users are eligible to receive a loan, you have them fill in their personal data on a form. Thanks to an algorithm, such data is evaluated in a fully automated manner and the decision is made.

📌 Sourcing data from third parties

If you’re not collecting personal data directly from the user they refer to, but you’re sourcing them from a third party instead, you must inform the relevant user about such third party in addition to all other information duties. Please pick the relevant clause from the privacy policy generator.

This information must be given to the user no later than one month after having collected the data, and in particular

  • if the personal data are to be used for communication with the user, at the latest at the time of the first communication to that user; or
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Services to consider adding:

  • Personal Data collected through sources other than the User

💡 Practical example

You are a head hunter. You find an interesting profile on LinkedIn. As soon as you contact the relevant candidate or transfer his/her data to the potential employer, and in any case within one month, you have to give the candidate all mandatory information, including mentioning LinkedIn as source of his/her data.

📌 Representative in the EU

If you are a controller based outside of the EU, you need to appoint a natural or legal person based in one of the EU countries where your users are as your EU representative. The appointment must be done in writing and the appointed representative must be mentioned in your privacy policy.

Therefore, please insert the representative’s details (name and contact details of your representative) in the field where you have your own company information.

📌 Representative in Switzerland

If you are a controller based outside of Switzerland and are involved in high risk processing of Swiss users, you need to appoint a person based in Switzerland as a representative.

Please insert the representative’s details (name and address of your representative) in the field where you have your own company information.

📌 Representative in the United Kingdom

If you are a controller based outside of the United Kingdom you need to appoint any natural or legal person based in the United Kingdom as a representative. The appointment must be done in writing and the appointed representative must be mentioned in your privacy policy as indicated in this guidance note.

Therefore, please insert the representative’s details (name and contact details of your representative) in the field where you have your own company information.

📌 Data protection officer

Under certain conditions, you must appoint a natural or legal person as data protection officer (or DPO), and mention it in your privacy policy. This applies whether you are following the GDPR, UK GDPR or the FADP (however Swiss law refers to them as Data Protection Advisors).

In particular, you must appoint a DPO whenever:

  • you are a public authority or body; or
  • your core activities consist in operations that require regular and systematic monitoring of users on a large scale; or
  • your core activities consist of processing on a large scale of sensitive data or data relating to criminal convictions and offences.

If any of the above-mentioned conditions applies to you, please insert the DPO’s details (contact details of your data protection officer) in the field where you have your own company information.

Please note that the GDPR allows EU Member States to provide for further conditions under which the appointment of a DPO is mandatory. Therefore, please check if you are subject to any national provisions of an EU Member State in addition to the GDPR and if such provisions require you to appoint a DPO.

More information about the data protection officer and other single topics can be found at our GDPR guide.
