Background information
Caution: As Base4NFDI does not give any binding legal advice, it is recommended to have the privacy policy checked by the institution’s responsible data protection officer.
Privacy policies must be provided by every website according to the law (Art. 12 GDPR/DSGVO). The policy must be accessible from every (sub)page of the website. We recommend linking it in the website footer.
A privacy policy is an informative document written for the users of a website (‘data subjects’). It informs about all personal data processing that occurs during the regular use of that website and beyond. Personal data is information that can be directly or indirectly used to identify a specific person, such as name, address, e-mail address, ID numbers, photos, location, or IP address (Art. 4(1) GDPR/DSGVO). There are specific regulations for so-called “special categories of personal data” such as data about religion, political opinions, health, genetics, or race (Art. 9 GDPR/DSGVO).
A clear, easy-to-read, and accessible privacy policy not only ensures compliance but also fosters trust between the website and the users. Clearly state what ‘personal data’ includes in the privacy policy to help users understand what type of personal data is processed.
Privacy policies need to be up-to-date, and regularly reviewing privacy policies ensures compliance and protects against potential penalties. Any changes in data processing on a website require adjustments. This may be the case if, e.g.
Make sure that the privacy policy only reflects the specific jurisdiction(s) applicable to the website. Relevant law includes the General Data Protection Regulation (GDPR/DSGVO), the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG-neu), the applicable State Data Protection Laws (Landesdatenschutzgesetz - LDSG) as well as the Telecommunications and Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutzgesetz - TTDSG) and the Digital Services Act (Digitale-Dienste-Gesetz - DDG).
Privacy policy generators usually only cover standard cases and default settings of third-party services, which need to be adjusted to the specific data processing. Also, using their content often requires a mandatory note with a link to the generator in the privacy policy. It is always good practice to have the generated policy reviewed by a privacy specialist.
Art. 13 and 14 GDPR/DSGVO determine what information a privacy policy needs to provide.
Consequently, a privacy policy roughly consists of two parts:
The privacy policy template comes with an adjustable structure and content as well as examples for paragraphs on external data processing. Please skip third-party processing content and examples if no third-party data processing is involved.
| General information, mandatory | External data processing by third parties, mandatory only if applicable |
|---|---|
| General information on data protection and the related use of the website | Cookies |
| Legal basis and purpose(s) of data processing by the data controller (website operator) & third parties (see Art. 6 GDPR/DSGVO) | Server log files |
| Rights of and contact options for data subjects (e.g. contact details of responsible data controller and data protection officer) | CMS (e.g. WordPress) / static site generator |
| Information that privacy policy is subject to change | Fonts (e.g. Google Fonts) |
| Explanation of terms if necessary (see Art. 4 GDPR/DSGVO) | Contact options (e.g. via mail, contact form) |
| | Interactive elements (e.g. comment fields) |
| | Newsletter (incl. CAPTCHA, tracking) |
| | Tracking & Analytics Tools (e.g. Matomo, Google Analytics, Google Adwords) |
| | Maps (e.g. OpenStreetMap, Google Maps) |
| | Plugins and other website extensions (e.g. social media, Open Project) |
| | APIs |
| | Account creation & login |
Likewise, paragraphs on external data processing must satisfy the information requirements stated in Art. 13/14 GDPR/DSGVO if that information is not given elsewhere in the privacy policy. This typically includes, but is not limited to, the following information:
The Data Protection Authorities recommend using non-technical, user-friendly language and formatting so that users better understand their rights and the website’s privacy practices.
If personal data is collected and processed (e.g. if the website offers users a way to actively enter personal data), the following data processing principles should be kept in mind:
Additionally, keep the following regulations in mind:
For further guidance on the language of the privacy policy and interpretation of GDPR please refer to the guidelines below by the European Data Protection Board (EDPB):
The Privacy Policy Template will be sent to the basic service teams separately.