GDPR Framework Logo

Setting up the Privacy Policy

Chapter 5

One of the core requirements of GDPR is that you must provide data subjects detailed information about their rights related to their data as well as how exactly their personal data is used. You might be tempted to skip or hurry through this part – who reads the legal mumbo-jumbo anyway? Don’t do that. In the context of GDPR, the Privacy Policy is now a Very Important Thing.

In the Policy, you’ll need to explain:

  • What data is gathered
  • Why is it gathered
  • For how long is it stored
  • On what legal grounds are you gathering the data

In addition to this, you’ll basically need to explain the whole GDPR – all data subjects rights, who they can contact in case of problems, etc.

The GDPR Framework provides a privacy policy template that covers a wide array of potential uses of data and automatically displays some additional required information, for example the contact information of your country’s Data Protection Authority. You will definitely need to modify the template to suit your website. (You are also free to use a different Privacy Policy.)

Note that you must take into account how any of the WordPress plugins on your website process personal data. You (as the controller) are ultimately responsible for what the plugins on your site are doing. More on that below.


Obligation to give information (GDPR Art. 13 & Art. 14)

Depending on whether data is collected from the data subject (art 13) or from another source (art 14), you have the obligation to provide the following information to the data subjects:

  1. Controller’s contact (e.g. identity; name, address);
  2. Data Protection Officer’s contact (if you have one);
  3. Purpose of processing data;
  4. Legal basis for processing (e.g. consent, legitimate interest, law – see art 6(1));
  5. Recipients of personal data (who you are sharing the data with or who has access to it);
  6. How long data is stored;
  7. Information about data subject’s rights (right to rectification, erasure, access, portability; right to withdraw consent any time; right to submit a complaint to a supervisory authority including the contact information of that supervisory authority);
  8. If data is gathered for contractual obligation or other statutory reason, then information about the obligation and whether the data subject is obliged to give personal data and what are the consequences of failing to do so;
  9. If any automated decision making or profiling is used, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  10.  Information about personal data being transferred to third countries (outside the European Economic Area), the legal grounds for doing that and safety measures taken.

Note that if you are using legitimate interest as the grounds for processing data, then this has to be explained briefly.

If you do not know the exact period of storing personal data, then the criteria affecting it also have to be explained briefly.

If you gather any personal data about a data subject from an external source, then you must provide the data subject information regarding the source of the data.

What you should do now

The GDPR Framework provides a Privacy Policy template for you as a starting point. It covers (almost) everything needed for a vanilla WordPress site. But because every site is different, you need to review it and add or remove content specific to your website and business.

Right now, you can configure and set up most of the Privacy Policy. If you know which data your plugins gather and why, then also add that information.

Both the Setup Wizard and Dashboard > Tools > Privacy > Privacy Policy pages allow you to fill in some fields and generate a Privacy Policy template. The generated template contains multiple places marked with [TODO] – edit these as you see fit.

Let’s go over each section, explain why it’s there and what you need to change (if anything).

Ideally, you should look up the legal definition of a “child” in your country (this varies between EU countries) and edit the age there if necessary. You probably don’t need to change anything else here.

If you don’t know what data your website and plugins gather, the safest solution is to ask help from a developer. (We can help!)

Processing partners are everyone who can access the data you have gathered, such as your web hosting provide or your web developer. Read the definition of a Processor here. This list should probably not remain empty.

Business partners are basically any other companies you do business with and share personal data. (If there aren’t any, you can remove this section.)

Connected third parties are everyone else who don’t fit the above categories. (If there aren’t any, you can remove this section.)

Review this section and describe additional security measures, if you have any.

If you do target children with your services, you should remove this section. In this case, make sure to read our knowledge base post on providing services to children under GDPR.

The template contains a notice about using Google Analytics. If you’re using other tools provided by Google such as the advertising tools, review this article for more information on what you should add to your Privacy Policy.

What you should do in May

Check back here and be prepared to add additional information to your Privacy Policy.

We’re hoping that by that time, WordPress will start asking plugin developers to include information regarding which data their plugin gathers, how it’s used and anything else that should be mentioned in the Privacy Policy.