In the Policy, you’ll need to explain:
- What data is gathered
- Why it is gathered
- For how long it is stored
- On what legal grounds you are gathering it
In addition to this, you’ll essentially need to explain the whole GDPR: all data subject rights, who they can contact in case of problems, etc.
Note that you must take into account how any of the WordPress plugins on your website process personal data. You (as the controller) are ultimately responsible for what the plugins on your site are doing. More on that below.
Obligation to give information (GDPR Art. 13 & Art. 14)
Depending on whether data is collected from the data subject (art 13) or from another source (art 14), you have the obligation to provide the following information to the data subjects:
- Controller’s identity and contact details (e.g. name, address);
- Data Protection Officer’s contact (if you have one);
- Purpose of processing data;
- Legal basis for processing (e.g. consent, legitimate interest, law – see art 6(1));
- Recipients of personal data (who you are sharing the data with or who has access to it);
- How long data is stored;
- Information about data subject’s rights (right to rectification, erasure, access, portability; right to withdraw consent any time; right to submit a complaint to a supervisory authority including the contact information of that supervisory authority);
- If data is gathered for a contractual obligation or other statutory reason, information about that obligation, whether the data subject is obliged to provide the personal data, and what the consequences of failing to do so are;
- If any automated decision making or profiling is used, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- Information about personal data being transferred to third countries (outside the European Economic Area), the legal grounds for doing so and the safeguards in place.
Note that if you are using legitimate interest as the grounds for processing data, then that interest has to be explained briefly.
If you do not know the exact period for which personal data is stored, then the criteria that determine it also have to be explained briefly.
If you gather any personal data about a data subject from an external source, then you must provide the data subject with information about the source of the data.
What you should do now
Let’s go over each section, explain why it’s there and what you need to change (if anything).
Ideally, you should look up the legal definition of a “child” in your country (this varies between EU countries) and edit the age there if necessary. You probably don’t need to change anything else here.
If you don’t know what data your website and plugins gather, the safest solution is to ask a developer for help. (We can help!)
Processing partners are everyone who can access the data you have gathered, such as your web hosting provider or your web developer. Read the definition of a Processor here. This list should probably not remain empty.
Business partners are essentially any other companies you do business with and share personal data with. (If there aren’t any, you can remove this section.)
Connected third parties are everyone else who doesn’t fit the above categories. (If there aren’t any, you can remove this section.)
Review this section and describe additional security measures, if you have any.
If you do target children with your services, you should remove this section. In this case, make sure to read our knowledge base post on providing services to children under GDPR.
What you should do in May