Privacy Policy Guide - GDPR

Install skill "privacy-policy-malik-taiar" with this command: npx skills add lawvable/awesome-legal-skills/lawvable-awesome-legal-skills-privacy-policy-malik-taiar

Overview

The privacy policy is the main document for informing data subjects under Articles 13 and 14 of the GDPR. It must be clear, accessible, and comprehensive.

Policy Objectives

| Objective | GDPR Requirement |
|---|---|
| Transparency | Clearly inform about data processing (Art. 12) |
| Information | Provide all mandatory disclosures (Art. 13-14) |
| Rights | Enable exercise of data subject rights (Art. 15-22) |
| Trust | Reassure users about data protection |

Reference Resources

Templates

| Template | Description |
|---|---|
| assets/sample_template_politique_confidentialite.docx | Default template to use if no private template is provided |
| Internal template provided by lawyer | Use if the lawyer has a more suitable private template |

IMPORTANT: The default template sample_template_politique_confidentialite is designed for a brochure website without user accounts. If the request concerns an application or platform with users, additional data categories will need to be added, such as:

  • User account management (creation, authentication, profile)

  • Login data and activity history

  • Data generated by application usage

  • User-to-user communications (messages, comments, etc.)

  • User preferences and settings

Adapt the template according to the platform type (brochure site, e-commerce, SaaS, mobile app, marketplace, etc.).

CNIL Documentation

| Document | Content |
|---|---|
| CNIL_droits_personnes.pdf | Guide on data subject rights (access, rectification, erasure, etc.) |
| CNIL_durees_conservation.pdf | Retention period recommendations by data type |
| CNIL_finalites.pdf | How to properly define processing purposes |
| CNIL_transparence.pdf | Guide on information and transparency towards data subjects |
| CNIL_principes_rgpd.pdf | Fundamental GDPR principles |
| RGPD_texte_officiel.pdf | Full text of EU Regulation 2016/679 |

Knowledge Base

| Document | Content |
|---|---|
| BASES_LEGALES.md | The 6 legal bases for processing (Art. 6 GDPR) with examples and wording |
| DROITS_PERSONNES.md | The 8 data subject rights (Art. 15-22 GDPR) with exercise procedures |
| COOKIES.md | CNIL 2020 recommendations on cookies, categories, banners, sanctions |
| DUREES_CONSERVATION.md | Retention period tables by data type with legal justifications |

Information to Collect from Client

IMPORTANT: Before drafting the policy, collect ALL the information below from the client.

  1. Data Controller Information
  • Full company name

  • Legal form (SAS, SARL, Ltd, etc.)

  • Company registration number (SIREN/SIRET)

  • Registered office address

  • Legal representative (name and title)

  • General contact email

  • DPO appointed? If yes, contact details

  2. Nature of the Site/Application
  • Existing website URL (for analysis)

  • Platform type:

    • Brochure website
    • E-commerce
    • SaaS / Web application
    • Mobile application
    • Marketplace
    • Other: ___________

  • Business sector

  • Target audience (B2B, B2C, both)

  • Target countries (France only, EU, international)

  3. Data Collected

For each category, specify if applicable:

IDENTIFICATION DATA

  • First name, last name

  • Email

  • Phone

  • Postal address

  • Date of birth

  • Photo / Avatar

CONNECTION DATA

  • IP address

  • Connection logs

  • Device ID

  • Account identifiers

BROWSING DATA

  • Pages visited

  • Time spent

  • Clicks

  • Traffic source

TRANSACTION DATA

  • Order history

  • Payment data (via provider)

  • Invoices

SENSITIVE DATA (special attention)

  • Health data

  • Political/religious opinions

  • Ethnic origin

  • Biometric data

  4. Legal Bases for Processing

KEY QUESTION: For each processing activity, what is the legal basis?

| Legal Basis | When to Use | Example |
|---|---|---|
| Contract Performance (Art. 6.1.b) | Processing necessary to provide the service | Order delivery, account creation |
| Consent (Art. 6.1.a) | Free choice by the person, withdrawable at any time | Newsletter, marketing cookies, sharing with partners |
| Legitimate Interest (Art. 6.1.f) | Company interest, balanced against data subject rights | Anonymized statistics, security, B2B prospecting |
| Legal Obligation (Art. 6.1.c) | Required by law | Invoice retention 10 years, tax obligations |

TABLE TO COMPLETE WITH CLIENT:

| Processing Purpose | Legal Basis | Data Concerned |
|---|---|---|
| Order management | | |
| Account creation | | |
| Newsletter | | |
| Statistics | | |
| Customer service | | |
| Commercial prospecting | | |

  5. Recipients and Processors

TECHNICAL PROCESSORS

  • Host: ___________

  • Email provider: ___________

  • Payment provider: ___________

  • Analytics: ___________

  • CRM: ___________

  • Support/Ticketing: ___________

TRANSFERS OUTSIDE EU

  • Yes / No

  • If yes, to which countries? ___________

  • Safeguards in place:

    • Standard contractual clauses
    • Adequacy decision
    • Other: ___________

  6. Cookies and Trackers

COOKIES USED

  • Strictly necessary cookies (session, cart, authentication)

  • Analytics cookies (Google Analytics, Matomo, etc.)

  • Advertising cookies (Facebook Pixel, Google Ads, etc.)

  • Social media cookies (share buttons)

  • Other: ___________

CONSENT MANAGEMENT PLATFORM

  • None

  • Axeptio

  • Didomi

  • Cookiebot

  • Other: ___________

  7. Retention Periods

| Data Type | Proposed Duration | Justification |
|---|---|---|
| Active customer account | Duration of relationship | |
| Inactive customer account | 3 years after last activity | Prospecting |
| Prospects | 3 years without interaction | CNIL recommendation |
| Invoices | 10 years | Legal obligation |
| Connection logs | 1 year | LCEN |
| Cookies | 13 months max | CNIL recommendation |

Drafting Workflow

Step 1: Template Selection (MANDATORY)

NEVER DRAFT A POLICY FROM SCRATCH. Always start from a given template for drafting, either:

  • the default template in assets/sample_template_politique_confidentialite.docx;

  • another internal template provided by the user.

This template is your base reference. You must:

  • Faithfully reproduce the template's structure and wording

  • Keep the exact template phrasing (they are validated)

  • Only replace placeholders with client information

  • Do NOT rewrite sentences even if you think you can phrase them better

  • Do NOT add sections that are not in the template

The collected information (T&Cs, site, etc.) is used to fill in the template, not to rewrite it.

  1. FIRST ACTION: Confirm the template to use BEFORE any drafting. Ask the user:

"I will draft the privacy policy starting from the provided default template. Do you have an internal template that would be more suitable as a starting point?"

| Option | Action |
|---|---|
| Default template | Use assets/sample_template_politique_confidentialite.docx |
| Internal template | Use the document provided by the lawyer |

  2. Consider the user's choice and select the starting template.

Step 2: Understand the Client's Business

MAIN OBJECTIVE: Truly understand what the client does, their business, the user journey on their platform.

  1. Ask the lawyer for available information:

"To draft a perfectly tailored policy, please provide:

  • Information you have about the client and their business
  • Existing documents (T&Cs, sales conditions, order forms, contracts...)
  • Exchanges or key points raised by the client
  • The site/application URL (if accessible)
  • Points that must absolutely be included according to you

You may anonymize this information if necessary for confidentiality reasons.

The more information you provide, the better adapted the policy will be to the actual case. Otherwise, we will conduct our own research but it will be limited to publicly accessible information."

  2. Analyze the documents provided:

| Document | What we extract |
|---|---|
| T&Cs / Sales Conditions | Platform operation, services offered, obligations |
| Order forms | Data collected, services, potential processors |
| Client exchanges | Key points, specific concerns, business particularities |

  3. Additional research on the site (if accessible):

Note: Some sites only display a "Request a quote" form without access to the platform. In that case, rely primarily on the documents provided.

The objective is to understand the business AND identify technical elements:

  • Understand what the company actually does

  • Read the existing privacy policy (if present)

  • Read the existing T&Cs/Legal notices

  • Identify the typical user journey (if visible)

  • Identify data collection forms (registration, contact, order...)

  • Spot cookies/trackers via the banner

  • List features (account, newsletter, chat, payment...)

  4. Summary before drafting:

CLIENT: [Name]
BUSINESS: [Description in 2-3 sentences]
PLATFORM TYPE: [SaaS, e-commerce, mobile app, etc.]
USER JOURNEY: [Key steps]
DATA COLLECTED: [List by collection point]
COOKIES IDENTIFIED: [Types of cookies spotted]
FORMS: [List of collection points]
KEY LAWYER POINTS: [What must absolutely be included]
SPECIFICITIES: [What makes this case particular]

Once the summary is ready → Proceed to Draft 1

Step 3: Draft 1

ABSOLUTE RULE: The template is your validated base.

  • START from the template: structure, wording, tone → this is your reference

  • ADAPT to the client case: integrate the specific information collected

  • DO NOT rewrite everything: keep the template wording, only adapt what needs to be

In summary: Template + client information = Draft 1. Not a complete rewrite.

Complete the template section by section with the collected information:

  • Identity of the data controller

  • Data collected (by category)

  • Purposes and legal bases (table)

  • Recipients and processors

  • International transfers

  • Retention periods (table)

  • Data subject rights

  • How to exercise rights

  • Cookies and trackers

  • Data security

  • Policy changes

  • Contact

Immediate compliance check: Before presenting Draft 1, verify the mandatory disclosures checklist (Art. 13 GDPR):

  • Controller identity and contact details

  • DPO contact details (if appointed)

  • Processing purposes

  • Legal basis for each purpose

  • Legitimate interests pursued (if applicable)

  • Recipients or categories of recipients

  • Transfers outside EU and safeguards

  • Retention period or criteria for determination

  • Data subject rights (access, rectification, erasure, restriction, portability, objection)

  • Right to withdraw consent (if applicable)

  • Right to lodge a complaint with the CNIL

  • Whether data provision is mandatory/optional

  • Existence of automated decision-making (if applicable)

If Draft 1 is compliant → Proceed to Step 4.

Step 4: Deliver Draft 1 + Benchmark + Improvement Suggestions

  1. Deliver Draft 1 with explanation:

Here is Draft 1 of the privacy policy.

What I took into account:

  • [Summary of key elements integrated]
  • [Client specificities considered]
  • [Particular points mentioned by the lawyer]

Compliance: The document meets Art. 13 GDPR requirements.

  2. Present the benchmark (systematic):

Research 3-5 privacy policies from companies in the same sector, then present:

Benchmark conducted:

I analyzed the privacy policies of:

  • [Company 1] - [what we noted]
  • [Company 2] - [what we noted]
  • [Company 3] - [what we noted]

Identified possible improvements:

Would you like to incorporate these elements into the provided Draft?

  3. If the lawyer approves improvements → Produce Draft 2.

Step 5: Final Verification

Final review before definitive delivery:

  • All Art. 13 GDPR disclosures present

  • Client information correctly integrated

  • Clear and accessible language

  • No internal references (template, sources) in final document

  • Update date present

Standard Policy Structure

PRIVACY POLICY
[Company Name]
Last updated: [DATE]

TABLE OF CONTENTS (if long document)

  1. WHO ARE WE?

    • Controller identity
    • DPO contact details
  2. WHAT DATA DO WE COLLECT?

    • Identification data
    • Browsing data
    • Transaction data
    • Etc.
  3. WHY DO WE COLLECT YOUR DATA?

    • Purposes / legal bases table
  4. WITH WHOM DO WE SHARE YOUR DATA?

    • Internal services
    • Processors
    • Partners (if consent)
    • Authorities (legal obligations)
  5. IS YOUR DATA TRANSFERRED OUTSIDE THE EU?

    • Countries concerned
    • Safeguards
  6. HOW LONG DO WE KEEP YOUR DATA?

    • Retention periods table by data type
  7. WHAT ARE YOUR RIGHTS?

    • List of rights with simple explanation
    • How to exercise them
  8. COOKIES AND TRACKERS

    • Types of cookies used
    • Preference management
  9. SECURITY

    • Measures in place (without sensitive technical details)
  10. CHANGES TO THIS POLICY

    • Notification procedure
  11. CONTACT US

    • Email
    • Postal address
    • Link to form

Drafting Best Practices

Writing Style

| Do | Avoid |
|---|---|
| Use "you" / "your data" | Use "the user" / "the data subject" |
| Short and simple sentences | Excessive legal jargon |
| Concrete examples | Vague wording ("various data") |
| Tables for clarity | Dense paragraphs |
| Clear and explicit headings | Multiple cross-references without explanation |

Accessibility

  • Clear language: understandable by a non-lawyer user

  • Visible structure: table of contents, numbered headings

  • Layered information: summary + details if needed

  • Update date: visible at top of document

Common Mistakes to Avoid

| Mistake | Consequence | Solution |
|---|---|---|
| Copy-paste from generic template | Non-compliance, inconsistency | Adapt to each case |
| Incorrect legal bases | Unlawful processing | Analyze each purpose |
| Missing retention periods | Non-compliance Art. 13 | Systematic table |
| Forgetting transfers outside EU | Potential fine | Check processors |
| Rights mentioned without procedures | Rights unexercisable | Dedicated email address |
| Cookie wall | Prohibited by CNIL | Refusing as easy as accepting |

CNIL Reference Sanctions

| Company | Amount | Main Reason |
|---|---|---|
| Google | €150M | Cookies: refusing more difficult than accepting |
| Facebook | €60M | Cookies: no "reject all" button |
| Carrefour | €3M | Insufficient information, excessive retention |
| Amazon | €35M | Cookies placed without consent |

These sanctions illustrate the importance of a compliant policy and rigorous cookie management.

Frequently Asked Questions

  1. Must the policy be in French?

Yes, if the site targets French users. It can be bilingual if the site is international.

  2. Is a separate policy needed for the mobile app?

Not necessarily, but the policy must cover app-specific aspects (permissions, data collected by the device).

  3. How to handle updates?
  • Date each version

  • Inform users of substantial changes

  • Keep previous versions

  4. Is a DPO mandatory?

Not systematically. Mandatory if:

  • Public authority

  • Large-scale processing of sensitive data

  • Regular and systematic large-scale monitoring

Using This Guide

  • Step 1 - Choose the template: Default, or lawyer's internal template

  • Step 2 - Understand the business: Collect lawyer docs + site research

  • Step 3 - Produce Draft 1: Complete template + compliance check

  • Step 4 - Deliver + Benchmark: Present Draft 1 + systematic benchmark + improvement suggestions

  • Step 5 - Finalize: Integrate approved improvements + final verification

TEMPLATE REMINDER: Never draft from scratch. Always start from the template and adapt it.

SOURCES REMINDER: The CNIL and GDPR references in this guide are for the drafter. They should not appear in the final document, except for mandatory legal disclosures (right to lodge a complaint with CNIL, etc.).
