GDPR Bite! Privacy Policy

Let’s talk about Privacy Policy – how this document may reveal shortcomings in legal compliance. This document is also commonly known as a Privacy Notice, Data Protection Terms, or Principles of Personal Data Processing.

If a company processes personal data, every individual has the right to know how and for what purpose the service provider, online store, or other organization collects and stores their data.

Similarly, if a company is recruiting new employees, it must make this information available to candidates before they submit their CVs. Such information must be included in the company’s privacy policy, and the document must be easily accessible, most commonly via the company’s website. It’s also important to remember that employees have the same rights – the privacy policy should be made available to them before signing the employment contract.

Control question! If you were a customer of your own company – would you understand how your data is actually processed?

Some signs in a privacy policy that your company might not be meeting data protection requirements:

• The document is missing or not accessible to individuals.
• The information is difficult to read, scattered, or incomplete. Something is there, but not everything – for instance, lists ending with “etc.” or “for example.”
• Personal data is stored indefinitely or “until the individual requests deletion.” Unlimited retention is prohibited!

Do a quick self-audit and check your transparency:

• The document itself is missing or unpublished on the website (is it available elsewhere?)
• The document contains deficiencies, meaning it lacks information required by law:
  • Missing contact details of the data controller. For example, large corporations may list only a brand name instead of a legal entity, making it unclear who and in which country is actually processing the data.
  • Incomplete legal bases. Every business activity involving personal data must rely on a specific and lawful basis.
    Example: Using surveillance cameras with audio recording is generally prohibited – there’s no valid legal basis, and such processing would be hard to justify.
  • Not all categories of personal data are listed. Lists are open-ended and include phrases like “e.g.” or “etc.”
    Example: “We process personal data such as name, personal ID code, etc.”
  • Sources of data are missing – where the personal data comes from: the data subject, a system, a partner, or a public source.
    If the source is the data subject, the policy should also state the basis for providing the data (e.g., voluntarily) and the consequence of not providing it (e.g., “if you don’t provide your data, we can’t deliver the service”).
  • Profiling and/or automated decision-making. Common in recruitment or credit decisions. Even if such activities aren’t carried out, the law requires this fact to be stated explicitly.
  • Partners and data transfers, including transfers to third countries.
  • Missing or indefinite retention periods. Phrases like “as long as necessary” or “until the purpose is fulfilled” are not compliant – indefinite retention is prohibited by law.
    Example: “We store user data indefinitely or until the customer requests deletion.”
• The document is difficult to read overall – it’s impossible to clearly link activities, purposes, legal bases, categories of personal data, and retention periods.
• Missing or outdated last-updated date – this is a red flag indicating whether data protection is being managed consistently and substantively within the company.