Every website needs a privacy policy

How do you create the perfect privacy policy for a website?

A guest contribution by lawyer Martin Steiger, Steiger Legal AG

Almost every website has a privacy policy. Most cookie banners link to one, and typically the privacy policy is also linked in the footer of the website.

Why does a website need a privacy policy?

The principle of transparency always applies in data protection law: the collection of personal data and the purpose or purposes for which it is processed must be recognizable to the data subjects, as the current Swiss Data Protection Act (DSG) puts it (Art. 4 para. 4 DSG).

Personal data is all information relating to an identified or identifiable person (Art. 3 lit. a DSG). Data subjects are the persons whose personal data is collected and processed (Art. 3 lit. b DSG). Processing covers any handling of personal data (Art. 3 lit. e DSG).

The General Data Protection Regulation (GDPR) of the European Union (EU) and the revised Swiss Data Protection Act (DSG), which will come into force in 2020 at the earliest, contain explicit information obligations. The GDPR is already in force and applies not only in the EU, but in the entire European Economic Area (EEA) including the Principality of Liechtenstein.

Operating a website without processing personal data is hardly conceivable. Even IP addresses recorded in server log files can already constitute personal data. The common means of informing website visitors about the collection and processing of their personal data is to publish a data protection declaration.

The first rule of thumb is:

Every website needs a privacy policy.

A data protection declaration is, as the name suggests, a declaration: its purpose is to inform. It is therefore not a contract that requires consent. It is a typical mistake to have visitors confirm their consent to a data protection declaration, possibly even expressly with a checkbox.

What information must a privacy policy contain?

On the one hand, the data subjects must be informed which personal data is being obtained, how, for what and where the personal data is being processed and where the personal data is being transmitted. This includes, for example, information about the use of cookies, server log files and tracking pixels, but also about the use of contact forms, newsletters and services from Google and other third parties that are common on websites.

On the other hand, the data subjects must be informed of the rights that data protection law gives them. These include, for example, the right to information and the right to object. The GDPR also requires that the legal basis for data processing be stated.

The GDPR states the following minimum content for a data protection declaration:

  • Name and contact details of the person responsible, i.e. the website operator
  • Contact details of any company or external data protection officer
  • Contact details of any EU data protection representative
  • Purposes for which personal data are processed
  • Duration for which the personal data is stored, or at least the criteria for determining the duration
  • Legal basis for data processing, for example the predominant legitimate interests of the website operator in accordance with Art. 6 Para. 1 lit. f GDPR
  • Recipients of the personal data obtained
  • Intended transfer of personal data to a third country and to what extent adequate data protection is guaranteed there
  • Information about any automated decision-making including profiling
  • Clarification of the extent to which the provision of personal data is absolutely necessary, for example for legal reasons or for the fulfillment of certain contracts
  • Right to information, right to correction or deletion and right to data portability
  • Right to restriction of data processing and right to object to data processing
  • Right of withdrawal after consent has been given
  • Right to complain to a data protection supervisory authority

According to the GDPR, this comprehensive information must be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language." The revised DSG does not go as far, but it is advisable to use the GDPR as the "gold standard" for data protection declarations anyway.

There are different opinions on how exactly the requirements of the GDPR should be implemented. For example, the more detailed a data protection declaration is, the more likely it is not to be read. The creation of a data protection declaration is not only a question of law, but also a question of style.

Nevertheless, a data protection declaration should cover all points of the prescribed minimum content. Otherwise, website operators risk unwanted contact with data subjects, data protection supervisory authorities and consumer protection organizations. Formal warnings (Abmahnungen) under data protection law are possible, but so far they occur much less often than in copyright law.

In any case, it is important that a data protection declaration is always up-to-date, correct and complete. In order not to let the content get out of hand, further information can be linked. It is not mandatory to only publish a general data protection declaration. It would be conceivable, for example, to publish an additional data protection declaration for sending newsletters.

The second rule of thumb is:

The data protection declaration of a website must provide up-to-date, correct and complete information about the acquisition and processing of personal data and the rights of the data subjects.

Since a data protection declaration must always be up-to-date, it makes no sense to provide it with a date. A date means that a data protection declaration is immediately recognizable as out of date. There are many data protection declarations with the date of May 25, 2018, because on this date the GDPR became applicable. I consider the probability that such a data protection declaration is still up-to-date and correct today to be low.

What are typical contents of a website privacy policy?

Every website is different and so is the privacy policy. However, there is some typical content that must be listed in almost every website privacy policy.

The person responsible for data processing - usually the website operator - must be named in the website's data protection declaration. Usually the information is the same as in the imprint, i.e. at least the company or name, address and an e-mail address must be given.

In addition, a possible EU data protection representative in accordance with Art. 27 GDPR and a possible data protection officer must be named. A data protection officer is usually not required for companies with fewer than 10 employees. On the other hand, many Swiss websites require an EU data protection representative, especially because their offer is also aimed at people in Germany, the Principality of Liechtenstein or elsewhere in the European Economic Area (EEA). Offers that are free of charge also fall under this so-called market location principle.

Whether an EU data protection representative has to be appointed for an individual website can be determined using the data protection partner's online questionnaire. (Data protection partner is an offer in which I am involved with my law firm.)

On almost all websites, personal data is processed by means of cookies, server log files and tracking pixels. Visitors must be informed about this.

Information must also be provided about the available contact options, for example contact forms, and about the processing of personal data for newsletters. In the case of a newsletter, note that as a rule the consent of the recipients must be obtained both for sending the e-mails and for measuring success and reach. In the case of contact forms, on the other hand, consent is usually not required.

Visitors must also be informed about third-party services integrated into the website. These include services for analytics and tracking such as Google Analytics or Hotjar, content and plugins from social media platforms such as Facebook or Instagram, newsletter services such as CleverReach or MailChimp, and services for maps, fonts or videos such as Google Maps, Adobe Fonts, Vimeo and YouTube.

In the case of services provided by third parties abroad, as well as the transfer of personal data to a third country, information must be provided to what extent adequate data protection is guaranteed there. From a Swiss point of view, almost all the services that are integrated into websites come from providers abroad.

This point is easy with a view to the EEA and Switzerland, which form a common data space, because data protection law is mutually recognized as appropriate. In the USA, on the other hand, adequate data protection is guaranteed - if at all - in particular if the respective provider has voluntarily submitted to the Privacy Shield or if contractual safeguards exist.

For some services from third parties, the website operator is jointly responsible with the third party, for example for social plugins from Facebook. Such joint responsibility presumably applies to all services in which personal data is not processed exclusively on behalf of the website operator, i.e. in particular to almost all free services from third parties.

Where in the world adequate data protection exists can be looked up with the Federal Data Protection and Information Commissioner (FDPIC) and the European Commission (EU Commission). The Privacy Shield List contains all American providers for which adequate data protection is, in principle, guaranteed. From a Swiss point of view, note that some American providers have submitted to the Privacy Shield only in relation to the EU, so that from a Swiss perspective no adequate data protection is guaranteed.

How do you find out which services are being used by third parties?

A frequent problem is that website operators do not even know what personal data is being obtained on their website, why and for what purpose the personal data is being processed and where the personal data is being transmitted.

Anyone who develops and maintains their own website should actually have the relevant information. However, many website operators thoughtlessly incorporate countless third-party services. In some cases, plugins, which are particularly popular in the WordPress environment, also contain third-party services without declaring them.

Even web agencies often do not provide their customers with the information they need, for example for the precise configuration of Google Analytics. One cannot expect (competent) legal advice from web agencies, but they should always document the processing of personal data on a website for the attention of their customers. They should also ensure that a data protection declaration and, if applicable, a cookie banner are published and linked.

Ultimately, however, each website operator is responsible for ensuring data protection on the respective website. In case of doubt, this includes a current, correct and complete data protection declaration.

Some information about the third-party services used can be found simply by browsing the website. For example, banners from Google AdSense, maps from Google Maps or videos from YouTube are easily visible. Advanced website operators use the browser console or content blockers such as uBlock Origin to get more information. Content blockers show which third-party services are involved.

There are also useful online services that try to determine the processing of personal data, especially with cookies and third-party services. Webbkoll and PrivacyScore are particularly recommended.
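As an added example that is not part of the original article, the following script turns the browser-console approach into an inventory: it lists the third-party hosts a page loads resources from, so that the result can be compared against the services named in the privacy policy. In a browser it takes the list from `performance.getEntriesByType('resource')`; here a constructed list of resource URLs stands in for that, and the hostname patterns mapping hosts to service names are my assumptions, not an authoritative list.

```javascript
// Added example, not from the original article: inventory the third-party hosts a page loads
// resources from, i.e. the services its privacy policy must name. In a browser console, run
//   thirdPartyInventory(location.href, performance.getEntriesByType('resource').map(e => e.name))

// Hostname patterns for services the article mentions. Assumption: illustrative, not exhaustive.
const KNOWN_SERVICES = [
  [/(^|\.)google-analytics\.com$/, 'Google Analytics'],
  [/(^|\.)hotjar\.com$/, 'Hotjar'],
  [/(^|\.)facebook\.(com|net)$/, 'Facebook'],
  [/(^|\.)(mailchimp|list-manage)\.com$/, 'MailChimp'],
  [/(^|\.)(googleapis|gstatic)\.com$/, 'Google (Maps / Fonts / APIs)'],
  [/(^|\.)vimeo(cdn)?\.com$/, 'Vimeo'],
  [/(^|\.)(youtube|youtube-nocookie|ytimg)\.com$/, 'YouTube'],
];

// Registrable domain approximated as the last two labels. Assumption: fine for .ch/.com/.net;
// multi-level suffixes such as .co.uk would need the Public Suffix List.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Returns [{ host, service, count }] for every third-party host, sorted by hostname.
function thirdPartyInventory(pageUrl, resourceUrls) {
  const firstPartySite = siteOf(new URL(pageUrl).hostname);
  const inventory = new Map();
  for (const raw of resourceUrls) {
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; } // skip malformed entries
    if (!/^https?:$/.test(url.protocol)) continue;           // data:/blob: make no network request
    const host = url.hostname;
    if (siteOf(host) === firstPartySite) continue;           // own site incl. own subdomains
    const entry = inventory.get(host) || { service: 'unidentified third party', count: 0 };
    entry.count += 1;
    const known = KNOWN_SERVICES.find(([pattern]) => pattern.test(host));
    if (known) entry.service = known[1];
    inventory.set(host, entry);
  }
  return [...inventory].map(([host, e]) => ({ host, ...e }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Distinct service names: the list the policy's third-party section has to cover.
function servicesToDisclose(inventory) {
  return [...new Set(inventory.map(e => e.service))].sort();
}

// Constructed sample standing in for the resource timing list of a Swiss site.
const SAMPLE_PAGE = 'https://www.example.ch/kontakt';
const SAMPLE_RESOURCES = [
  '/assets/style.css',                                     // relative: first party
  'https://cdn.example.ch/img/logo.png',                   // own subdomain: first party
  'https://www.google-analytics.com/analytics.js',
  'https://www.google-analytics.com/collect?v=1&tid=UA-PLACEHOLDER',
  'https://script.hotjar.com/modules.js',
  'https://connect.facebook.net/de_DE/sdk.js',
  'https://fonts.googleapis.com/css?family=Roboto',
  'https://www.youtube.com/embed/VIDEO_ID',
  'data:image/png;base64,iVBORw0KGgo=',                    // inline: no third party
];
console.table(thirdPartyInventory(SAMPLE_PAGE, SAMPLE_RESOURCES));
```

Requests made inside an iframe (for example by a YouTube embed) are not visible to the embedding page's resource timing, so embedded players still have to be checked separately.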

The third rule of thumb is:

Website operators need to know what personal data is obtained on their website and how, for what and where such personal data is processed.

Many providers of third-party services, including Facebook and Google, expressly require that the data subjects be informed. Example: Section 7 of the Google Analytics Terms of Use.

What's the easiest way to create a website privacy policy?

The knowledge of what personal data is obtained on a website and how, for what and where such personal data is processed must be collected and published by website operators in the form of a data protection declaration. This knowledge is therefore the be-all and end-all for any successful data protection declaration.

If you don't know how to create a data protection declaration yourself and don't want to hire a specialist, you should use an up-to-date template. There are two recommended versions of such templates:

On the one hand, there are templates published online, in particular from data protection supervisory authorities or from specialists and companies who work in data protection. Current samples are available, for example, from the Data Protection Office for the Principality of Liechtenstein and the State Commissioner for Data Protection and Information Security.

The data protection declarations that authorities and specialists publish for their own websites are, at best, exemplary. However, data protection declarations from other websites should only serve as inspiration if the respective website operator can assess whether the content is legally compliant and suitable for their own website. Many incorrect or at least nonsensical formulations spread rapidly on the Internet because data protection declarations are copied and used without the required knowledge.

On the other hand, there are so-called data protection generators that can be used to create data protection declarations online. With most data protection generators you have to select or answer which personal data is obtained for the respective website and how, for what and where it is processed. Most data protection generators can be used completely or partially free of charge because they serve as advertising for other - paid - offers. Some data protection generators are chargeable, but are kept up-to-date, supplemented and improved.

Many data protection generators that were launched on May 25, 2018, when the GDPR became applicable, are visibly no longer maintained. An alarm signal is, for example, when the discontinued Google+ can still be selected, or when providers that no longer exist, such as Google Inc. or even YouTube LLC, are named.

From a Swiss point of view, the problem with German data protection generators is that the differing legal situation in Switzerland is not sufficiently taken into account. German data protection generators normally assume that the GDPR and possibly the German Federal Data Protection Act (BDSG) are fully applicable. Anyone who publishes a corresponding data protection declaration risks voluntarily subjecting their own website fully to the GDPR without being obliged to do so. As a result, data subjects have significantly more rights than under Swiss data protection law. Some German data protection generators promise to work for Switzerland too, but the results mostly contain errors.

Data protection generators that are not kept up-to-date or do not suit Switzerland were the reason for me to participate with my law firm in the data protection generator of Datenschutzpartner. This data protection generator is expressly aimed at website operators in Switzerland (and only in Switzerland) and takes into account the data protection law actually applicable to the respective website. Once created, data protection declarations can be changed, supplemented or generated anew.

The fourth rule of thumb is:

Anyone who creates a data protection declaration must know what they are doing - whether with a data protection generator, through inspiration from other websites or with templates from authorities and experts.

A created data protection declaration should be published on a separate page, not together with the imprint or even within general terms and conditions (GTC). The data protection declaration should be linked on every single page of the website concerned, usually labelled “Data protection” or “Privacy policy” in the footer. All languages in which the website is available should be supported.

Introductory texts in the style of “The protection of your data is important to us” or “According to Article 13 of the Federal Constitution” should be avoided. Such texts have no legal significance and do not appear credible to most website visitors.

What are common mistakes in privacy statements?

If you don't know what you are doing, you inevitably make mistakes when creating data protection declarations. Beyond the case that there is no data protection declaration at all, the following errors in particular can often be observed:

  • Swiss websites voluntarily and fully subject themselves to the GDPR and other foreign law, but do not comply with the corresponding obligations
  • The content of the data protection declaration is visibly out of date, possibly due to a date
  • The web link to the data protection declaration cannot be found, for example because the web link is hidden in a menu
  • The web link to the data protection declaration is hidden, for example by a banner or a responsive layout element
  • The content of the data protection declaration is incomplete, and integrated third-party services are often affected
  • The content of the data protection declaration is incorrect, for example it is claimed that IP addresses are anonymized, which is not done at all
  • Data protection declaration asserts consents which have not been given and which cannot be legally given simply by being mentioned in the data protection declaration
  • Express consent to the data protection declaration, which turns it into a contract, so that adjustments, which regularly occur in a well-maintained data protection declaration, have to be treated like contract amendments
  • Opposition options do not work, for example with Google Analytics, where the previous "opt-out" with a JavaScript web link is no longer available
  • Facebook pages and other social media presence are not mentioned or it is forgotten to link the data protection declaration on the Facebook page
  • Swiss websites, some of which actually have to comply with the GDPR, have not appointed an EU data protection representative
  • The data protection declaration is created once and then no longer maintained, so that over time it contains errors, is incomplete and appears out of date

Data protection declarations: Don’t panic!

"Don't panic!" also applies to data protection declarations. For most websites, there is no getting around creating, publishing and maintaining a data protection declaration. The data protection declaration is an important part of complying with data protection law. Unfortunately, the perfect data protection declaration does not exist, because data protection law is too excessive and contradictory for that.

Data protection declarations serve to inform the data subjects. They should know who is collecting their personal data and how, for what and where it is being processed. They should also know their rights, for example the right to information.

In order to fulfill these information obligations, website operators need to know how personal data is obtained and processed on their websites. With this knowledge, a data protection declaration can be created that is usually good enough, provided that the recommendations in this article are heeded and typical errors are avoided. If you want to improve legal certainty, you can have your data protection declaration drawn up or at least checked by a qualified specialist.

Note: For clarifications in individual cases, in the event of ambiguity and in case of doubt, we recommend that you seek advice from an experienced and qualified specialist such as a lawyer.