Privacy statement and cookie statement for your website according to GDPR


Including checklist for your privacy policy and privacy statement according to GDPR.

We are often asked at CookieInfo whether the privacy statement is sufficient in relation to the cookie statement. We also see that the terms are used interchangeably.


To help you with this, here is a blog post about the differences between these three documents and how you can interpret them.

A privacy statement or a privacy policy?

Since the introduction of the General Data Protection Regulation (GDPR) on May 25, 2018, many organizations’ websites contain a reference or link to their ‘privacy statement’ or ‘privacy policy’. What exactly is meant by these terms under the GDPR?

Privacy statement and privacy policy are not explicitly mentioned in the GDPR. However, here in the Netherlands, we see the Dutch Data Protection Authority (AP) make a clear distinction between these two terms.

In short the difference is:

  • A privacy statement is addressed to data subjects (those whose personal data is processed, or your website visitor).
  • A privacy policy is intended as a manual for employees in the organization who work with personal data.

What is a privacy statement and is it mandatory?

The Dutch Data Protection Authority uses the term privacy statement in the context of the obligation to provide information (Articles 12 to 14 GDPR). Personal data of a person (the data subject) may only be processed if it is transparent what happens to that personal data (the principle of transparency).

According to Articles 12 to 14 GDPR, this means that the controller (the organization) is obliged to inform data subjects about the data processing. Although no formal requirement is prescribed for how this information is given, as the controller you usually inform the data subject (your website visitor) via a privacy statement. In practice this means that a privacy statement is mandatory whenever you process personal data.

Privacy statement example and checklist

You can include the points below in the privacy statement for your website.

  1. The identity and contact details of the controller;
    ☐ Listed ☐ Not Listed
  2. If applicable; the contact details of the Data Protection Officer (DPO);
    ☐ Listed ☐ Not Listed
  3. The processing purposes and the legal bases;
    ☐ Listed ☐ Not Listed
  4. The legitimate interests of the controller or of a third party, if the processing is based on Article 6(1)(f) GDPR;
    ☐ Listed ☐ Not Listed
  5. If applicable; the recipients or categories of recipients of the personal data (these are persons or organizations to whom the controller provides personal data, for example a payroll office, tax office, cloud service, etc.);
    ☐ Listed ☐ Not Listed
  6. If applicable; that the controller intends to transfer the personal data to a third country or an international organization (if so, what additional measures have been taken);
    ☐ Listed ☐ Not Listed
  7. The retention period of the personal data, or if that is not possible, the criteria for determining that period;
    ☐ Listed ☐ Not Listed
  8. Information about the rights of data subjects;
    ☐ Listed ☐ Not Listed
  9. Where the processing is based on consent, that the data subject has the right to withdraw consent at any time;
    ☐ Listed ☐ Not Listed
  10. That the data subject has the right to lodge a complaint with a supervisory authority;
    ☐ Listed ☐ Not Listed
  11. Whether the provision of personal data is a legal or contractual obligation or a necessary condition for entering into a contract, and whether the data subject is obliged to provide the personal data and what the possible consequences are if this data is not provided;
    ☐ Listed ☐ Not Listed
  12. The existence of automated decision-making, and if it exists; useful information about the underlying logic, importance and expected consequences of that processing for the data subject;
    ☐ Listed ☐ Not Listed
  13. All other information that is required to ensure transparency of processing (this must be determined by the controller itself).

Just as important as the factual content of the privacy statement is that the information is clear (no vague terms) and distinguishable from other, non-privacy-related information (such as contract terms or general terms of use). The information must be understandable for an average person from the target group (children and professionals, for example, require different wording) and must be easy to find. You comply with this by including a privacy statement on your website, usually linked from the footer, and referring to it wherever personal data is collected.

As an example you can view the CookieInfo privacy statement here.

What is a privacy policy?

The Dutch Data Protection Authority uses the term privacy policy in the context of Article 24 of the GDPR. Under this article, a controller is obliged to take measures to demonstrate compliance with each of the principles and requirements set out in the GDPR: the so-called ‘accountability’.

It also follows from this article that in order to map out the measures taken, the controller is in certain cases obliged to draw up a data protection policy, or a privacy policy. This is in fact a further elaboration of the accountability obligation.

The controller is obliged to draw up a privacy policy where this is proportionate to the processing activities (Article 24(2) GDPR); the nature, scope, context and purposes of the processing must be taken into account.

Privacy policy not always required, but…

Although not every controller is obliged to have a privacy policy, it is still advisable to draw one up in order to comply with the accountability obligation.

This is how you as an organization demonstrate that you comply with the GDPR.

In addition, a privacy policy makes it possible for every employee to know his or her responsibility when processing personal data and to be aware of working in accordance with the requirements of the GDPR. It thus reduces risks, such as a data leak.

Unlike the privacy statement discussed above, which is addressed to data subjects (those whose personal data is processed), a privacy policy is intended as a manual for the employees in the organization who work with personal data.

Here in the Netherlands the Dutch Data Protection Authority recommends publishing the privacy policy in order to provide data subjects with insight into how the organization handles personal data. But you may wonder whether that is advisable. A privacy policy will often also contain company-sensitive information. The data subjects are already informed about the data processing via a privacy statement for the purpose of the information obligation.

A second difference compared to the privacy statement is that the GDPR does not specify exactly what should be included in a privacy policy. If you want to draw up a privacy policy, you can include the points below.

Drafting privacy policy GDPR – checklist

If you want to draw up a privacy policy according to GDPR, you can take the following points into account.

  1. An introduction in which it is stated, among other things, why complying with the privacy regulation within the organization is important;
    ☐ Listed ☐ Not Listed
  2. The purpose and scope of the privacy policy;
    ☐ Listed ☐ Not Listed
  3. Explanation of terms (for example personal data, data leaks, transfer mechanism);
    ☐ Listed ☐ Not Listed
  4. What are the starting points/principles of the GDPR and how are they taken into account;
    ☐ Listed ☐ Not Listed
  5. The three ‘mandatory parts’ of the data protection policy mentioned by the AP in its report (which are not mentioned as such in Article 24 of the GDPR):
    – A description of the (categories of) personal data;
    – A description of the purposes of the data processing;
    – A description of the rights of data subjects;
    ☐ Listed ☐ Not Listed
  6. A description of the functions and responsibilities, for example based on the RAS(C)I matrix;
    ☐ Listed ☐ Not Listed
  7. Supervision and enforcement (who monitors the policy, what are the consequences of non-compliance with the policy);
    ☐ Listed ☐ Not Listed

The privacy policy can then refer or link directly to the various underlying data protection and privacy policies (for example the data subject rights policy, the data leak policy, the retention schedule and the security policies) that are designed to improve privacy and data protection in the organization, so that the privacy policy document provides a complete picture of the controller’s policy for protecting personal data.

Please note: failure to comply with the controller’s obligations can be sanctioned by the supervisory authority with a fine of up to 10 million euros or 2% of the worldwide annual turnover, whichever is higher (Article 83(4) GDPR). Infringements of the basic principles of Article 5, which include the accountability principle of Article 5(2), fall in the higher tier of up to 20 million euros or 4% of worldwide annual turnover (Article 83(5) GDPR).

Privacy statement and Privacy policy the difference and conclusion

Although under the GDPR the term privacy statement means something different from the term privacy policy, in practice the two terms are still often confused. In principle this is not a disaster, provided that the controller correctly complies with both its information obligation (Articles 12 to 14 GDPR) and its accountability obligation (Article 24 GDPR). What goes wrong is, for example, a controller that publishes the privacy policy it drew up for accountability on its website and believes that this alone satisfies the obligation to inform data subjects.

Cookie declaration

In a cookie declaration you record which cookies your website places. Because the cookie declaration contains a lot of information, it is usually included as a separate page on your website.

You then refer to it from your privacy statement.

Because 30% of the cookies in use on your website change monthly, it is desirable to use a cookie statement that is automatically drawn up and maintained.

Example cookie declaration - CookieInfo

This is made possible in combination with a cookie scanner. The scanner identifies all cookies and trackers present on a website and classifies each of them in the appropriate category (Necessary, Functional, Marketing, Statistical).

This classification is then automatically adopted and presented in the cookie declaration.

This saves a lot of time and, when the classification drives the consent banner, prevents cookies from categories the visitor has not consented to from being placed before consent is given.
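The two mechanisms described above, gating scripts on the visitor's per-category consent and auditing which cookies were placed before the banner was answered, as an added example. This is not CookieInfo or Cookiebot code: the four category names, the constructed classification table, and the convention of shipping third-party tags as `<script type="text/plain" data-category="…">` so they stay inert until activated are all assumptions made for the example.

```javascript
// Added example (not CookieInfo or Cookiebot code): a minimal consent gate plus a
// pre-consent cookie audit. Category names, the classification table and the
// text/plain data-category convention are assumptions for this example.

const CATEGORIES = ["necessary", "functional", "statistics", "marketing"];

// Constructed classification table; in practice this is what a cookie scan produces.
const COOKIE_CLASSIFICATION = {
  sessionid: "necessary",
  csrftoken: "necessary",
  lang: "functional",
  _ga: "statistics",
  _gid: "statistics",
  _fbp: "marketing",
};

// Normalize a consent record: necessary cookies never need consent,
// and any category not explicitly granted is treated as refused.
function normalizeConsent(consent) {
  const granted = { necessary: true };
  for (const c of CATEGORIES.slice(1)) granted[c] = consent?.[c] === true;
  return granted;
}

// Return the script descriptors ({ src, category }) that may run for this consent.
// A missing or unknown category is treated as "marketing", the most restrictive
// bucket, so a mislabelled tag fails closed instead of loading before consent.
function allowedScripts(scripts, consent) {
  const granted = normalizeConsent(consent);
  return scripts.filter((s) => {
    const cat = CATEGORIES.includes(s.category) ? s.category : "marketing";
    return granted[cat];
  });
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Audit the cookies actually present against the consent given.
//   violations:   cookies whose category was not consented to (e.g. set before the banner was answered)
//   unclassified: cookies missing from the scan table; they must be classified before they can be allowed
function auditCookies(cookieString, consent, classification = COOKIE_CLASSIFICATION) {
  const granted = normalizeConsent(consent);
  const violations = [];
  const unclassified = [];
  for (const name of parseCookieNames(cookieString)) {
    const cat = classification[name];
    if (cat === undefined) unclassified.push(name);
    else if (!granted[cat]) violations.push(name);
  }
  return { violations, unclassified };
}

// Browser side: swap inert text/plain tags into executable script tags for the
// consented categories only. Guarded so the file also loads under Node, which has no DOM.
function activateScripts(consent, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  const granted = normalizeConsent(consent);
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!granted[tag.dataset.category]) continue; // unknown category -> stays inert
    const live = doc.createElement("script");
    if (tag.src) live.src = tag.src;
    else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed sample: a visitor who accepted only the statistics category.
const sampleConsent = { statistics: true };
const sampleTags = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://www.googletagmanager.com/gtag/js", category: "statistics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
  { src: "https://cdn.example/widget.js" }, // no category: fails closed
];
// Constructed cookie jar as observed before the banner was answered (no consent yet).
const sampleCookies = "sessionid=abc; _ga=GA1.2.1; _fbp=fb.1.2; promo_id=42";

console.log("allowed:", allowedScripts(sampleTags, sampleConsent).map((t) => t.src));
console.log("audit:", auditCookies(sampleCookies, {}));
```

The audit is the check a scanner effectively performs: run it against the cookie jar of a fresh session before any consent is recorded, and every entry in `violations` is a cookie that is being set ahead of consent, while `unclassified` flags cookies the declaration does not yet describe.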

View an example of the CookieInfo cookie declaration here. This is set up automatically.

To keep your website clear, it is best to link to your cookie declaration from the privacy statement. Both contain a lot of text, and keeping them on separate pages makes the difference immediately clear to your website visitor.

For example, we have included the text below in our privacy statement to explain our cookie policy in regards to the use of cookies and trackers. A link is then made to the automatically generated cookie declaration.

“The CookieInfo website uses cookies. We use cookies to personalize content and advertisements, to provide social media features and to analyze our website traffic. We also share information about your use of our site with our social media, advertising and analytics partners. These partners may combine this information with other information that you have provided to them or that they have collected based on your use of their services.
As a visitor you can decide for yourself how you want to deal with cookies. Here you will find our cookie statement, where you can also adjust or withdraw your consent.”

GDPR and cookies

Do you want to know more about the GDPR and cookies? Download the CookieInfo Cookie Guide. Or you can read more in this article on GDPR and Cookies.

For reference, the parts of the GDPR most relevant to this topic are:

Articles 1 to 4 on the subject matter, scope and definitions of the terms used in the Regulation,

Articles 5 to 11 on the principles relating to processing and the lawfulness of processing (including consent),

Articles 12 to 23 on transparency and the rights of data subjects,

Articles 24 to 31 on the responsibilities of the controller and processor,

Articles 37 to 39 on the requirement for a data protection officer,

Articles 44 to 49 on transfers of personal data outside the EU,

Articles 82 to 84 on liability, administrative fines and penalties for non-compliance.

If you have any questions about this blog? We would love to hear from you.

Team Cookie Info.


Disclaimer

We have written the information in this blog article about privacy policy, privacy statement and cookie declaration based on our own experience. It is written to inform you and is not legal advice. If you have questions about your own policy or statements, please contact a lawyer or one of the CookieInfo legal partners.

30-day free trial Cookiebot

Cookie scanner, cookie banner, cookie declaration and cookie consent in one solution.

  • Use cookies on your website in compliance with the GDPR, ePrivacy and cookie legislation
  • Cookie management completely automated
  • Cookie banner based on your corporate identity
  • Automatically composed cookie declaration, always up to date

The Cookiebot solution runs on 350,000+ websites, manages 8.7 billion user consents and supports 40+ languages. CookieInfo is the largest Cookiebot partner in Europe.