GDPR – Template of privacy policy (for the processing of personal data)

By Franck Beaudoin, avocat (solicitor admitted in France), FB Juris

idroit.co – 27 May 2018

Template of clauses

Privacy policy

This privacy policy applies to the processing of personal data carried out by XXX [identity] (hereafter referred to as the controller).

1 – General provisions

The following provisions apply to any processing of personal data carried out by the controller, unless the specific provisions provide otherwise.

# Compliance with the GDPR and with French law

The controller represents that he carries out the processing of personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – « GDPR » and French law n° 78-17 dated 6 January 1978.

# Controller and other participants

The controller is identified above. His contact details are: XXX [contact details].

[Where applicable: The controller’s representative is: XXX [to be specified]. His contact details are: XXX [to be specified].]

[Where applicable: The data protection officer is: XXX [to be specified]. His contact details are: XXX [to be specified].]

# Recipients of the personal data

The XXX [recipients // categories of recipients] of the personal data are XXX [to be specified].

# Transfer of personal data

The controller XXX [intends // does not intend] to transfer personal data to a third country or international organisation.

[In case of transfer, specify the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available: XXX.]

# Period for which the personal data will be stored

The personal data will be stored XXX [OPTION 1: for a period of XXX as from their collection // OPTION 2, criteria used to determine that period: XXX [to be specified]].

# Rights of the data subject

The data subject has the following rights:

– the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing;

– the right to data portability;

– the right to lodge a complaint with a supervisory authority;

– where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

# Automated decision-making – profiling

The controller XXX [OPTION 1: intends // OPTION 2: does not intend]

[OPTION 1: The personal data will not be used for automated decision-making, including profiling. // OPTION 2: The personal data may be used for automated decision-making, including profiling. The relevant specific provisions detail the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.]

2 – Specific provisions

The following provisions are specific to each type of processing of personal data.

# Managing the relationship with our contacts and prospects

Personal data concerned – We process the following personal data: XXX [to be specified].

Purposes of the processing – The processing of personal data is intended to manage our relationship with our contacts and prospects. In particular, this processing aims to XXX [to be specified].

Legal basis for the processing – This processing of personal data is based on the consent of the data subject to the processing of his or her personal data for one or more specific purposes (point (a) of article 6 (1) of the GDPR). The provision of personal data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. The data subject is not obliged to provide the personal data. Failure to provide such data, or withdrawing consent to the processing, would XXX [to be specified, for example: prevent the data subject from receiving information or news relating to our organisation, our products and services].

# Procedures of acceptance of clients

Personal data concerned – We process the following personal data: XXX [to be specified].

Purposes of the processing – The processing of personal data is intended to comply with our obligations regarding customer due diligence measures under French law, notably pursuant to articles L. 561-4-1 and R. 561-5 of the French monetary and financial code (transposing Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing).

Legal basis for the processing – This processing of personal data is necessary for compliance with a legal obligation to which the controller is subject. It is based on point (c) of article 6 (1) of the GDPR. The provision of personal data is a requirement necessary to enter into a contract, in accordance with statutory requirements. The data subject is obliged to provide the personal data in order to enter into the contract. Failure to provide such data would prevent us from pursuing a relationship with the data subject and where applicable his or her organisation.

# Managing the relationship with our clients

Personal data concerned – We process the following personal data: XXX [to be specified].

Purposes of the processing – The processing of personal data is intended to manage our relationship with our clients. In particular, this processing aims to XXX [to be specified].

Legal basis for the processing – This processing of personal data is necessary for the performance of a contract to which the data subject is party or where applicable in order to take steps at the request of the data subject prior to entering into a contract. It is based on point (b) of article 6 (1) of the GDPR. The provision of personal data is a contractual requirement, or where applicable a requirement necessary to enter into a contract. The data subject is obliged to provide the personal data in order to XXX [enter into the contract // purchase our products or services]. Failure to provide such data would prevent the data subject and where applicable his or her organisation from XXX [entering into a contract with us // purchasing our products or benefiting from our services].