What is the difference between a privacy policy and a cookie policy and how do you draw them up?

Including checklist for your privacy policy and privacy statement according to GDPR.

We often get questions at CookieInfo whether the privacy policy is sufficient in relation to the cookie statement. We also see that the terms are used interchangeably.

To help you with this, a blog about the differences between these 3 and how you can interpret them.

A privacy policy or a privacy statement?

Since the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, many websites of organizations contain a reference or link to their privacy statement or their privacy policy. What exactly is meant by these terms under the GDPR?

Privacy statement and privacy policy are not explicitly mentioned in the GDPR. However, there is a clear distinction between these two terms.

• A privacy statement is addressed to data subjects (those whose personal data is processed, or your website visitor).
• A privacy policy is intended as a manual for employees in the organization who work with personal data.

What is a privacy statement and is it mandatory?

The GDPR uses the term privacy statement in the context of the obligation to provide information (Article 12-14 GDPR). Personal data of a person (the data subject) may only be processed if it is transparent what happens to these personal data (principle of transparency).

According to Article 12-14 GDPR, this means that the controller is obliged to provide information to data subjects about the data processing. Although no formal requirement is prescribed for this information obligation, as the controller you usually inform the data subject (your website visitor) via a privacy statement. This means that a privacy statement is mandatory if you process data.

Privacy statement example and checklist

You can include the points below in the privacy statement for your website.

1. The identity and contact details of the controller;
   Listed ☐ Not Listed ☐
   
2. If applicable; the contact details of the Data Protection Officer (DPO);
   Listed ☐ Not Listed ☐
   
3. The processing purposes and the legal bases;
   Listed ☐ Not Listed ☐
   
4. The legitimate interests of the controller or of a third party, if the processing is based on Article 6(1)(f) GDPR;
   Listed ☐ Not Listed ☐
   
5. If applicable, the recipients of the personal data include people or organizations. These are the ones to whom the controller gives personal data. Examples include a payroll office, tax office, or cloud service
   Listed ☐ Not Listed ☐
   
6. If applicable, the controller plans to transfer personal data to a third country or an international organization. If so, what extra measures have been taken?
   Listed ☐ Not Listed ☐
   
7. The retention period of the personal data, or if that is not possible, the criteria for determining that period;
   Listed ☐ Not Listed ☐
   
8. Information about the rights of data subjects;
   Listed ☐ Not Listed ☐
   
9. Where the processing is based on consent, that the data subject has the right to withdraw consent at any time;
   Listed ☐ Not Listed ☐
   
10. That the data subject has the right to lodge a complaint with a supervisory authority;
    Listed ☐ Not Listed ☐
    
11. Whether the provision of personal data is a legal or contractual obligation or a necessary condition to conclude a contract, and whether the data subject is obliged to provide the personal data and what the possible consequences are if this data is not provided;
    Listed ☐ Not Listed ☐
    
12. The existence of automated decision-making, and if it exists; useful information about the underlying logic, importance and expected consequences of that processing for the data subject;
    Listed ☐ Not Listed ☐
    
13. All other information that is required to guarantee transparency in processing (this must be determined by the controller himself).

The privacy statement should be clear and easy to understand. It should not use vague terms. The information must stand out from other details, like contract terms or general terms of use. The information should be clear for an average person in the target group. For example, it should explain the difference between children and professionals. It also needs to be easy to find. You comply with this by including a privacy statement in your website, often in the footer, and by referring to it.

As an example you can view the CookieInfo privacy statement here.

What is a privacy policy?

Data Protection Authorities use the term privacy policy in the context of Article 24 of the GDPR. Under this article, a controller is obliged to take measures to demonstrate compliance with each of the principles and requirements set out in the GDPR: the so-called ‘accountability’.

It also follows from this article that in order to map out the measures taken, the controller is in certain cases obliged to draw up a data protection policy, or a privacy policy. This is in fact a further elaboration of the accountability obligation.

The controller is obliged to draw up a privacy policy if it is proportionate to the processing activities. The nature, scope, context and purpose of the data processing must be taken into account.

Privacy policy not required, but…

Even though the controller does not have to create a privacy policy, it is still a good idea to make one. This helps meet the accountability requirement.

This is how you as an organization demonstrate that you comply with the GDPR.

In addition, a privacy policy makes it possible for every employee to know his or her responsibility when processing personal data and to be aware of working in accordance with the requirements of the GDPR. It thus reduces risks, such as a data leak.

A privacy statement is for data subjects. These are the people whose personal data is used.
In contrast, a privacy policy is a guide for employees. It helps them understand how to handle personal data.

Data Protection Authorities recommend publishing the privacy policy in order to provide data subjects with insight into how the organization handles personal data. But you may wonder whether that is advisable. A privacy policy will often also contain company-sensitive information. The data subjects are already informed about the data processing via a privacy statement for the purpose of the information obligation.

A second difference compared to the privacy statement is that the GDPR does not specify exactly what should be included in a privacy policy. If you want to draw up a privacy policy, you can include the points below.

Drafting GDPR privacy policy – checklist

If you want to draw up a privacy policy according to AVG, you can take the following points into account.

1. An introduction in which it is stated, among other things, why complying with the privacy regulation within the organization is important;
   Listed ☐ Not Listed ☐
   
2. The purpose and scope of the privacy policy;
   Listed ☐ Not Listed ☐
   
3. Explanation of concepts (e.g. personal data, data leaks, transfer mechanism);
   Listed ☐ Not Listed ☐
   
4. What are the starting points/principles of the GDPR and how are they taken into account;
   Listed ☐ Not Listed ☐
   
5. The three ‘mandatory parts’ of the data protection policy mentioned by the AP in its report (which are not mentioned as such in Article 24 of the GDPR):
   – A description of the (categories of) personal data;
   – A description of the purposes of the data processing;
   – A description of the rights of data subjects;
   
   Listed ☐ Not Listed ☐
   
6. A description of the functions and responsibilities, for example based on the RAS(C)I matrix
   Listed ☐ Not Listed ☐
   
7. Supervision and enforcement (who monitors the policy, what are the consequences of non-compliance with the policy)
   Listed ☐ Not Listed ☐

The privacy policy can link to different data protection and privacy policies. These include the data subject rights policy, data leak policy, retention periods, and security policies. All these policies aim to improve privacy and data protection in an organization. so that the privacy policy document provides a complete picture of the controller’s policy for protecting personal data.

Please note: If you do not meet the accountability obligations, Data Protection Authorities can impose a fine. This fine can be up to 10 million euros or 2% of your total annual revenue, whichever amount is higher.

Privacy statement and Privacy policy the difference and conclusion

Although under the GDPR the term privacy statement actually means something different than the term privacy policy, in practice the distinction between these terms is still often confused. In principle, this is not a disaster and not wrong, provided that the controller correctly complies with its information obligation (Article 12-14 GDPR) and accountability (Article 24 GDPR) and not, for example, its privacy policy for its accountability on the website. and thus believes to have complied with the obligation to provide information to those involved.

Cookie statement

In a cookie statement you record which cookies your website places. Because the cookie statement contains a lot of information, it is usually included as a separate page on your website.

You then refer to it from your privacy statement.

Because 30% of the cookies in use on your website change monthly, it is desirable to use a cookie statement that is automatically drawn up and maintained .

This is made possible in combination with a cookie scanner. This identifies all cookies and trackers present in a website. Cookies are classified in the appropriate category (Necessary, Functional, Marketing, Statistical).

This format is then automatically adopted and presented in a cookie statement.

This saves a lot of time and prevents incorrect cookies from being loaded before consent has been given for placing cookies.

View an example of the CookieInfo cookie statement here. This is set up automatically .

Tip: Link from your privacy statement to the cookie statement

To keep everything a bit clear on your website, it is best to link to your cookie statement from the privacy policy. Both contain a lot of text and so the difference is immediately clear to your website visitor.

For example, we have included the text below in our privacy statement. A link is then made to the automatically generated cookie statement .

“The CookieInfo website uses cookies. We use cookies to personalize content and advertisements, to provide social media features and to analyze our website traffic. We also share information about your use of our site with our social media, advertising and analytics partners. These partners may combine this information with other information that you have provided to them or that they have collected based on your use of their services.

As a visitor you can decide for yourself how you want to deal with cookies. Here you will find our Cookie statement, there you can also adjust or withdraw your consent.” View an example of an automatically generated cookie statement here.

Would you like to read more about texts that you can use for your cookie notification or statement? Then take a look at the article for the best text for a cookie notification .

The GDPR and cookies

Do you want to know more about the GDPR and cookies? You can read more about it in the article below.

Article 1-4 on the definitions of terms used in the Regulation,

Article 5-11 on the purpose of the Regulation,

Article 12-20 on the rights of individuals with regard to privacy and data,

Article 24-31 on the responsibilities of the controller and the processor,

Article 37-39 on the requirement for a data protection officer,

Article 44-46 on the transfer of data from the EU,

Article 82-83 on fines and penalties for non-compliance.

What is the GDPR?

If you have any questions about this blog? We would like to hear from you.

Team Cookie Info.

Disclaimer

We have written the information in this blog article about privacy policy, privacy statement and cookie statement based on our experiences. It is written to inform you, but not legal advice. If you have questions about your own policy or statements, please contact a lawyer or one of the CookieInfo legal partners.