What is a privacy policy and why do you need one?
A privacy policy describes which data a company processes, and for what reason and purpose. It explains how this data is gathered and used, and whether it is transferred to other people or companies and/or third parties. It also describes the measures that the company takes to ensure the privacy of its customers and who is responsible for data processing within the company.
A privacy policy is needed to create transparency. According to the revised Data Protection Act, companies generally have the duty to inform. That means that they are obligated to suitably inform the affected person about the collection of their personal data; this applies, in particular, with regard to the scope and processing purpose for the collected data. With a privacy policy, you meet this legal obligation and ensure that your customers and business partners are informed correctly.
It is important that the privacy policy is always kept up to date, and is complete and correct. Ensure that it is reviewed regularly and updated if necessary.
Why do you need a privacy policy?
In general, a privacy policy is needed wherever personal data is gathered or processed. Possible examples include:
- Websites: A privacy policy is required for websites, regardless of whether it is a contact form, registration for a newsletter, cookies, or other tracking tools. Personal data is always collected on websites, albeit to a varying extent.
- Agreements with private persons (especially customers)
- Newsletters
- Marketing campaigns, etc.
Checklist: What should be included in a privacy policy?
The revised Data Protection Act stipulates a certain minimum content for privacy policies. It must at least include the following:
- Who is responsible? That means the identity and contact details of the person responsible for data processing must be indicated.
- What kind of personal data does the company gather? Categories such as name, contact details, health data, etc., must be listed.
- Who does the privacy policy apply to and whose data is gathered? The categories of data subjects, such as customers, employees, suppliers, etc., must be listed.
- Why is data gathered? The purpose of processing, such as the fulfillment of customer contracts or cookies to ensure the functioning of the website, must be listed, as well as how long the data will be stored.
- Who besides the company will receive the gathered personal data? Recipients of the data, such as subcontractors, service providers, insurance companies, partner companies, or the like, must be listed.
- The cross-border transmission of data must also be reported transparently.
If you only operate in Switzerland, this information is enough to be compliant with data protection law. Since you may in some circumstances fall under the jurisdiction of the EU’s General Data Protection Regulation (GDPR), it may be a good idea to make a complete privacy policy from the start (this applies, in particular, to online shops!). Expand your privacy policy to include the following points:
- What is the legal basis for the processing of data in accordance with the GDPR? This may be the initiation or performance of an agreement, the existence of a legal basis, consent from the affected person or their authorized representative, or an overriding or justified interest of your company.
- Information on profiling. If the company gathers profile data, this must be made transparent.
- Where data processing is mandatory, why is it mandatory?
- What rights do the affected people have? The rights of data subjects, such as the right to information, must be described in detail.