- Agreements with private persons (especially customers)
- Marketing campaigns, etc.
The revised Data Protection Act stipulates a certain minimum content for privacy policies. A privacy policy must include at least the following:
- Who is responsible? That means the identity and contact details of the person responsible for data processing must be indicated.
- What kind of personal data does the company gather? Categories such as name, contact details, health data, etc., must be listed.
- Why is data gathered? The purpose of processing, such as the fulfillment of customer contracts, cookies to ensure the functioning of the website, etc., must be listed, as well as how long the data will be saved.
- Who besides the company will receive the gathered personal data? Recipients of the data, such as subcontractors, service providers, insurance companies, partner companies, or the like, must be listed.
- The cross-border transmission of data must also be reported transparently.
- What is the legal basis for the processing of data in accordance with the GDPR? Possible bases include the prospecting or implementation of an agreement, the existence of a legal basis, consent from the affected person or their authorized representative, and an overriding or justified interest for your company.
- Information on profiling. If the company gathers profile data, this must be made transparent.
- What is the reason why data processing is mandatory?
- What rights do the affected people have? The rights of data subjects, such as the right to information, must be described in detail.