In the Policy, you’ll need to explain:
What data is gathered
Why it is gathered
For how long it is stored
On what legal grounds you are gathering the data
In addition to this, you’ll basically need to explain the whole GDPR – all data subjects’ rights, who they can contact in case of problems, etc.
Note that you must take into account how any of the WordPress plugins on your website process personal data. You (as the controller) are ultimately responsible for what the plugins on your site are doing. More on that below.
Obligation to give information (GDPR Art. 13 & Art. 14)
Depending on whether data is collected from the data subject (art 13) or from another source (art 14), you have the obligation to provide the following information to the data subjects:
Data Protection Officer’s contact (if you have one);
Purpose of processing data;
Legal basis for processing (e.g. consent, legitimate interest, law – see art 6(1));
Recipients of personal data (who you are sharing the data with or who has access to it);
How long data is stored;
Information about data subject’s rights (right to rectification, erasure, access, portability; right to withdraw consent any time; right to submit a complaint to a supervisory authority including the contact information of that supervisory authority);
If data is gathered for a contractual obligation or other statutory reason, then information about the obligation, whether the data subject is obliged to give personal data, and what the consequences of failing to do so are;
If any automated decision making or profiling is used, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
Information about personal data being transferred to third countries (outside the European Economic Area), the legal grounds for doing that and safety measures taken.
Note that if you are using legitimate interest as the grounds for processing data, then this has to be explained briefly.
If you do not know the exact period for which personal data is stored, then the criteria used to determine it also have to be explained briefly.
If you gather any personal data about a data subject from an external source, then you must provide the data subject with information regarding the source of the data.
What you should do now
Let’s go over each section, explain why it’s there and what you need to change (if anything).
Section 1: Definitions
This section establishes clear definitions for certain terms used in the Policy.
Ideally, you should look up the legal definition of a “child” in your country (this varies between EU countries) and edit the age there if necessary. You probably don’t need to change anything else here.
Section 2: Data Protection Principles
This section covers the principles of GDPR. You don’t need to change anything here.
Section 3: Data Subject’s Rights
This section covers the rights granted to data subjects by GDPR. The contact information of your local supervisory authority, as well as that of your Data Protection Officer (if you have one), has automatically been inserted. You don’t need to change anything here.
Section 4: Information we gather
This section describes the information your website gathers from data subjects. The default text covers a very wide set of information, but it’s not very specific. You should edit it to be as specific as possible. You can remove everything that doesn’t apply to your site and instead describe which data your site gathers and in which situations it does so.
If you don’t know what data your website and plugins gather, the safest solution is to ask help from a developer. (We can help!)
Section 5: How we use your Personal Data
This section describes how you actually use the personal data your website gathers. Again, the default text is very wide. However, in this case you might not want to remove anything. It’s better to have as many reasonable options here as possible. If anything important is missing, you should add it there.
Section 6: Who else can access your Personal Data
Fill in the list of partners you share data with. You should use their full business name here and ideally describe which data you share and why.
Processing partners are everyone who can access the data you have gathered, such as your web hosting provider or your web developer. Read the definition of a Processor here. This list should probably not remain empty.
Business partners are basically any other companies you do business with and share personal data with. (If there aren’t any, you can remove this section.)
Connected third parties are everyone else who doesn’t fit the above categories. (If there aren’t any, you can remove this section.)
Section 7: How we secure your data
Review this section and describe additional security measures, if you have any.
What you should do in May