Privacy Policy Guide - GDPR

Overview

The privacy policy is the main document for informing data subjects under Articles 13 and 14 of the GDPR. It must be clear, accessible, and comprehensive.

Policy Objectives

Reference Resources

Templates

IMPORTANT: The default template sample_template_politique_confidentialite is designed for a brochure website without user accounts. If the request concerns an application or platform with users, additional data categories will need to be added, such as:

• User account management (creation, authentication, profile)
• Login data and activity history
• Data generated by application usage
• User-to-user communications (messages, comments, etc.)
• User preferences and settings

Adapt the template according to the platform type (brochure site, e-commerce, SaaS, mobile app, marketplace, etc.).

CNIL Documentation

Knowledge Base

Information to Collect from Client

IMPORTANT: Before drafting the policy, collect ALL the information below from the client.

1. Data Controller Information

• Full company name
• Legal form (SAS, SARL, Ltd, etc.)
• Company registration number (SIREN/SIRET)
• Registered office address
• Legal representative (name and title)
• General contact email
• DPO appointed? If yes, contact details

2. Nature of the Site/Application

• Existing website URL (for analysis)
• Platform type:
  • Brochure website
  • E-commerce
  • SaaS / Web application
  • Mobile application
  • Marketplace
  • Other: ___________
• Business sector
• Target audience (B2B, B2C, both)
• Target countries (France only, EU, international)

3. Data Collected

For each category, specify if applicable:

• IDENTIFICATION DATA

  • First name, last name
  • Email
  • Phone
  • Postal address
  • Date of birth
  • Photo / Avatar

• CONNECTION DATA

  • IP address
  • Connection logs
  • Device ID
  • Account identifiers

• BROWSING DATA

  • Pages visited
  • Time spent
  • Clicks
  • Traffic source

• TRANSACTION DATA

  • Order history
  • Payment data (via provider)
  • Invoices

• SENSITIVE DATA (special attention)

  • Health data
  • Political/religious opinions
  • Ethnic origin
  • Biometric data

4. Legal Bases for Processing

KEY QUESTION: For each processing activity, what is the legal basis?

TABLE TO COMPLETE WITH CLIENT:

5. Recipients and Processors

• TECHNICAL PROCESSORS

  • Host: ___________
  • Email provider: ___________
  • Payment provider: ___________
  • Analytics: ___________
  • CRM: ___________
  • Support/Ticketing: ___________

• TRANSFERS OUTSIDE EU

  • Yes / No
  • If yes, to which countries? ___________
  • Safeguards in place:
    • Standard contractual clauses
    • Adequacy decision
    • Other: ___________

6. Cookies and Trackers

• COOKIES USED

  • Strictly necessary cookies (session, cart, authentication)
  • Analytics cookies (Google Analytics, Matomo, etc.)
  • Advertising cookies (Facebook Pixel, Google Ads, etc.)
  • Social media cookies (share buttons)
  • Other: ___________

• CONSENT MANAGEMENT PLATFORM

  • None
  • Axeptio
  • Didomi
  • Cookiebot
  • Other: ___________

7. Retention Periods

Drafting Workflow

Step 1: Template Selection (MANDATORY)

NEVER DRAFT A POLICY FROM SCRATCH. Always start from a given template for drafting, either:

• the default template in assets/sample_template_politique_confidentialite.docx;
• another internal template provided by the user.

This template is your base reference. You must:

• Faithfully reproduce the template's structure and wording
• Keep the exact template phrasing (they are validated)
• Only replace placeholders with client information
• Do NOT rewrite sentences even if you think you can phrase them better
• Do NOT add sections that are not in the template

The collected information (T&Cs, site, etc.) is used to fill in the template, not to rewrite it.

1. FIRST ACTION: Confirm the template to use BEFORE any drafting. Ask the user:

"I will draft the privacy policy starting from the provided default template. Do you have an internal template that would be more suitable as a starting point?"

2. Consider the user's choice and select the starting template.

Step 2: Understand the Client's Business

MAIN OBJECTIVE: Truly understand what the client does, their business, the user journey on their platform.

1. Ask the lawyer for available information:

"To draft a perfectly tailored policy, please provide:
- Information you have about the client and their business
- Existing documents (T&Cs, sales conditions, order forms, contracts...)
- Exchanges or key points raised by the client
- The site/application URL (if accessible)
- Points that must absolutely be included according to you

You may anonymize this information if necessary for confidentiality reasons.

The more information you provide, the better adapted the policy will be to the actual case. Otherwise, we will conduct our own research but it will be limited to publicly accessible information."

2. Analyze the documents provided:

3. Additional research on the site (if accessible):

Note: Some sites only display a "Request a quote" form without access to the platform. In that case, rely primarily on the documents provided.

The objective is to understand the business AND identify technical elements:

• Understand what the company actually does
• Read the existing privacy policy (if present)
• Read the existing T&Cs/Legal notices
• Identify the typical user journey (if visible)
• Identify data collection forms (registration, contact, order...)
• Spot cookies/trackers via the banner
• List features (account, newsletter, chat, payment...)

4. Summary before drafting:

CLIENT: [Name]
BUSINESS: [Description in 2-3 sentences]
PLATFORM TYPE: [SaaS, e-commerce, mobile app, etc.]
USER JOURNEY: [Key steps]
DATA COLLECTED: [List by collection point]
COOKIES IDENTIFIED: [Types of cookies spotted]
FORMS: [List of collection points]
KEY LAWYER POINTS: [What must absolutely be included]
SPECIFICITIES: [What makes this case particular]

Once the summary is ready → Proceed to Draft 1

Step 3: Draft 1

ABSOLUTE RULE: The template is your validated base.

• START from the template: structure, wording, tone → this is your reference
• ADAPT to the client case: integrate the specific information collected
• DO NOT rewrite everything: keep the template wording, only adapt what needs to be

In summary: Template + client information = Draft 1. Not a complete rewrite.

Complete the template section by section with the collected information:

1. Identity of the data controller
2. Data collected (by category)
3. Purposes and legal bases (table)
4. Recipients and processors
5. International transfers
6. Retention periods (table)
7. Data subject rights
8. How to exercise rights
9. Cookies and trackers
10. Data security
11. Policy changes
12. Contact

Immediate compliance check: Before presenting Draft 1, verify the mandatory disclosures checklist (Art. 13 GDPR):

• Controller identity and contact details
• DPO contact details (if appointed)
• Processing purposes
• Legal basis for each purpose
• Legitimate interests pursued (if applicable)
• Recipients or categories of recipients
• Transfers outside EU and safeguards
• Retention period or criteria for determination
• Data subject rights (access, rectification, erasure, restriction, portability, objection)
• Right to withdraw consent (if applicable)
• Right to lodge a complaint with the CNIL
• Whether data provision is mandatory/optional
• Existence of automated decision-making (if applicable)

If Draft 1 is compliant → Proceed to Step 3.

Step 4: Deliver Draft 1 + Benchmark + Improvement Suggestions

1. Deliver Draft 1 with explanation:

Here is Draft 1 of the privacy policy.

**What I took into account:**
- [Summary of key elements integrated]
- [Client specificities considered]
- [Particular points mentioned by the lawyer]

**Compliance:** The document meets Art. 13 GDPR requirements.

2. Present the benchmark (systematic):

Research 3-5 privacy policies from companies in the same sector, then present:

**Benchmark conducted:**

I analyzed the privacy policies of:
- [Company 1] - [what we noted]
- [Company 2] - [what we noted]
- [Company 3] - [what we noted]

**Identified possible improvements:**
- [Improvement 1]: [explanation]
- [Improvement 2]: [explanation]
- [Improvement 3]: [explanation]

Would you like to incorporate these elements into the provided Draft?

3. If the lawyer approves improvements → Produce Draft 2.

Step 5: Final Verification

Final review before definitive delivery:

• All Art. 13 GDPR disclosures present
• Client information correctly integrated
• Clear and accessible language
• No internal references (template, sources) in final document
• Update date present

Standard Policy Structure

PRIVACY POLICY
[Company Name]
Last updated: [DATE]

TABLE OF CONTENTS (if long document)

1. WHO ARE WE?
   - Controller identity
   - DPO contact details

2. WHAT DATA DO WE COLLECT?
   - Identification data
   - Browsing data
   - Transaction data
   - Etc.

3. WHY DO WE COLLECT YOUR DATA?
   - Purposes / legal bases table

4. WITH WHOM DO WE SHARE YOUR DATA?
   - Internal services
   - Processors
   - Partners (if consent)
   - Authorities (legal obligations)

5. IS YOUR DATA TRANSFERRED OUTSIDE THE EU?
   - Countries concerned
   - Safeguards

6. HOW LONG DO WE KEEP YOUR DATA?
   - Retention periods table by data type

7. WHAT ARE YOUR RIGHTS?
   - List of rights with simple explanation
   - How to exercise them

8. COOKIES AND TRACKERS
   - Types of cookies used
   - Preference management

9. SECURITY
   - Measures in place (without sensitive technical details)

10. CHANGES TO THIS POLICY
    - Notification procedure

11. CONTACT US
    - Email
    - Postal address
    - Link to form

Drafting Best Practices

Writing Style

Accessibility

• Clear language: understandable by a non-lawyer user
• Visible structure: table of contents, numbered headings
• Layered information: summary + details if needed
• Update date: visible at top of document

Common Mistakes to Avoid

CNIL Reference Sanctions

These sanctions illustrate the importance of a compliant policy and rigorous cookie management.

Frequently Asked Questions

1. Must the policy be in French?

Yes, if the site targets French users. It can be bilingual if the site is international.

2. Is a separate policy needed for the mobile app?

Not necessarily, but the policy must cover app-specific aspects (permissions, data collected by the device).

3. How to handle updates?

• Date each version
• Inform users of substantial changes
• Keep previous versions

4. Is a DPO mandatory?

Not systematically. Mandatory if:

• Public authority
• Large-scale processing of sensitive data
• Regular and systematic large-scale monitoring

Using This Guide

1. Step 1 - Choose the template: Default, or lawyer's internal template
2. Step 2 - Understand the business: Collect lawyer docs + site research
3. Step 3 - Draft Draft 1: Complete template + compliance check
4. Step 4 - Deliver + Benchmark: Present Draft 1 + systematic benchmark + improvement suggestions
5. Step 5 - Finalize: Integrate approved improvements + final verification

TEMPLATE REMINDER: Never draft from scratch. Always start from the template and adapt it.

SOURCES REMINDER: The CNIL and GDPR references in this guide are for the drafter. They should not appear in the final document, except for mandatory legal disclosures (right to lodge a complaint with CNIL, etc.).