8 things you have to include in your GDPR policy


Adib Hosseini
Close-up of hands typing on a computer with GDPR on the screen.
It’s important you have an air-tight policy.

All companies that in any way process and store personal data have to have a data protection policy, i.e. a GDPR policy. All information that has a connection to you in some way, whether directly or indirectly, is considered personal data. It can be anything from name, address, phone number and social security details to email addresses containing your name, ID card number and even your IP address. Even pictures, videos and sound recordings are considered personal data.

In your GDPR policy, there are a number of details you must make easily accessible to your users. The information has to be straightforward and easy to understand. Otherwise, you risk being fined for violating GDPR. And above all, there has to be a legal ground that allows you to collect other people’s personal data.

There are six legal grounds that allow you to process personal data. Organizations that process personal data in any way have to fulfill at least one of these grounds:

  • You need consent from the user to be able to save their data.
  • You need to have an agreement with the user that requires their personal data to be saved.
  • You need to have a legal obligation that requires you to save certain personal data by law.
  • You need to show that you’re processing personal data to be able to protect people’s fundamental interests, for example to save their lives. This mainly applies to healthcare.
  • You need to be an authority and process personal data as part of your work as an authority and in the interest of the public.
  • You need to have interests in processing personal data that outweigh the interests of your users, making the processing necessary. This can apply when your organisation is part of a large group and you have to share personal data with others within the group in order to be able to pay salaries and the like.

1. Your GDPR policy must include who’s responsible for the personal data

Who’s responsible for personal data depends on the form of the company. It’s usually not a person, but the organization itself. If you’re a company, then the company is responsible for personal data. If you’re an association, it’s the association who’s responsible. One individual can also be responsible for personal data, such as in individual companies.

2. Why do you collect personal data?

Different organizations have different reasons for collecting personal data. What’s important to keep in mind is that the personal data you collect doesn’t only apply to your users, but also to your employees. For example, data you collect in payroll systems has to comply with GDPR. The same goes for when you want to communicate with your users, for example through a newsletter.

Regardless of the reason, it’s particularly important to be clear about why you’re collecting personal data, both so your users can easily get that information and because you can’t use the information you’ve collected in any other way than how you’ve specified. For example, you can’t collect email addresses when your users create accounts on your webpage and then at a later stage use the same information to start sending newsletters to them. If you want to change the purpose, you have to disclose the information to your users and be clear about how the changes affect them and why you’ll collect their personal data going forward.

3. Where do you store the personal data?

Do you store the data within the EU or do you store it in a country outside of the EU? Depending on where you store the data, you need to check that the country has a sufficiently high level of protection of personal data according to the EU/EEA standard. If the country doesn’t, you can’t store personal data in that country. So you need to check whether there is a decision from the European Commission regarding the level of protection in the country you want to store the data in. If there’s no such decision, you need to have standard contract clauses that the European Commission has decided on. But since such clauses sometimes mean you also need to take other protective measures according to the EU Court, it would be a good idea to bring in a GDPR expert who can make sure that your GDPR policy is air-tight.

4. The type of personal data you collect has to be included in your GDPR policy

You also have to be clear about which personal data you collect, and you can’t change this and collect other personal data without approval. If there’s a change in your systems that causes you to collect new personal data, you have to share that information with your users. Remember that it’s important to be clear and include all information that’s considered personal data. All information that can in any way be linked to individuals is personal data and must be categorized in your GDPR policy.

5. Who will have access to the personal data?

Are there other parties who will have access to the data? Do you have external suppliers who have access to it? Or are there other parties you collaborate with who will have access to the personal data you collect? Then this has to be stated in your policy. You also have to clarify the rights and obligations your partners have. The important thing here is that the personal data you collect isn’t at risk of being misused by partners using it for purposes other than what you’ve informed your users about.

6. How long will you store the data?

Depending on how you intend to use the personal data, the period for how long you intend to store it varies. Simply put, you can save the data as long as you need it for the purpose you’ve specified in your policy. When the purpose is no longer relevant, you have to delete the data.

Sometimes, however, you may need to state that you don’t know how long you’ll need to store the personal data. Then you instead have to state why you can’t limit the storage in time.

7. Your users’ rights have to be stated in your GDPR policy

According to the GDPR, everyone has the right to access their personal data from organizations collecting it. Everyone has the right to both receive an extract and have information changed if it’s incorrect. In addition, everyone has the right to request to have their data deleted in the vast majority of cases. The only exception is when there are other legal obstacles that prevent you from deleting the data. However, this exception mainly applies to authorities. For most companies, if a user wants the company to delete the person’s data, the company has to do so.

8. Where do users submit any complaints?

In January 2021, the Data Inspectorate changed its name to The Swedish Authority for Privacy Protection. They’re the ones who ensure that Swedish organizations comply with the GDPR. It’s also where private individuals can report complaints if they’re concerned about how an organization handles their personal data. That’s why you have to include contact information for the Authority for Privacy Protection in your policy so that your users can easily contact them about any questions, concerns and complaints.
