Personal Information comprises any information that allows you to identify a user, such as e-mail addresses, physical addresses, names and the like.
What Personal information you collect
Why you need to collect Personal Information
A great example of this is Nestle (below):
Nestle provides a step by step account of why they need the Personal Information they collect.
Airbnb is another great example of a webshop that clearly states the reasons for which it needs to collect Personal Information.
Who such Personal Information is shared with
Most websites use one or more third party tools to enhance site performance and user experience. Examples might include Google Analytics to understand your website visitors, or AdSense for personalized advertising.
Further, in order to fulfil the delivery of items ordered from your online store, you might have to appoint external couriers. In doing so, you will have to share at least the physical address of the user with the courier.
Here’s how Instagram does this:
How to Opt Out of Data Collection
In this disclosure, you must identify the cookies or data trackers, explain their purposes and detail the type of data retrieved from the cookies or data trackers.
You should also list all sites, companies and organizations that will collect or receive data retrieved from cookies or data trackers.
Orders from outside South Africa
What’s Your Legal Basis for Processing Data
The GDPR requires you to give at least one legal basis for processing personal data of customers. There are 6 legal bases, which are as follows:
The data subject has given consent to the processing
Processing is necessary for performance of a contract between the two parties
Processing is necessary for compliance with a legal obligation
Processing is necessary to protect the data subject’s vital interests
Processing is necessary in order to protect a public interest or exercise official authority
Processing is necessary for the purpose of legitimate interests, so long as fundamental rights and freedoms aren’t infringed
How long you’re going to store the data
The GDPR obliges you to inform your customers about “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”.
Who Your Data Controller is and Contact Information
If you control the personal information of your customers, or you process it on behalf of some other company, inform your customers about it. Tell them who you are and what your role is when it comes to their data. If it is not you who processes the data, your policy should clearly state the name and details of the company that will be controlling and processing the personal data.
Whether You Use Data to Make Automated Decisions
If you use automated decision making (for example for credit scoring or for profiling users) to provide services/products to your users, disclose this.
Inform Users of the 8 Rights They Have Under the GDPR
The GDPR requires you to tell your users about their 8 rights under the GDPR, which are:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights related to automated decision making and profiling
You can comply with this requirement by simply listing the rights of your customers as above, or you can provide further details about the rights afforded to them.
Whether You Transfer Data Internationally