privacy-policy-malik-taiar

Guide for drafting privacy policies compliant with GDPR. Includes CNIL 2020 recommendations, a reference template, and best practices. Use when drafting or revising a privacy policy for a website or application.

250 stars

Best use case

privacy-policy-malik-taiar is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using privacy-policy-malik-taiar should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/politique-confidentialite-malik-taiar/SKILL.md --create-dirs "https://raw.githubusercontent.com/lawvable/awesome-legal-skills/main/skills/politique-confidentialite-malik-taiar/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/politique-confidentialite-malik-taiar/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How privacy-policy-malik-taiar Compares

| Feature / Agent | privacy-policy-malik-taiar | Standard Approach |
|-----------------|----------------------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Guide for drafting privacy policies compliant with GDPR. Includes CNIL 2020 recommendations, a reference template, and best practices. Use when drafting or revising a privacy policy for a website or application.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Privacy Policy Guide - GDPR

## Overview

The privacy policy is the main document for informing data subjects under Articles 13 and 14 of the GDPR. It must be clear, accessible, and comprehensive.

### Policy Objectives

| Objective | GDPR Requirement |
|-----------|------------------|
| **Transparency** | Clearly inform about data processing (Art. 12) |
| **Information** | Provide all mandatory disclosures (Art. 13-14) |
| **Rights** | Enable exercise of data subject rights (Art. 15-22) |
| **Trust** | Reassure users about data protection |

---

## Reference Resources

### Templates

| Template | Description |
|----------|-------------|
| `assets/sample_template_politique_confidentialite.docx` | Default template to use if no private template is provided |
| Internal template provided by lawyer | Use if the lawyer has a more suitable private template |

> **IMPORTANT**: The default template `sample_template_politique_confidentialite` is designed for a **brochure website without user accounts**. If the request concerns an **application or platform with users**, additional data categories will need to be added, such as:
> - User account management (creation, authentication, profile)
> - Login data and activity history
> - Data generated by application usage
> - User-to-user communications (messages, comments, etc.)
> - User preferences and settings
>
> Adapt the template according to the platform type (brochure site, e-commerce, SaaS, mobile app, marketplace, etc.).

### CNIL Documentation

| Document | Content |
|----------|---------|
| **[CNIL_droits_personnes.pdf](./assets/CNIL_droits_personnes.pdf)** | Guide on data subject rights (access, rectification, erasure, etc.) |
| **[CNIL_durees_conservation.pdf](./assets/CNIL_durees_conservation.pdf)** | Retention period recommendations by data type |
| **[CNIL_finalites.pdf](./assets/CNIL_finalites.pdf)** | How to properly define processing purposes |
| **[CNIL_transparence.pdf](./assets/CNIL_transparence.pdf)** | Guide on information and transparency towards data subjects |
| **[CNIL_principes_rgpd.pdf](./assets/CNIL_principes_rgpd.pdf)** | Fundamental GDPR principles |
| **[RGPD_texte_officiel.pdf](./assets/RGPD_texte_officiel.pdf)** | Full text of EU Regulation 2016/679 |

### Knowledge Base

| Document | Content |
|----------|---------|
| **[BASES_LEGALES.md](./references/BASES_LEGALES.md)** | The 6 legal bases for processing (Art. 6 GDPR) with examples and wording |
| **[DROITS_PERSONNES.md](./references/DROITS_PERSONNES.md)** | The 8 data subject rights (Art. 15-22 GDPR) with exercise procedures |
| **[COOKIES.md](./references/COOKIES.md)** | CNIL 2020 recommendations on cookies, categories, banners, sanctions |
| **[DUREES_CONSERVATION.md](./references/DUREES_CONSERVATION.md)** | Retention period tables by data type with legal justifications |

---

## Information to Collect from Client

> **IMPORTANT**: Before drafting the policy, collect ALL the information below from the client.

### 1. Data Controller Information

- [ ] Full company name
- [ ] Legal form (SAS, SARL, Ltd, etc.)
- [ ] Company registration number (SIREN/SIRET)
- [ ] Registered office address
- [ ] Legal representative (name and title)
- [ ] General contact email
- [ ] DPO appointed? If yes, contact details

### 2. Nature of the Site/Application

- [ ] Existing website URL (for analysis)
- [ ] Platform type:
  - Brochure website
  - E-commerce
  - SaaS / Web application
  - Mobile application
  - Marketplace
  - Other: ___________
- [ ] Business sector
- [ ] Target audience (B2B, B2C, both)
- [ ] Target countries (France only, EU, international)

### 3. Data Collected

For each category, specify if applicable:

- IDENTIFICATION DATA
  - [ ] First name, last name
  - [ ] Email
  - [ ] Phone
  - [ ] Postal address
  - [ ] Date of birth
  - [ ] Photo / Avatar

- CONNECTION DATA
  - [ ] IP address
  - [ ] Connection logs
  - [ ] Device ID
  - [ ] Account identifiers

- BROWSING DATA
  - [ ] Pages visited
  - [ ] Time spent
  - [ ] Clicks
  - [ ] Traffic source

- TRANSACTION DATA
  - [ ] Order history
  - [ ] Payment data (via provider)
  - [ ] Invoices

- SENSITIVE DATA (special attention)
  - [ ] Health data
  - [ ] Political/religious opinions
  - [ ] Ethnic origin
  - [ ] Biometric data

### 4. Legal Bases for Processing

> **KEY QUESTION**: For each processing activity, what is the legal basis?

| Legal Basis | When to Use | Example |
|-------------|-------------|---------|
| **Contract Performance** (Art. 6.1.b) | Processing necessary to provide the service | Order delivery, account creation |
| **Consent** (Art. 6.1.a) | Free choice by the person, withdrawable at any time | Newsletter, marketing cookies, sharing with partners |
| **Legitimate Interest** (Art. 6.1.f) | Company interest, balanced against data subject rights | Anonymized statistics, security, B2B prospecting |
| **Legal Obligation** (Art. 6.1.c) | Required by law | Invoice retention 10 years, tax obligations |

**TABLE TO COMPLETE WITH CLIENT:**

| Processing Purpose | Legal Basis | Data Concerned |
|--------------------|-------------|----------------|
| Order management   |             |                |
| Account creation   |             |                |
| Newsletter         |             |                |
| Statistics         |             |                |
| Customer service   |             |                |
| Commercial prospecting |         |                |
| ___________________  |           |                |

### 5. Recipients and Processors

- TECHNICAL PROCESSORS
  - [ ] Host: ___________
  - [ ] Email provider: ___________
  - [ ] Payment provider: ___________
  - [ ] Analytics: ___________
  - [ ] CRM: ___________
  - [ ] Support/Ticketing: ___________

- TRANSFERS OUTSIDE EU
  - [ ] Yes / No
  - [ ] If yes, to which countries? ___________
  - [ ] Safeguards in place:
    - [ ] Standard contractual clauses
    - [ ] Adequacy decision
    - [ ] Other: ___________

### 6. Cookies and Trackers

- COOKIES USED
  - [ ] Strictly necessary cookies (session, cart, authentication)
  - [ ] Analytics cookies (Google Analytics, Matomo, etc.)
  - [ ] Advertising cookies (Facebook Pixel, Google Ads, etc.)
  - [ ] Social media cookies (share buttons)
  - [ ] Other: ___________

- CONSENT MANAGEMENT PLATFORM
  - [ ] None
  - [ ] Axeptio
  - [ ] Didomi
  - [ ] Cookiebot
  - [ ] Other: ___________

### 7. Retention Periods

| Data Type | Proposed Duration | Justification |
|-----------|-------------------|---------------|
| Active customer account | Duration of relationship |  |
| Inactive customer account | 3 years after last activity | Prospecting |
| Prospects | 3 years without interaction | CNIL recommendation |
| Invoices | 10 years | Legal obligation |
| Connection logs | 1 year | LCEN |
| Cookies | 13 months max | CNIL recommendation |

---

## Drafting Workflow

### Step 1: Template Selection (MANDATORY)

> **NEVER DRAFT A POLICY FROM SCRATCH.**
> Always start from a given template for drafting, either:
> - the default template in `assets/sample_template_politique_confidentialite.docx`;
> - another internal template provided by the user.
>
> This template is your base reference. You must:
> - **Faithfully reproduce the template's structure and wording**
> - **Keep the exact template phrasing** (they are validated)
> - **Only replace placeholders** with client information
> - **Do NOT rewrite sentences** even if you think you can phrase them better
> - **Do NOT add sections** that are not in the template
>
> The collected information (T&Cs, site, etc.) is used to **fill in** the template, **not to rewrite it**.

**1. FIRST ACTION: Confirm the template to use BEFORE any drafting. Ask the user:**
```
"I will draft the privacy policy starting from the provided default template. Do you have an internal template that would be more suitable as a starting point?"
```

| Option | Action |
|--------|--------|
| Default template | Use `assets/sample_template_politique_confidentialite.docx` |
| Internal template | Use the document provided by the lawyer |

**2. Consider the user's choice and select the starting template.**

---

### Step 2: Understand the Client's Business

> **MAIN OBJECTIVE**: Truly understand what the client does, their business, the user journey on their platform.

**1. Ask the lawyer for available information:**
```
"To draft a perfectly tailored policy, please provide:
- Information you have about the client and their business
- Existing documents (T&Cs, sales conditions, order forms, contracts...)
- Exchanges or key points raised by the client
- The site/application URL (if accessible)
- Points that must absolutely be included according to you

You may anonymize this information if necessary for confidentiality reasons.

The more information you provide, the better adapted the policy will be to the actual case. Otherwise, we will conduct our own research but it will be limited to publicly accessible information."
```

**2. Analyze the documents provided:**

| Document | What we extract |
|----------|-----------------|
| T&Cs / Sales Conditions | Platform operation, services offered, obligations |
| Order forms | Data collected, services, potential processors |
| Client exchanges | Key points, specific concerns, business particularities |

**3. Additional research on the site (if accessible):**

> Note: Some sites only display a "Request a quote" form without access to the platform. In that case, rely primarily on the documents provided.

The objective is to **understand the business** AND **identify technical elements**:
- Understand what the company actually does
- Read the existing privacy policy (if present)
- Read the existing T&Cs/Legal notices
- Identify the typical user journey (if visible)
- **Identify data collection forms** (registration, contact, order...)
- **Spot cookies/trackers** via the banner
- **List features** (account, newsletter, chat, payment...)

**4. Summary before drafting:**

```
CLIENT: [Name]
BUSINESS: [Description in 2-3 sentences]
PLATFORM TYPE: [SaaS, e-commerce, mobile app, etc.]
USER JOURNEY: [Key steps]
DATA COLLECTED: [List by collection point]
COOKIES IDENTIFIED: [Types of cookies spotted]
FORMS: [List of collection points]
KEY LAWYER POINTS: [What must absolutely be included]
SPECIFICITIES: [What makes this case particular]
```

> Once the summary is ready → Proceed to Draft 1

---

### Step 3: Draft 1

> **ABSOLUTE RULE**: The template is your validated base.
>
> - **START from the template**: structure, wording, tone → this is your reference
> - **ADAPT to the client case**: integrate the specific information collected
> - **DO NOT rewrite everything**: keep the template wording, only adapt what needs to be
>
> In summary: Template + client information = Draft 1. Not a complete rewrite.

Complete the template section by section with the collected information:

1. **Identity of the data controller**
2. **Data collected** (by category)
3. **Purposes and legal bases** (table)
4. **Recipients and processors**
5. **International transfers**
6. **Retention periods** (table)
7. **Data subject rights**
8. **How to exercise rights**
9. **Cookies and trackers**
10. **Data security**
11. **Policy changes**
12. **Contact**

> **Immediate compliance check:** Before presenting Draft 1, verify the mandatory disclosures checklist (Art. 13 GDPR):
> - [ ] Controller identity and contact details
> - [ ] DPO contact details (if appointed)
> - [ ] Processing purposes
> - [ ] Legal basis for each purpose
> - [ ] Legitimate interests pursued (if applicable)
> - [ ] Recipients or categories of recipients
> - [ ] Transfers outside EU and safeguards
> - [ ] Retention period or criteria for determination
> - [ ] Data subject rights (access, rectification, erasure, restriction, portability, objection)
> - [ ] Right to withdraw consent (if applicable)
> - [ ] Right to lodge a complaint with the CNIL
> - [ ] Whether data provision is mandatory/optional
> - [ ] Existence of automated decision-making (if applicable)
>
> If Draft 1 is compliant → Proceed to Step 4.

---

### Step 4: Deliver Draft 1 + Benchmark + Improvement Suggestions

**1. Deliver Draft 1 with explanation:**
```
Here is Draft 1 of the privacy policy.

**What I took into account:**
- [Summary of key elements integrated]
- [Client specificities considered]
- [Particular points mentioned by the lawyer]

**Compliance:** The document meets Art. 13 GDPR requirements.
```

**2. Present the benchmark (systematic):**

Research 3-5 privacy policies from companies in the same sector, then present:
```
**Benchmark conducted:**

I analyzed the privacy policies of:
- [Company 1] - [what we noted]
- [Company 2] - [what we noted]
- [Company 3] - [what we noted]

**Identified possible improvements:**
- [Improvement 1]: [explanation]
- [Improvement 2]: [explanation]
- [Improvement 3]: [explanation]

Would you like to incorporate these elements into the provided Draft?
```

**3. If the lawyer approves improvements → Produce Draft 2.**

---

### Step 5: Final Verification

Final review before definitive delivery:

- [ ] All Art. 13 GDPR disclosures present
- [ ] Client information correctly integrated
- [ ] Clear and accessible language
- [ ] No internal references (template, sources) in final document
- [ ] Update date present

---

## Standard Policy Structure

```
PRIVACY POLICY
[Company Name]
Last updated: [DATE]

TABLE OF CONTENTS (if long document)

1. WHO ARE WE?
   - Controller identity
   - DPO contact details

2. WHAT DATA DO WE COLLECT?
   - Identification data
   - Browsing data
   - Transaction data
   - Etc.

3. WHY DO WE COLLECT YOUR DATA?
   - Purposes / legal bases table

4. WITH WHOM DO WE SHARE YOUR DATA?
   - Internal services
   - Processors
   - Partners (if consent)
   - Authorities (legal obligations)

5. IS YOUR DATA TRANSFERRED OUTSIDE THE EU?
   - Countries concerned
   - Safeguards

6. HOW LONG DO WE KEEP YOUR DATA?
   - Retention periods table by data type

7. WHAT ARE YOUR RIGHTS?
   - List of rights with simple explanation
   - How to exercise them

8. COOKIES AND TRACKERS
   - Types of cookies used
   - Preference management

9. SECURITY
   - Measures in place (without sensitive technical details)

10. CHANGES TO THIS POLICY
    - Notification procedure

11. CONTACT US
    - Email
    - Postal address
    - Link to form
```

---

## Drafting Best Practices

### Writing Style

| Do | Avoid |
|-----|-------|
| Use "you" / "your data" | Use "the user" / "the data subject" |
| Short and simple sentences | Excessive legal jargon |
| Concrete examples | Vague wording ("various data") |
| Tables for clarity | Dense paragraphs |
| Clear and explicit headings | Multiple cross-references without explanation |

### Accessibility

- **Clear language**: understandable by a non-lawyer user
- **Visible structure**: table of contents, numbered headings
- **Layered information**: summary + details if needed
- **Update date**: visible at top of document

---

## Common Mistakes to Avoid

| Mistake | Consequence | Solution |
|---------|-------------|----------|
| Copy-paste from generic template | Non-compliance, inconsistency | Adapt to each case |
| Incorrect legal bases | Unlawful processing | Analyze each purpose |
| Missing retention periods | Non-compliance Art. 13 | Systematic table |
| Forgetting transfers outside EU | Potential fine | Check processors |
| Rights mentioned without procedures | Rights unexercisable | Dedicated email address |
| Cookie wall | Prohibited by CNIL | Refusing as easy as accepting |

---

## CNIL Reference Sanctions

| Company | Amount | Main Reason |
|---------|--------|-------------|
| Google | €150M | Cookies: refusing more difficult than accepting |
| Facebook | €60M | Cookies: no "reject all" button |
| Carrefour | €3M | Insufficient information, excessive retention |
| Amazon | €35M | Cookies placed without consent |

> These sanctions illustrate the importance of a compliant policy and rigorous cookie management.

---

## Frequently Asked Questions

### 1. Must the policy be in French?

**Yes**, if the site targets French users. It can be bilingual if the site is international.

### 2. Is a separate policy needed for the mobile app?

**Not necessarily**, but the policy must cover app-specific aspects (permissions, data collected by the device).

### 3. How to handle updates?

- Date each version
- Inform users of substantial changes
- Keep previous versions

### 4. Is a DPO mandatory?

**Not systematically.** Mandatory if:
- Public authority
- Large-scale processing of sensitive data
- Regular and systematic large-scale monitoring

---

## Using This Guide

1. **Step 1 - Choose the template**: Default, or lawyer's internal template
2. **Step 2 - Understand the business**: Collect lawyer docs + site research
3. **Step 3 - Draft Draft 1**: Complete template + compliance check
4. **Step 4 - Deliver + Benchmark**: Present Draft 1 + systematic benchmark + improvement suggestions
5. **Step 5 - Finalize**: Integrate approved improvements + final verification

> **TEMPLATE REMINDER**: Never draft from scratch. Always start from the template and adapt it.
>
> **SOURCES REMINDER**: The CNIL and GDPR references in this guide are for the drafter. They should not appear in the final document, except for mandatory legal disclosures (right to lodge a complaint with CNIL, etc.).
