2024 07 31

Privacy policy – individual or using a generator?

Businesses and self-employed individuals need to address the privacy policy on their website as part of their online presence. This raises the question of whether using a generator to create the privacy policy is sufficient and advisable, or if having a customized privacy policy prepared by an expert is the better option. In this article, we take a closer look at the advantages and disadvantages of both approaches.

Privacy Policy – what is it and who needs one?

As soon as personal data is processed on a website, the creation and publication of a privacy policy is required (cf. Art. 13 GDPR). Personal data is all information that relates to an identified or identifiable living person (Art. 4 No. 1 GDPR). This includes, for example, the first and last name, telephone number, bank details or a customer number. The question of whether a privacy policy is required or not depends on whether the website is operated privately or commercially. The controller must be clearly identified in the privacy policy. It must provide clear and understandable information about which personal data is collected and processed on the website, for what purpose and on what legal basis. The duration of storage of the personal data must also be clear. A key component of the privacy policy is the explanation of the data subject’s rights, i.e. the rights that website users have with regard to the personal data collected from them (e.g. right of access, right to erasure, etc.). If you want to learn more about what a privacy policy actually is, you can read more in our blog post – Easy Data Protection.

The most common activities on websites that make a privacy policy necessary are the following:

Contact form

When integrating a contact form that collects the name, phone number, or email address of the person making contact, personal data is already being collected and processed.

Tools, Plug-Ins & Cookies

When creating a website, various tools and plugins are often used to add specific functions or to analyze user behavior. Many of these tools and plugins set cookies and transfer personal data. Well-known analytics tools, such as Google Analytics, are primarily used to collect and evaluate such data. Which cookies are set in the background can only be determined through a technical review of the website, as this is not visible through the standard interface. If the website is built using such tools and plugins, the privacy policy must clearly specify which data is collected and processed by which tool and for what purpose.

Offering a newsletter, which requires users to provide their email address and first and last name, also makes the creation of a privacy policy necessary.

E-Commerce / Online shops

A privacy policy is indispensable for online shops, which must collect names, addresses, and payment information to process sales. After all, contract fulfillment is also a data processing activity.

Registration, User Accounts, and Comment Functions

When users have the option to register, create an account, or post comments, the privacy policy must clearly explain which personal data is collected from them and for what purpose.

Create a privacy policy individually or using a generator?

A closer look quickly shows that almost every website meets one or more criteria requiring a privacy policy. The next question is how to create a legally compliant privacy policy. The privacy policy should always be drafted with great care and attention to ensure it meets legal requirements. In addition to legal expertise, a certain level of technical understanding is also necessary to correctly collect and prepare the privacy policy.

To create a privacy policy, all personal data collected and processed on the website must be fully identified. Each data must be assigned to a legally prescribed purpose for data collection and processing. Consequently, it must then be clearly categorized whether data is shared with third parties, such as hosting providers or payment service providers. A certain structure is then required that names and explains the required elements in the usual order.

For most website operators, the question arises whether to create the privacy policy using so-called generators or through a lawyer.

Privacy policy from the generator

A generator for creating privacy policies for website operators is an online tool that supports operators in creating their own privacy policies. The generator asks website operators questions and allows them to select various options for data processing on their website. For example, the website operator must specify which data is processed for what purpose and whether cookies are used. As a result, the generator creates a text that can be used as a privacy policy. This generated privacy policy can often be further customized and supplemented by the website operator with specific clauses.

Custom Privacy Policy

When a privacy policy for a website is created by an attorney, the process ideally involves an in-depth legal and technical review of the relevant website to ensure the correct collection and processing of personal data. The scope of services should be clearly explained to the website operator.
Initially, the attorney examines the user interface and the functionality of the website and its subpages for compliance with data protection regulations. Installed tools and plugins are carefully analyzed regarding the collection and processing of personal data. Additionally, the visual presentation of the cookie consent tool can be reviewed to ensure that manual adjustments of individual buttons, selection options, required links to legal texts, and the breakdown of used tools and plugins comply with the law.
A technical review is also essential to verify that cookies set in the background, which transfer personal data, correspond to the choices made in the cookie consent tool and to ensure that all data transfers are fully captured in the privacy policy.

This approach ensures that the privacy policy accurately reflects the actual data transfers occurring on the website.

Based on this comprehensive review, the attorney can then create an individual, website-specific, and legally compliant privacy policy.

Advantages and disadvantages

An advantage of creating a privacy policy using a generator is that it is initially more cost-effective than having it drafted by an attorney. Additionally, the generator can be used at any time, making the resulting privacy policy quickly available.

However, there is a risk of lacking individualization, as generators rely on general templates that usually cannot be adequately adapted to the specific data processing activities of the respective website. Another issue is that generators are often not up to date and may fail to account for the continuous and dynamic development of data protection laws and case law, which means the generated privacy policy might not be legally compliant from the outset.

Faulty or incomplete privacy policies can lead to warnings and fines, which can quickly amount to several thousand euros. Errors often occur when using a generator due to the incomplete recording of collected personal data and the insufficient, incorrect, or legally outdated classification of data processing activities—both by the website operator and by the generator itself.

When a privacy policy is drafted by an attorney, the costs are generally higher compared to using a generator, and the processing time will usually be longer.

Before drafting an individual privacy policy, a thorough review of various levels of the website is conducted to identify and document all collection and processing of personal data. The legal classification is then aligned with current legislation and case law, ensuring legally compliant solutions for specific issues.

Conclusion and recommendation

Warnings and fines for violations of the GDPR and other applicable data protection laws and regulations are a real and everyday risk, which companies and self-employed individuals should be particularly aware of. Fines from data protection authorities can be especially painful, particularly in the startup phase.

When creating a privacy policy using a generator, achieving a legally secure result largely depends on the website operator having the necessary legal and technical expertise to assess whether the resulting privacy policy is correct, complete, and resistant to warnings. A comprehensive and individualized review by an external expert does not take place when using a generator.

A privacy policy drafted by a lawyer should be based on a comprehensive legal and technical review and take current legislation into account. Since engaging a legal expert in the field of data protection will result in a legally compliant and customized privacy policy, we strongly recommend accepting the higher initial costs and, at the same time, gaining the security of not being subject to unforeseeable warnings and fines from data protection authorities. If companies and self-employed individuals are aware of their legal obligations and involve their legal counsel early on in the process, processing times can be determined and factored in, in addition to the resulting costs.

If you’re thinking about creating a customized privacy policy, contact us and tell us about your website and idea in a free initial consultation!

Privacy policy – ​​individual or using a generator?