Why?
The role of a website in business is manifold – by putting your business online, you expand your reach, present your services and products to a wider audience, and strengthen the market position (and branding) of your company.
We can even state that in today’s digital world, putting your business on the online map has become a necessity. What everyone who wants to digitize their business needs to know is that they are subject to certain rules and, accordingly, need to place the required notices on their website.
You’ve probably heard terms like Privacy Policy, Cookie Policy, and Terms of Use many times before. Since 2018, when the General Data Protection Regulation (GDPR) came into effect, there has been a global shift in understanding personal data protection. Based on the GDPR, the Law on Personal Data Protection has been adopted in our country.
GDPR has extraterritorial effect, meaning it doesn’t matter where you are located if you offer services and products to EU users.
Do I need to have a Privacy Policy?
Yes – if you are located in the Republic of Serbia and are subject to the legal rules of the Law on Personal Data Protection, or if you collect data from anyone in the EU and are subject to GDPR rules, you need to create a Privacy Policy.
Personal data collection can be done in various ways – through contact forms, cookies, pixels, Google Analytics, and so on.
What is personal data?
Our Law on Personal Data Protection defines personal data as any data relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as name and identification number, location data, identifiers in electronic communication networks, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
For example, personal data can be a name, address, email address, phone number, bank account number, and similar, but also an IP address if there is a reasonable expectation that the controller can determine to whom that address belongs. This was established by the judgment of the European Court of Justice in Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, and is also the position taken in the opinion of our Commissioner for Information of Public Importance and Personal Data Protection in Publication No. 6, Personal Data Protection: Commissioner’s Opinions and Views, No. 073-14-2369/2019-02 dated January 15, 2020. If it is possible to identify a specific natural person through an IP address, directly or indirectly, that data is considered personal data under our Law.
How should a Privacy Policy be written?
If we look at our Law as well as European practice in data protection, we find that a Privacy Policy should be written in a concise and transparent manner, using simple and easy-to-understand language, in a written form that is easily accessible.
Therefore, it is best to start from the basics – personal data must be processed lawfully and in a manner that ensures appropriate protection. Data collection must be for purposes that are specifically determined, explicit, justified, and lawful, and the data must be limited to what is necessary for the purposes of processing. Data must also be accurate and kept up to date, with all reasonable measures taken to that end, and retained only for the period necessary to achieve the purpose of processing. All of these are the basic principles of processing defined by our Law.
A Privacy Policy is a legal document that needs to be accurate, so it is essential to approach its drafting in an individualized manner. It is necessary to define in a clear and understandable manner what data you collect from your users, the purpose of collection and processing, as well as how they are stored and protected.
The precondition for data processing is its lawfulness, and there are six grounds here. When writing a Privacy Policy, it is important to first define the basis on which the controller processes the data. For example, if data processing is based on user consent, the request for consent must be presented in a clear and easily accessible form using simple words and in a way that distinguishes it from other questions.
Furthermore, it is important to inform the user about their rights in accordance with legal provisions, about potential recipients of personal data if they exist, about the right to complain to the Commissioner, and so on. Also, as a controller, it is important to know your obligations.
As a conclusion, only one sentence comes to mind – a well-done Privacy Policy implies a good understanding of legal regulations in the field of personal data protection.
How do I inform users about the use of cookies?
If you already have a website or are about to place your business online, you surely know that cookies are small text files stored in a web browser that enable the smooth functioning of a website and allow the site to track user interaction, provide a better user experience, and display personalized content.
A cookie notice can be an integral part of the Privacy Policy or created as a separate policy. It is important that the cookie rules are tailored to your website, informing users which cookies you use and for what purpose.
The appearance and structure of a Cookie Policy depends on the cookies used (session/persistent, first-party/third-party cookies, necessary cookies, marketing and analytical cookies…). For example, if you use Google Analytics, Google AdSense, or Remarketing, it is important to highlight and describe them. Don’t forget about other technologies similar to cookies, such as pixel tags and tracking scripts.
As the owner of a website, you are obliged to inform users about the cookies you use, their purposes, and their duration. That’s not enough – you must also obtain the user’s consent. This brings us to the well-known term ‘Cookie Banner’, the notification to users about cookies, which has been widely discussed in European case law. Unless you use only the necessary cookies required for site functionality, you must seek the user’s consent, so that notification must be made in accordance with the rules. This could be extensively covered in a separate text, but the essence is that users must have the option to accept or reject cookies, and this notification must appear during the first visit to the website in a clear and unambiguous manner that does not mislead users.
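To illustrate the requirements above in working code, here is an added example (not part of the original article) of consent gating on the site side: the banner is shown whenever no valid decision has been stored (the first visit), ‘reject’ is as easy as ‘accept’, and analytics or marketing scripts such as Google Analytics are loaded only after the matching consent exists. The storage key, category names and loader labels are assumptions chosen for illustration.

```javascript
// Added example: consent-gated loading of non-essential cookies/scripts.
// Names below (storage key, categories, loader labels) are illustrative assumptions.
const CONSENT_KEY = 'cookie_consent';
const NON_ESSENTIAL = ['analytics', 'marketing'];

// Parse a stored consent record. Returns null when nothing valid is stored,
// i.e. the user has not decided yet (first visit) or the record is unreadable.
function parseConsent(raw) {
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    for (const cat of NON_ESSENTIAL) {
      if (typeof c[cat] !== 'boolean') return null; // incomplete record: ask again
    }
    return { necessary: true, analytics: c.analytics, marketing: c.marketing, decidedAt: c.decidedAt };
  } catch (e) {
    return null;
  }
}

// The banner must appear on the first visit: show it while no valid decision exists.
function shouldShowBanner(storedRaw) {
  return parseConsent(storedRaw) === null;
}

// Build a decision record; "reject all" is decide(false, false), one click like "accept all".
function decide(acceptAnalytics, acceptMarketing) {
  return { analytics: acceptAnalytics === true, marketing: acceptMarketing === true, decidedAt: Date.now() };
}

// Gate: strictly necessary cookies need no consent; everything else needs an explicit true.
function mayUse(category, consent) {
  if (category === 'necessary') return true;
  return consent !== null && consent[category] === true;
}

// Which third-party scripts may be loaded for a given consent state.
// Labels are illustrative; they would map to real script tags on a site.
function loadersFor(consent) {
  const toLoad = [];
  if (mayUse('analytics', consent)) toLoad.push('google-analytics');
  if (mayUse('marketing', consent)) toLoad.push('remarketing-pixel');
  return toLoad;
}

// Browser glue: persist a decision and report what may now run (no-op outside a browser).
function recordDecision(acceptAnalytics, acceptMarketing) {
  const record = decide(acceptAnalytics, acceptMarketing);
  if (typeof localStorage !== 'undefined') localStorage.setItem(CONSENT_KEY, JSON.stringify(record));
  return loadersFor(parseConsent(JSON.stringify(record)));
}
```

Note that a choice of ‘reject’ is stored just like ‘accept’, so the banner does not reappear on every visit for users who declined.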
Do I need to have Terms of use?
Terms of use, also known by the English terms ‘Terms of Service’ or ‘Terms & Conditions’, are not mandatory. So, you don’t have to have them, but they are useful. Let’s explain why.
Terms of use define, as the name suggests, the rules for using a website. They are usually found at the bottom of a website in the form of a link, known as a ‘browsewrap agreement’, but some websites have a pop-up notice about their Terms of use, known as a ‘clickwrap agreement’.
Through Terms of use, you protect your website and your business. You present users with detailed rules on what constitutes unacceptable behavior on the site, how they can use your website, and how you protect your intellectual property. For example, if the website allows user interaction such as commenting, you can legally disclaim liability for content users post on your site, such as inappropriate comments, hate speech, and the like. Besides disclaiming liability, you can specify in the Terms of use what constitutes a violation of your rules and the measures you will take.
Protection of content and intellectual property is one of the most common reasons why website owners decide to create Terms of use. If you define this clause properly, you will protect your intellectual property in case of unauthorized use.
Furthermore, as the website owner, you present yourself in the Terms of use, which is especially important if you are involved in e-commerce. One of the common clauses in Terms of use is the choice of governing law. Since you are on the internet and users from all over the world access your site, we cannot exclude the possibility of legal issues arising. By choosing governing law and jurisdiction (or alternative dispute resolution methods such as arbitration), you ensure that potential disputes will be subject to your domestic law with which you are already familiar, as well as domestic jurisdiction.
What rules apply to me if I engage in e-commerce?
In addition to the Law on Personal Data Protection, the Law on Electronic Commerce, the Law on Consumer Protection, and the Law on Obligations apply to you. Electronic commerce in goods and services represents a form of distance selling.
A provider of electronic commerce services must provide users with direct and constantly accessible information about themselves, their registered office, their contact details, as well as information about registration in the Register of Business Entities and other information prescribed by legal regulations. If you list prices, they must be clearly indicated, and you must particularly specify whether delivery costs and other costs that may affect the price are included.
Before concluding a contract, you must provide the user with certain information in a clear and understandable manner, such as the procedure for concluding a contract, contractual terms, the languages in which the contract is concluded, and so on.
Here we come to the question of whether someone engaged in e-commerce needs to display general terms of business – to fulfill all the obligations imposed on you by law, you need to provide all the information that the law requires users to see. Keep in mind that what applies to a physical store also applies to an online store.
Similarly, through Terms of use, you define the rules that users need to accept if they want to use your services and protect the content on the site.
To be prepared for the opening of your webshop, it is important to provide security regarding electronic transactions, to provide users with all essential information in an understandable and easily accessible manner, and to comply with all legal regulations that apply to you.
We will write more about the legal rules of electronic commerce in one of the upcoming articles. The conclusion is that creating documentation that you will post on your website in a visible and easily accessible manner protects you and provides legal security to you and your users.
Note: This text does not provide legal advice but represents the author’s opinion.