Design your Privacy Policy

The Privacy Policy is the public document that explains how your project processes personal data and how it applies data protection principles, in accordance with Articles 12-14 of the GDPR. All data subjects must have access to this Privacy Policy. It should be documented.

An unofficial but recommended template can be found here:

Checklist. Privacy Policy

  • Contact the office/person who is keeping the records of processing for your organization.
    • If necessary, your Data Protection Officer can help establish the contact.
  • Inform them early on that you intend to process personal data.
    • Your processing activity needs to be entered in the records before processing starts.
  • Follow their instructions on
    • what information you need to provide for the records of processing,
    • when you need to send updates of this information.

Additional documentation pertaining to a single processing activity.

The following items must be documented:

  • Assessment of whether the processing activity is likely to result in a high risk to the rights and freedoms of natural persons.
  • A Data Protection Impact Assessment where the above assessment yields an affirmative result.
  • Potential consultation of the competent supervisory authority prior to processing.
  • Requirements and acceptance tests for the purchase and/or development of the employed software, hardware, and infrastructure.
  • Implemented technical and organizational measures.
  • Regular testing, assessing and evaluating the effectiveness of technical and organizational measures.
  • Requirements and acceptance tests for the selection of processors.
  • Contracts stipulated with processors.
  • Possible inspections and audits of the processor.
  • Method to collect consent.
  • Demonstrations of individual expressions of consent.
  • Information provided to data subjects.
  • Implementation of data subject rights.
  • Actual handling of data subject rights.
  • Possible breach notifications to the competent supervisory authority.
  • Possible communication of data breaches to the data subjects concerned.
  • Any other communication with the competent supervisory authority.

