Whenever I fill in a form or buy something on-line, I am letting the website record my personal data. But what happens to my data afterwards? What is the company running the website allowed to do with it? It's a question that few internet users ask, but that anyone whose website gathers personal data really ought to consider.
Why have a privacy statement?
To protect internet shoppers and other website visitors, Dutch law requires anyone who gathers personal data on line to inform people before taking the data (Data Protection Act, Section 33). That requirement can be met by providing a privacy statement for the customer or visitor to read. The statement can be included in the organisation's terms and conditions, or it can take the form of a separate document. In the privacy statement, a website controller has to explain clearly what is going to happen to your personal data. Unfortunately, a lot of companies don't actually provide privacy statements. Either they don't know about the requirement, or they misinterpret it. A common mistake is not drawing the visitor's attention to the statement until after the personal data has been submitted.
Study of privacy statements in .nl
Last year, SIDN investigated the situation with privacy statements in the .nl zone. The study involved trawling through the entire zone. Using a 'crawler' and Chamber of Commerce data, we began by establishing how many .nl websites gathered personal data. We then counted the number of sites that had content that looked as if it could be some form of privacy statement. We took a broad view of what might be a privacy statement: we included terms and conditions documents, for example. We did not consider the quality of the content in question.
Most sites don't have privacy statements
Within the .nl zone, there are more than a million Dutch business websites. Our research revealed that 600,000 of those sites gather personal data. However, only about 160,000 have a page with legal info that could serve as a privacy statement, e.g. a privacy policy page, a legal page or a terms and conditions page. That is a strikingly small proportion, although we should point out that most of the major webshops familiar to the Dutch public are doing things correctly.
Does your website comply with the Data Protection Act?
Drawing up a privacy statement isn't difficult. Many companies already have privacy-related provisions in their terms and conditions, but are simply failing to display them on their websites as they should.
If you need help deciding what should go in your privacy statement, you'll find various tools on line. For example, Thuiswinkel.org and Veiliginternetten.nl has a privacy policy generator. Before publishing your statement, don't forget to clear it with your legal advisor.
