
Expert Advice Community

Assistance with the toolkit

Guest user Created: May 03, 2021 Last commented: May 07, 2021

I have bought the EU GDPR Website toolkit and would need some help to go through it.

Anyway, I am now working at the Privacy Policy, and here are my questions. I hope you can answer them.

1) In the Privacy Policy template, I have found it difficult to understand the following side notes. Could you, please, explain in simple words?
You state there are 3 ways to use the Privacy Policy/Privacy notes.
First of all, it would be good to understand what you mean with Privacy Notices. Are they those numbered sections that I can see in the Privacy Policy template?

And to make things easier, could you, please, let me know which of the three options I should choose, based on my situation?

I live and work in the UK but with my website I aim to offer my services to the entire world.
I already have made a Privacy Policy, which I have published on my website, but I need to review it to be sure it is compliant (that's why I also bought this toolkit). However, since my website will be accessed from any part of the world, I would need to comply with CCPA and the other privacy legislations too.

2) Instead of having a dedicated page to the Cookie Policy and linking to it from the Privacy Policy, can I just include it in the Privacy Policy?

3) Once ready, can I simply link to my website Privacy Policy from a Google survey I have created, rather than writing a new, specific Privacy Policy for that purpose?
Similarly, should I place this link in all the emails I send to my leads and clients?

4) In the Privacy Policy side notes you wrote: "If you do not have a Data Protection Officer, you can specify another person who is in charge of personal data protection." Since I am self-employed (not a company), I am on my own, and using my name there too would not look very professional. Would it be fine if, instead of writing my name there, I just use the more generic "us"? The context makes the visitor understand that "us" refers to the name+surname written at the beginning of the Privacy Policy. Similarly at 1c: "You can contact us" instead of "You can contact our Data Protection Officer".

5) Under section 2 (Processing of Personal Data during Your Use of Our Website), could you please explain the following terms in simple words?
- access control
- segregation of duties
- internal audit
Also, is encryption to be listed here if I only have an SSL certificate? (I do not know whether there are other ways to do encryption.)

6) What should I write in "Confidentiality level" at the top right corner of the Privacy Policy?
And am I supposed to keep the footer, including the version number of the privacy policy and the license agreement for the template?

7) I have WordPress. Can you confirm that it is GDPR compliant? And, if so, is there a way to know which cookies WordPress sets without plugins installed?
I have read that it sets cookies to allow visitor comments and posts, and for admins; should I mention them in the cookie policy, and how can I find all the information about them?

8) Considering that my WordPress website does not allow comments and posts, and that users do not have to log in to visit it, which of the cookies set by WordPress should I list in my cookie policy?
They are all listed under "WordPress Users Cookie" and "WordPress Commenters Cookie" at https://www.cookielawinfo.com/wordp************************************

Thanks in advance for your help.


Expert
Alessandra Nisticò May 03, 2021

Good afternoon,
I have bought the EU GDPR Website toolkit and would need some help to go through it.
Anyway, I am now working at the Privacy Policy, and here are my questions. I hope you can answer them.
In the Privacy Policy template, I have found it difficult to understand the following side notes. Could you, please, explain in simple words?
You state there are 3 ways to use the Privacy Policy/Privacy notes.
First of all, it would be good to understand what you mean with Privacy Notices. Are they those numbered sections that I can see in the Privacy Policy template?

The privacy notice is a mandatory document that needs to be displayed on your website. The sections of the privacy notice in the template reflect the necessary content which is required by article 13 GDPR. 

You need to adapt the toolkit template to your current situation. If you have a website, you might need a privacy notice to tell website users how you are going to process their data through the use of the website.
If they subscribe to a newsletter, you will need to add this information; if you have an e-commerce site, you may need to develop a privacy notice linked to your general terms of sale, because the data processing of clients will be different from that of website users.

And to make things easier, could you, please, let me know which of the three options I should choose, based on my situation?
I live and work in the UK but with my website I aim to offer my services to the entire world.
I already have made a Privacy Policy, which I have published on my website, but I need to review it to be sure it is compliant (that's why I also bought this toolkit). However, since my website will be accessed from any part of the world, I would need to comply with CCPA and the other privacy legislations too.

If you are based in the UK, please remember to insert references also to the UK GDPR and the UK Data Protection Act 2018. Please verify whether the CCPA applies to your current situation, because for controllers based outside California the requirements are pretty high: processing data of more than 50 000 Californian consumers, 25 billion $ turnover, etc.

Here you can find some information about GDPR and the CCPA:
The differences between the California Consumer Privacy Act and the GDPR https://advisera.com/eugdpracademy/blog/2020/04/13/gdpr-vs-ccpa-what-are-the-main-differences/

 

Instead of having a dedicated page to the Cookie Policy and linking to it from the Privacy Policy, can I just include it in the Privacy Policy?

Yes, you may insert a section on cookies in your privacy notice, especially if you have installed technical and statistical cookies. You should list all of them, describe their functionality and give the data retention period.

 

Once ready, can I simply link to my website Privacy Policy from a Google survey I have created, rather than writing a new, specific Privacy Policy for that purpose?
Similarly, should I place this link in all the emails I send to my leads and clients?

 

Privacy policy and privacy notice are different things. While the privacy policy is a document that explains how your company processes all the data of your organization, giving rules to your staff, the privacy notice's aim is to inform data subjects about data processing.

From your question I understand that you are referring to the privacy notice being published on your website and not to the privacy policy. There are no specific requirements for publishing the privacy notice; however, I would publish it on the website and make it as clear and simple as possible. Your users should not be forced to go outside your website, to a third-party website (Google), in order to read your privacy notice, because more and different data might be processed (i.e. cookies on a Google survey might be different from yours).

 

In the Privacy Policy side notes you wrote: "If you do not have a Data Protection Officer, you can specify another person who is in charge of personal data protection." Since I am self-employed (not a company), so I am on my own and using my name there, too, would not look very professional, would it be fine if instead of writing my name there I just use the more generic "us"? The context makes the visitor understand that "us" refers to the name+surname written at the beginning of the Privacy Policy. Similarly at 1c: "You can contact us" instead of "You can contact our Data Protection Officer".

Yes, you don’t need a Data Protection Officer for a small website.

Under section 2 (Processing of Personal Data during Your Use of Our Website), could you please explain the following terms in simple words?
- access control
- segregation of duties
- internal audit
Also, is encryption to be listed here if I only have an SSL certificate? (I do not know whether there are other ways to do encryption.)

These are security measures that apply to larger organizations.
Access control means whether there is any control over access (password management, control of access to the company premises, video surveillance). Clearly, it does not apply to your situation.

However, if you want to know more about implementing access control, you can find more information in this article

How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
 
Segregation of duties means whether there is any policy that avoids mixing different data processing. If you are a software company, you should avoid mixing data of different clients. For example, you should not mix data of newsletter subscribers with data of clients who did not give you consent for the newsletter.

Here you can find more information about segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
 
Internal audits are procedures inside companies to verify if everything is compliant with GDPR requirements.

Here you can find more information about how to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
 

What should I write in "Confidentiality level" at the top right corner of the Privacy Policy?
And am I supposed to keep the footer, including the version number of the privacy policy and the license agreement for the template?

This template is usually stored inside a folder as a model to be used by a company. Companies generally keep and classify models and templates of documents (contracts, letters, policies, etc.) with an internal classification. The template is usually classified as internal use, because the public version that will be published will have the company layout (so the template file is not published, just a copy-paste of the content, adapted to the brand identity with the fonts, colors and layout of the company).

Together with the link for the toolkit you have received access to video tutorials which show you how to fill out the documents.
 

I have WordPress. Can you confirm that it is GDPR compliant? And, if so, is there a way to know which cookies WordPress sets without plugins installed?
I have read that it sets cookies to allow visitor comments and posts, and for admins; should I mention them in the cookie policy, and how can I find all the information about them?

You can see the cookies by clicking the padlock icon near the address bar of your browser. You can find information by just pasting their names into Google. There are some services on the web, like Cookiebot, that may help you.

An application like WordPress by itself is not enough to be compliant with the GDPR: you need to set processes and responsibilities in order to be fully GDPR compliant. To see what the whole process looks like, see this article: 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
 

Considering that my WordPress website does not allow comments and posts, and that users do not have to log in to visit it, which of the cookies set by WordPress should I list in my cookie policy?

They are all listed under "WordPress Users Cookie" and "WordPress Commenters Cookie" at https://www.cookielawinfo.com/wordpress-cookies-list-why-they-are-used/

Some cookies may also be installed by plugins or third-party add-ons like Google Analytics or social media integrations, so you will need to list and verify all the cookies that have been installed on your website.

 

Here you may find more information about the privacy notice:
Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
If you want to know more about the EU GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

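The answer above tells you where to look for the cookies (the browser's padlock icon) and which names the linked cookielawinfo page groups under "WordPress Users Cookie" and "WordPress Commenters Cookie". The following is an added example, not part of the thread and not Advisera's or WordPress's own code: it turns the raw `Set-Cookie` headers a site returns into the inventory a cookie notice needs (name, category, retention period) and, from a defender's point of view, flags cookies that lack the `Secure` or `HttpOnly` attributes. The WordPress cookie-name prefixes are taken from general WordPress documentation rather than from this page, and the sample headers are constructed, not captured from a real site.

```python
"""Build a cookie-notice inventory from raw Set-Cookie headers.

Added example (not from the forum thread or the toolkit). The sample
headers at the bottom are constructed; the WordPress name prefixes are an
assumption based on general WordPress documentation.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Well-known WordPress core cookie name prefixes, grouped the way the
# cookielawinfo page linked in the thread groups them (assumption).
WORDPRESS_PREFIXES = {
    "wordpress_logged_in_": "WordPress Users Cookie (login session)",
    "wordpress_sec_": "WordPress Users Cookie (admin auth over HTTPS)",
    "wordpress_": "WordPress Users Cookie (auth)",
    "wp-settings-": "WordPress Users Cookie (admin UI preferences)",
    "wordpress_test_cookie": "WordPress Users Cookie (cookie support test)",
    "comment_author_": "WordPress Commenters Cookie",
}


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "samesite": None,
              "expires": None, "max_age": None, "domain": None, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val
        elif key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key == "max-age":
            cookie["max_age"] = int(val)
        elif key in ("domain", "path"):
            cookie[key] = val
    return cookie


def classify(name: str) -> str:
    """Map a cookie name to a notice category; longest prefix wins."""
    for prefix in sorted(WORDPRESS_PREFIXES, key=len, reverse=True):
        if name.startswith(prefix):
            return WORDPRESS_PREFIXES[prefix]
    return "Unknown: check which plugin or third party sets it"


def retention(cookie: dict, now: datetime) -> str:
    """Retention period worded the way a cookie notice states it."""
    if cookie["max_age"] is not None:          # Max-Age overrides Expires
        seconds = cookie["max_age"]
    elif cookie["expires"] is not None:
        seconds = int((cookie["expires"] - now).total_seconds())
    else:
        return "session (deleted when the browser closes)"
    if seconds <= 0:
        return "expired / deleted immediately"
    days = seconds // 86400
    return f"{days} days" if days else f"{seconds} seconds"


def inventory(set_cookie_headers: list, now: datetime) -> list:
    """One row per cookie: name, category, retention and hardening warnings."""
    rows = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        warnings = []
        if not c["secure"]:
            warnings.append("missing Secure")
        if not c["httponly"]:
            warnings.append("missing HttpOnly")
        rows.append({"name": c["name"], "category": classify(c["name"]),
                     "retention": retention(c, now), "warnings": warnings})
    return rows


# Constructed sample of what a WordPress site might send back (not real data).
SAMPLE_HEADERS = [
    "wordpress_test_cookie=WP+Cookie+check; path=/; secure",
    "wordpress_logged_in_abc123=admin|1620000000|token; path=/; secure; HttpOnly",
    "comment_author_abc123=Guido; expires=Mon, 10 May 2021 12:00:00 GMT; path=/",
    "_ga=GA1.2.111; Max-Age=63072000; path=/; SameSite=Lax",
]
# Fixed reference time so the retention figures are reproducible.
REFERENCE_NOW = datetime(2021, 5, 3, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in inventory(SAMPLE_HEADERS, REFERENCE_NOW):
        print(row)
```

To use it on your own site, copy the `Set-Cookie` lines from the browser's network panel (or `curl -I`) into `SAMPLE_HEADERS`; anything classified as "Unknown" is a plugin or third-party cookie that the answer above says you still have to list and verify.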
Guest
Guido Mallardi May 04, 2021

Dear Alessandra,

Thanks for your help so far.

Regarding my previous questions and your respective answers, I have marked with the same numbers those that still need some clarification or where further doubts have arisen in the meantime.

1) Can I simply include the Privacy Notices in the Privacy Policy? In fact, as far as I see, all the websites only have two links at the bottom of each page "Privacy Notice" and "Terms of services".

In the Privacy Notice template at point 1, what is the Personal Data Protection Policy I should link to? Is it already included in the Privacy Policy template?

On the side note of the same point it is written "If your company has multiple data processing activities, you will need to develop different notices based on this template, which will differ depending on the processing activity and the categories of personal data collected. 
For example, one Notice might be written for mailing purposes, and a different one for shipping purposes."

May I include all processing activities in only one Privacy Notice, by simply listing them all there and including this in the Privacy Policy for simplicity?

Or maybe, in section 2 of the Privacy Policy, in each subsection I can add a Privacy Notice specific to that topic. I am thinking of that solution since you say:
"If they subscribe to a newsletter you will need to add this info, if you have an e-commerce, you may need to develop a privacy notice linked to the general terms of sale you have because the data processing of clients will be different from the website users."

Sorry, but I find this really difficult to work out.

Also, in section 4 of the Privacy Notice template, I see I am supposed to insert a "Data Retention Policy" link. Again, wouldn't it be easier and more common to have this included in the Privacy Policy, too (maybe as a dedicated section)? By the way, isn't it section 2g of the privacy policy? If not, where exactly in the privacy policy should I place it?
By the way, I cannot see any template for that. Maybe I am just supposed to write something like "We are going to keep data X for ...years, data Y for ...years, etc." Right?

Similarly, I cannot see any Data Subject Access Request Form in the toolkit. Is there anything standard I can find online and not subject to copyright?

Regarding the CCPA, I don't have such a high turnover, nor do I manage contacts of so many people from California. Therefore, as far as I can see, I do not have to comply with it.

3) Sorry, I probably used the terms wrongly, but also think that part of my question was misunderstood and unanswered, as I was actually saying that the survey is outside my website (hosted in Google Surveys), and I was actually asking whether the relative privacy notice can be included in the privacy policy of the website for simplicity. Then I would link to the privacy policy from the Google survey. Again, I do not have experience of websites having more than a Privacy Policy and a Terms of services in their footer. Nothing such as privacy notices seems to me to be present. Am I wrong? Does that make sense? 
Also, what about the second part of my question? ("Should I place this link in all the emails I send to my leads and clients?", I mean the link to the website privacy policy containing the privacy notice related to newsletter and email contact.)

4) Sorry, but I have found the answer not clear. Do you mean that I should use "us" or that I can simply erase the section speaking about a DPO?

5) Thanks for clarifying this. But I would need an answer also to the second part of my question: is encryption to be listed here if I only have an SSL certificate? (I do not know whether there are other ways to do encryption.)
If that was not clear enough, I meant that I have an SSL certificate, which I believe has to do with the so-called "encryption". However, I am not sure whether this is enough to state that I am doing encryption. Could you, please, explain?

Also, you mentioned that access control has to do with password management (that I believe means how I would protect the passwords of my clients), and that it may be not my case since I own a small business. However, I might want to allow my clients to store their credit card data on my website instead of entering them every time. That would require a login with a username and password.
So, in that case, I believe that I should keep the phrase "access control" in that section. Can you please confirm that?

6) I have checked whether the link to the tutorials was together with the link to the toolkit in the same email, but I could not find it. Would you be so kind as to send me that link?
For the rest, I understand I can erase all: Confidentiality levels and the footer (including the version number of the privacy policy and the license agreement for the template), as I do not need them.

Expert
Alessandra Nisticò May 07, 2021

"Dear Alessandra,
Thanks for your help so far.
Regarding my previous questions and your respective answers, I have marked with the same numbers those that still need some clarification or where further doubts have arisen in the meantime.

Can I simply include the Privacy Notices in the Privacy Policy? In fact, as far as I see, all the websites only have two links at the bottom of each page "Privacy Notice" and "Terms of services".
In the Privacy Notice template at point 1, what is the Personal Data Protection Policy I should link to? Is it already included in the Privacy Policy template?

On the side note of the same point it is written "If your company has multiple data processing activities, you will need to develop different notices based on this template, which will differ depending on the processing activity and the categories of personal data collected.
For example, one Notice might be written for mailing purposes, and a different one for shipping purposes."

May I include all processing activities in only one Privacy Notice, by simply listing them all there and including this in the Privacy Policy for simplicity?

Or maybe, in section 2 of the Privacy Policy, in each subsection I can add a Privacy Notice specific to that topic. I am thinking of that solution since you say:
"If they subscribe to a newsletter you will need to add this info, if you have an e-commerce, you may need to develop a privacy notice linked to the general terms of sale you have because the data processing of clients will be different from the website users."

Sorry, but I find this really difficult to work out.

 

If your activity is based on the website, regardless of the different channels through which you acquire clients, it makes sense to publish the privacy policy and the terms of use, because you will process most of the data through your website or digital instruments.

However, there are some organizations that mix local activities and digital activities, so they need a privacy policy that sets general rules about how the organization processes data, and a privacy notice for the website, because the processing of data of clients/website visitors is different from that of the individuals who enter the local brick-and-mortar shop and purchase goods (i.e., navigation data will not be processed).

The aims of the two documents are different: the privacy policy sets the rules that your business follows in data processing; the privacy notice is specific to each kind of processing. Art. 12 GDPR requires the data controller to inform the data subject in a clear, concise and transparent way for any data processing.

So you need to publish them as separate documents.

The Personal Data Protection Policy is another template that is part of the EU GDPR Toolkit, which is suited to bringing the whole organization to EU GDPR compliance.

Here you can see the EU GDPR Toolkit and all the documentation included:

EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

 

Also, in section 4 of the Privacy Notice template, I see I am supposed to insert a "Data Retention Policy" link. Again, wouldn't it be easier and more common to have this included in the Privacy Policy, too (maybe as a dedicated section)? By the way, isn't it section 2g of the privacy policy? If not, where exactly in the privacy policy should I place it?
By the way, I cannot see any template for that. Maybe I am just supposed to write something like "We are going to keep data X for ...years, data Y for ...years, etc." Right?

 

You need to inform the data subject about data retention periods in your notice (or policy, depending on the solution you prefer). The Data Retention Policy, however, is another document, which helps larger organizations set rules about retention periods for all data processed (also paper-based documents, like contracts, invoices, etc.). Here you can find the template; it is not part of the Website Toolkit that you purchased, which has been developed to help data controllers make their website compliant with the EU GDPR, so it is focused on data processing through the website:

EU GDPR document template: Data Retention Policy: https://advisera.com/eugdpracademy/documentation/data-retention-policy/

 

Similarly, I cannot see any Data Subject Access Request Form in the toolkit. Is there anything standard I can find online and not subject to copyright?

 

Documents related to Data subjects rights are included in our EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ 

 

Regarding the CCPA, I don't have such a high turnover, nor do I manage contacts of so many people from California. Therefore, as far as I can see, I do not have to comply with it.

Sorry, I probably used the terms wrongly, but also think that part of my question was misunderstood and unanswered, as I was actually saying that the survey is outside my website (hosted in Google Surveys), and I was actually asking whether the relative privacy notice can be included in the privacy policy of the website for simplicity. Then I would link to the privacy policy from the Google survey. Again, I do not have experience of websites having more than a Privacy Policy and a Terms of services in their footer. Nothing such as privacy notices seems to me to be present. Am I wrong? Does that make sense?
Also, what about the second part of my question? ("Should I place this link in all the emails I send to my leads and clients?", I mean the link to the website privacy policy containing the privacy notice related to newsletter and email contact.)

 

OK for the CCPA; I agree that, from the situation you described, it seemed unlikely that the CCPA applied to your case.

Yes, you can include the data processing of the survey in the privacy policy of the website, and yes, you can insert the link to your privacy policy in your emails (you can add it to your email signature).

 

Sorry, but I have found the answer not clear. Do you mean that I should use "us" or that I can simply erase the section speaking about a DPO?

You can erase the mention in section c) Data Protection Officer, but in the paragraph “Your Rights” you need to say “As a data subject, you can contact us at”; usually you can insert an email address like privacy@yourwebsitedomain.com

 

Thanks for clarifying this. But I would need an answer also to the second part of my question: is encryption to be listed here if I only have an SSL certificate? (I do not know whether there are other ways to do encryption.)
If that was not clear enough, I meant that I have an SSL certificate, which I believe has to do with the so-called "encryption". However, I am not sure whether this is enough to state that I am doing encryption. Could you, please, explain?

Also, you mentioned that access control has to do with password management (that I believe means how I would protect the passwords of my clients), and that it may be not my case since I own a small business. However, I might want to allow my clients to store their credit card data on my website instead of entering them every time. That would require a login with a username and password.
So, in that case, I believe that I should keep the phrase "access control" in that section. Can you please confirm that?

 

An SSL certificate gives you encryption of navigation data, but what about your database? Your hard disk? Data on your computer? Are they encrypted? If not, you can state that the connection is encrypted through the SSL protocol; you need to verify with your hosting provider whether they offer encryption of data, and also with your cloud system (for example, data stored on a personal Google Drive, not on G Suite, is not encrypted). Does your newsletter provider encrypt the mailing list? As you can see, encryption is a wider theme than the SSL protocol.

 

I have checked whether the link to the tutorials was together with the link to the toolkit in the same email, but I could not find it. Would you be so kind as to send me that link?
For the rest, I understand I can erase all: Confidentiality levels and the footer (including the version number of the privacy policy and the license agreement for the template), as I do not need them."

 

My colleague has sent you the link to the video tutorial.