: Privacy Policy for an english site that is located in france but is owned people in Italy I'm really having some difficulties with the Privacy Policy for my site, the website in question is

@Moriarity557

"Does my website have to publish a privacy policy?"
What Gisle Hannemyr's comment states might be misleading. Technically speaking you need to inform your users, but the standard way to do so is by having a privacy policy posted on your website.
As further addition, consider that the California Online Privacy Protection Act (in practice reflecting on any website localized in English), clearly states:


An operator of a commercial Web site or online service that collects
personally identifiable information through the Internet about
individual consumers residing in California who use or visit its
commercial Web site or online service shall conspicuously post its
privacy policy on its Web site


So, the practical answer is: any website collecting personal data (including Cookies) should provide a privacy policy.

"How does data location impact the privacy policy?"
If European Union laws are your your law of reference, you have to inform your users in case any data is transferred outside the European Union. It's also a good practice to inform users about where the personal data is stored, particularly in case there's a third-party provider (e.g. Google with Google Analytics) involved.

"Which language should I localize the privacy policy into?"
Translate the policy into the languages used by your websites. In case your website is in English and Italian, translate into both. As Gisle Hannemyr writes, the goal is to inform the user, and the user must be informed in a language that he's capable of understanding.

"What's my law of reference?"
The law of reference is defined by the Country in which you base your operations. If the data collector is, therefore, based in Italy, you have to refer to Italian Privacy laws (D.Lgs. 196/2003). Cross country privacy enforcement is a sort of grey area, and US based large companies often don't comply with this general rule, but this is my practical suggestion:
EU laws (and Italian laws, that come from them) are very strict and already require to inform users in a deeper and more comprehensive way than other Countries' laws. Be sure to comply with your law of reference and, in case it's EU, also keep an eye to the California OPPA which adds a few more - very simple - requirements.

Also note that I'm the founder of iubenda, a service that lets you generate a privacy policy that reflects all these requirements, and is of course customizable (no copy and paste of repetitive and not compliant text). The service is backed by lawyers and localized in English and Italian.

Vote Up Vote Down

@Caterina187

If your site is handling personal data then it must (i.e. its practices for handling personal data must) comply with EU data protection laws (see the EU Data Protection Directive 95/46/EC for the definition of personal data). However, there is nowhere in the European Union a requirement for a website to have its privacy policy posted - except for "cookies". The directive 2009/136/EC (aka "The Cookie Law") state it is necessary to obtain "informed consent" from the users if you intend to use cookies to track information on your website.

And there is no explicit language requirement in The Cookie Law, but the word "informed" implies that your users must be able to understand your policy. This means that the posted policy must be in a language your users should be able to understand.

Since your site is entirely in English, I believe that your users can be assumed to understand English. I.e. having the cookie policy and opt-in instructions in English is the logical choice, and in compliance with the legal requirement of your users being "informed".

Looking beyond cookies, there is (currently) no legal requirement to have a public privacy policy posted - but doing so is certainly a good idea. I would say that having it in the language of the website is the logical choice that best fulfils the objective of making your users informed about how your site treats personal data. The word "informed" is very important in EU data protection laws - and will be even more so when the projected changes to Data Protection regulation that is currently winding its way through the EU legislative process, where the major shifts seems to be from regulation towards informed consent.

Edit: For avoidance of misunderstanding: There is no formal requirement in the current Italian Privacy Law (i.e. D.Lgs. 196/2003) to have a public privacy policy posted on an Italian website. The Italian privacy law only say the same thing as all other legislation in compliance with Directive 95/46/EC: The data subject whose data is processed has the right to be told what the data controller do with his/her personal data. No current EU law, including the Italian, go into a details about how the data controller shall fulfil this obligation. In other words, if the data controller responds to email that requests this information in a timely manner, the obligation is met.

However, having a well-written public Privacy Policy page on the site may be a better and more economical way of fulfilling this obligation than having to deal with a lot of individual requests for this information.

Vote Up Vote Down