Drafting a privacy policy

In today’s data-driven world, transparency is essential. A well-drafted privacy policy is more than a legal requirement; it’s a cornerstone of responsible business conduct and compliance. It shows customers, employees, and partners that you handle personal data with care and in accordance with the EU and local data protection legislation.

Every organisation that collects, stores, or processes personal data, whether it concerns client lists, employee records, or other personal data, must have a clear and accessible privacy policy, or separate policies tailored to specific target groups.

A. Legal framework in Belgium and the EU 

Privacy policies are primarily governed by (i) the GDPR and (ii) the Belgian Data Protection Act of 30 July 2018, together with related guidance from the European Data Protection Board (EDPB) and the Belgian data protection authority (DPA).

Individuals must be clearly informed about who processes their data, why, and for how long. Policies should be written in understandable language.

B. Key elements 

1. Identity and contact details of the controller – Identify who is responsible for processing the data and how they can be contacted. This typically includes the company name, address, and email address of the Data Protection Officer (DPO) or privacy contact. If the organisation is part of a group, indicate which entity acts as data controller or whether any other companies act as joint controllers.

2. Categories of personal data – Describe what types of data are collected and processed (e.g. identification, contact, HR, financial, etc.). As a law firm, we can suggest relevant categories and good drafting practices based on our experience, but it is essential that each organisation develops a clear and practical understanding of its own data flows: who collects what, from whom, for which purpose, and where it is stored. This data mapping exercise forms the cornerstone of any compliance program: a privacy policy can only be accurate and effective if it reflects the organisation’s real-life data processing activities. Without this insight, even a well-written policy risks being legally insufficient or misleading.

3. Purposes and legal bases – Explain why personal data is processed and on what legal grounds. Common bases include consent, contractual necessity, legal obligation, legitimate interest, or (for sensitive data) explicit consent or substantial public interest.

4. Data sharing and transfers – Indicate whether personal data is shared with third parties (such as IT providers, accountants, or marketing platforms), affiliates, or external processors, and for what purpose. If personal data is transferred outside the European Economic Area (EEA), specify the safeguards in place (e.g. Standard Contractual Clauses, adequacy decisions, or other mechanisms). Clear disclosure of recipients and safeguards demonstrates compliance and builds user trust.

5. Retention periods – Indicate how long each category of data is retained or describe the criteria used to determine this. Retention must always be limited to what is necessary for the purpose. As an organisation, you can also choose to refer to internal retention policies.

6. Rights of data subjects – Outline the rights data subjects have, including access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. Describe how these rights can be exercised and provide contact details for submitting a request. Also mention the right to lodge a complaint with the Belgian DPA.

7. Security measures – Summarise the technical and organisational measures in place to protect personal data from loss, misuse, or unauthorised access. Although it is not mandatory to include full details in the privacy policy, it is best practice to have a separate internal document describing these measures, both to demonstrate compliance upon request and to ensure the organisation actually adheres to them.

8. Cookies – If cookies or similar technologies are used, link to or include a separate cookie policy that details their types, purpose, duration, and consent mechanism. Remember that under the ePrivacy Directive, consent is required for non-essential cookies (analytics, advertising, social media, etc.). The Belgian DPA has made cookie compliance a key enforcement focus, particularly since 2022, when it issued several sanctions and detailed guidance on the use of cookie banners, transparency, and consent withdrawal.

9. Updates and version control – Mention how the policy may be updated and how data subjects will be informed of changes.

10. Language and accessibility – Ensure the policy is available in the languages relevant to your users (Dutch, French, English) and easily accessible, both online and internally: on your website, intranet, and/or onboarding materials.

As with many compliance documents, a privacy policy is not a one-off document but a living tool that evolves with your business. Reviewing it regularly ensures compliance and builds trust with clients, employees, and partners. At act legal Belgium, we help companies draft, review, and update privacy policies that meet GDPR requirements while remaining practical and tailored to your operations.
