Background
----------

ISO/IEC 27002:2022 clause 5.34 indicates that "The organization should establish and communicate a topic-specific policy on privacy and protection of PII [Personally Identifiable Information] to all relevant interested parties."

Policy statements
-----------------

1. We collect your personal data when you:
   - Visit our website or use our mobile app
   - Create an account with us
   - Sign up for our marketing and promotional communications
   - Purchase products (goods and/or services) from us
   - Call on us for customer support

2. We use personal data for purposes such as:
   - Processing your payments and providing our products to you
   - Monitoring and improving our products
   - Sending you marketing and promotional communications
   - Preventing fraud and other illegal activities
   - Complying with our legal and regulatory obligations

3. We may disclose your personal data to:
   - Service providers in connection with the marketing, provision and delivery of our products
   - Law enforcement and other authorities in response to lawful requests

4. You can manage your consent to the processing of your personal data by:
   - Updating your account preferences through our website or mobile app
   - Clicking the unsubscribe link in any of our marketing and promotional communications sent directly to you
   - Otherwise contacting our Data Protection Officer [provide contact details]

5. We protect your personal data against unauthorized access, use or disclosure by:
   - Encrypting it during communications and storage
   - Restricting access to authorized individuals using logical, physical and procedural access controls
   - Guiding workers on their privacy obligations through internal policies coupled with an awareness and training program, with management oversight

Notes
-----

This is a "skeleton" policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation.

It is written in the first person, the style typically used by privacy policies published on corporate websites. As hinted at by the standard's mention of communicating the policy to all relevant interested parties, it would normally be supplemented by classical internal/corporate security policies and procedures expanding on the obligations, requirements and practicalities for workers handling personal information (not just digital computer data, remember).

IMPORTANT DISCLAIMER: given the compliance and risk implications, the policy MUST be customised/adapted, extended and approved by competent specialist advisors familiar with the particular laws, regulations and risks applicable to your organisation. This generic and incomplete skeleton policy is simply provided to get you started: it is NOT advice.

Jump-start the process by visiting www.SecAware.com for more comprehensive customisable privacy policy templates in MS Word.