
Background

----------

ISO/IEC 27002:2022 clause 5.34 indicates that "The organization should establish
and communicate a topic-specific policy on privacy and protection of PII
[Personally Identifiable Information] to all relevant interested parties."

Policy statements
-----------------

1. We collect your personal data when you:

- Visit our website or use our mobile app
- Create an account with us
- Sign up for our marketing and promotional communications
- Purchase products (goods and/or services) from us
- Call on us for customer support

2. We use personal data for purposes such as:

- Processing your payments and providing our products to you
- Monitoring and improving our products
- Sending you marketing and promotional communications
- Preventing fraud and other illegal activities
- Complying with our legal and regulatory obligations

3. We may disclose your personal data to:

- Service providers in connection with the marketing, provision and delivery
of our products
- Law enforcement and other authorities in response to lawful requests

4. You can manage your consent to the processing of your personal data by:

- Updating your account preferences through our website or mobile app
- Clicking the unsubscribe link in any of our marketing and promotional
communications sent directly to you
- Otherwise contacting our Data Protection Officer [provide contact details]

5. We protect your personal data against unauthorized access, use or disclosure by:

- Encrypting it during communications and storage
- Restricting access to authorized individuals using logical, physical and
procedural access controls
- Guiding workers on their privacy obligations through internal policies
coupled with an awareness and training program, with management oversight

Notes
-----

This is a "skeleton" policy providing just the bare bones, the basic foundations on
which to construct a custom policy for your organisation. It is written in the
first person, the style typically used by privacy policies published on corporate
websites. As hinted at by the standard's mention of communicating the policy to
all relevant interested parties, it would normally be supplemented by classical
internal/corporate security policies and procedures expanding on the obligations,
requirements and practicalities for workers handling personal information (not just
digital computer data, remember).

IMPORTANT DISCLAIMER: given the compliance and risk implications, the policy MUST
be customised/adapted, extended and approved by competent specialist advisors
familiar with the particular laws, regulations and risks applicable to your
organisation. This generic and incomplete skeleton policy is simply provided to
get you started: it is NOT advice.

Jump-start the process by visiting www.SecAware.com for more comprehensive
customisable privacy policy templates in MS Word.