1. Data Subject Rights (User Rights Section)

You need to create a dedicated section or page (or expand the Privacy Policy) that explicitly lists each user right in clear, unambiguous language and tells the user how to exercise it.

A. Rights to be Defined

Include clearly explained, non-ambiguous descriptions of:

  • Right of Access
    Users can request confirmation that their personal data is being processed and obtain a copy of that data.
  • Right to Rectification
    Users can request correction of inaccurate data and completion of incomplete data.
  • Right to Erasure (Right to be Forgotten)
    Users can request deletion of their personal data (subject to legal exceptions, e.g., statutory retention obligations).
  • Right to Restriction of Processing
    Users can request that processing be limited (e.g., while the accuracy of the data is disputed or an objection is being assessed).
  • Right to Data Portability
    Users can receive their data in a structured, commonly used, machine-readable format and have it transmitted to another provider.
  • Right to Object
    Users can object to processing based on legitimate interest, and can object to direct marketing at any time.

B. Action Mechanism (Critical for Compliance)

C. Request Handling Information

  • Define:
    • Expected response timeline (e.g., within one month of receipt, stating whether and when that period can be extended)
    • Identity verification process (how a requester proves who they are before any data is disclosed, corrected or deleted, so that a request cannot be used to obtain or alter someone else's data)
  • State any conditions or limitations (legal or regulatory grounds on which a request may be refused or only partially fulfilled).

D. UX & Placement

  • Place in:
    • Privacy Policy (mandatory)
    • Optional standalone “Your Rights” page
  • Use simple headings and a bullet structure for readability.

E. Audit Requirement

  • Ensure:
    • Each right is explicitly stated (no generic wording)
    • Mechanism to exercise rights is clearly visible

2. Data Processing Principles (Compliance Statement Section)

You need to document the core data protection principles that govern how personal data is handled.

A. Principles to be Covered

  • Lawfulness
    Data is processed only on a valid legal basis (consent, contract, legal obligation, legitimate interest, etc.).
  • Fairness
    Processing does not adversely affect users, mislead them, or use data in ways they would not reasonably expect.
  • Transparency
    Users are clearly informed about what data is collected, why, and by whom.
  • Purpose Limitation
    Data is collected only for specified, explicit purposes and is not later processed for unrelated purposes.
  • Data Minimization
    Only data that is necessary for the stated purpose is collected; no excessive or irrelevant data is gathered.

B. Content Structuring

  • Each principle should include:
    • Definition (1–2 lines)
    • How FID applies it in practice (a concrete description of the actual process, not a restatement of the definition)

C. Alignment with Other Sections

  • Ensure consistency with:
    • Consent mechanisms
    • Cookie policy
    • Contact form data collection

D. Placement

  • Include within:
    • Privacy Policy (mandatory)
    • Optionally highlight in a separate “Data Protection Commitment” section

E. Audit Expectation

  • Language must be:
    • Explicit (not implied)
    • Structured and traceable to implementation practices