Methodology & Criteria

The 5th edition of the UW Scorecard Report offers a snapshot of the privacy practices of 286 private and public companies, spanning nine (9) countries and eight (8) industries, all of which manage substantial amounts of personal data due to the size and scope of their operations. The number of companies assessed increased by 33.56% compared to last year, when 190 companies were assessed, and 48 companies in 2023. From each sector, namely telecommunications, e-commerce, online betting, banking and finance, insurance, government agencies/bodies, health and digital loan, four (4) companies were selected for assessment.

In all nine countries, the companies were chosen based on their market share, with one representing the highest market share and the other holding a mid-tier position, creating a balance between major and mid-sized players within each sector. The assessment focused on the companies' compliance with the data protection and privacy laws of their respective countries, evaluating them against seven core indicators. Each indicator comprises measurable variables, with scores assigned according to the companies' adherence to data protection laws and regulations. The indicators and their corresponding variables are:

1. Registration with the National Regulator

This indicator in the Privacy Scorecard evaluates whether an organization has been formally registered with the designated data protection regulator in their jurisdiction. Registration with the national regulator is often a foundational step towards demonstrating an organization’s commitment to protecting individuals’ privacy rights.

This indicator underscores the importance of regulatory compliance in safeguarding individuals’ privacy rights. By ensuring that organizations register with the national regulator and maintain active registration status, stakeholders can have greater confidence in the organization’s commitment to protecting personal data and complying with applicable data protection laws.

To earn a credit under this indicator, an organization must fulfill the following:

  • The organization’s jurisdiction must have data protection laws that mandate registration with the national regulator before collecting any personal data. This requirement may vary from one jurisdiction to another, as not all countries have mandatory registration systems.
  • The organization’s registration status with the national regulator must be indicated as “Active.” This signifies that the organization has completed the registration process and is in compliance with the regulatory requirements.

2. Accessible Privacy Policy

The indicator assesses the extent to which organizations prioritize transparency and accountability in their data handling practices. To qualify for credit under this indicator, organizations must meet stringent criteria, ensuring that their privacy policies are readily accessible, publicly available, noticeable, and easily understandable to the general public.

A publicly available and understandable privacy policy fosters trust and accountability between organizations and their users. It demonstrates a commitment to transparency and ethical data handling practices, enhancing the organization’s reputation and credibility in the eyes of stakeholders. Ultimately, organizations that fulfill the criteria earn a credit within the Privacy Scorecard report, signaling their dedication to promoting transparency, accountability, and user empowerment in the realm of data privacy.

This evaluation covers only the privacy policy, which must meet the following:

  • Public and published – Organizations must have a publicly accessible privacy policy, typically hosted on their website or another prominent platform. This policy should be easily discoverable by users seeking information about the organization's data handling practices. If it exists, it is considered public and published.
  • Noticeable – The privacy policy should be prominently displayed and easily noticeable to users. Whether through a dedicated webpage, a link in the website footer, or incorporation into the signup process, the policy should not be hidden or difficult to find.
  • Readable – The language used in the privacy policy should be clear, concise, and comprehensible to the average user. Technical jargon and legalese should be minimized, so that individuals without specialized knowledge can grasp the content and implications of the policy. The Hemingway Editor is used to evaluate the readability of the privacy policy; the policy is considered readable only if it scores "Good" on that platform.
  • Length – The word count of each company's privacy policy is recorded. If it is below 200 words, the company will not get a star.

3. Pre-Collection Data Transparency (Data Subject Rights)

To earn a star in this category, companies/agencies must commit to complying with the provisions of their respective Data Protection Laws and inform users clearly, at the time of collecting their data, about at least:

  • who your company/agency is (your contact details, and those of your DPO if any)
  • why your company/agency will be using their personal data (purposes)
  • the nature and category of personal data being collected
  • the legal justification for processing their data
  • for how long the data will be kept
  • who else might receive it
  • that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection
  • their right to lodge a complaint with the Regulator
  • their right to withdraw consent at any time
  • the information may be provided in writing, orally at the request of the individual when the identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge

This indicator requires that users be furnished with the following details:
  • Company's contact details – either an address, contact email or phone number should be provided in the policy.
  • Purpose of data collection – the reason for which the data is collected should be explicitly expressed in the policy.
  • Types of personal data collected – The first section of the data protection policy should clearly define its scope which includes identifying the types of personal data collected.
  • Data storage duration – This variable requires the policy to explicitly state the period for which the personal data collected is stored. Companies that stated that data storage was in accordance with the law also earned a credit.
  • Right to access personal data – This variable requires policies to notify data subjects of their right to access personal data. Data subjects can get more information and a copy of their personal data with this right. Additionally, it gives data subjects the ability to understand how and why businesses are using their data and to confirm that this use is permitted by law.
  • Right to update, correct, or erase personal data – The privacy policy must mention the data subject has the right to correct personal data and the right to delete or erase personal data.
  • Right to restrict or object to data processing – The privacy policy must mention that the data subject has the right to restrict or object to data processing.
  • Right to withdraw consent at any time – The privacy policy must mention that the data subject has the right to withdraw consent at any time.

4. Third-Party Data Transfer

This indicator evaluates the transparency and accountability of organizations regarding the transfer of personal data to third parties. This indicator serves as a crucial measure to ensure that data subjects are informed about the sharing of their personal information and the purposes for which it is shared.

Fulfilling these criteria is imperative for organizations seeking to earn credit under the Third-party Data Transfer indicator. By providing clear and comprehensive disclosures in their privacy policies, organizations demonstrate their commitment to transparency and accountability in data handling practices. This not only empowers data subjects to make informed decisions about their personal information but also fosters trust and confidence in the organization’s data processing activities.

This indicator was evaluated along the following variables:
  • Third-party entities - The privacy policy should identify the third-party entities with whom the organization shares personal data. This includes any external parties, such as service providers, affiliates, or partners, involved in processing or utilizing the data.
  • Specific Data Shared
  1. Organizations must specify the types of personal data that are shared with third parties. This encompasses any information collected from data subjects that is subsequently transferred to external entities for processing or other purposes.
  2. The tech analysis will use the interception environment provided by Privacy International to check what the application or website of the company is actually collecting.
  3. The result should be matched with the privacy policy to decide if there is any personal data being collected but not mentioned in the privacy policy.
  4. The data collector records the third parties mentioned in the privacy policy.
  5. The tech analysis will collect data on which trackers are on the websites and mobile application of the company (if it exists).
  6. The trackers on websites will be collected with the Blacklight website and Ghostery, a browser extension.
  7. If the company has any applications, the trackers of the application will be collected with Exodus.
  8. The data collector will then locate the company that these trackers belong to with Exodus, Whotracksme and Google searches.
  9. The data collector will then match the companies of these trackers with the third-parties mentioned in the companies' privacy policy. If any of the tracker companies was not mentioned among the third parties, the company will fail to get a star.
  • Purpose of Data Transfer - The privacy policy should outline the purposes for which personal data is shared with third parties. This includes detailing the reasons or objectives behind the transfer, such as for service provision, marketing activities, analytics, or any other legitimate business purposes.
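Steps 3 and 9 above both reduce to the same check: take what the technical analysis observed (data types intercepted, owners of trackers found) and subtract what the privacy policy discloses. The following is an added example of that matching logic, written for this page and not code from the UW Scorecard project. The tracker list, the disclosed third parties and the data types are constructed sample values, and the name normalization (dropping legal suffixes such as "LLC" and matching on whole words) is my own assumption about how a data collector would reconcile a tracker vendor's legal name with the wording of a policy.

```python
import re

# Legal-form suffixes dropped before comparing names (assumed list, extend as needed)
_SUFFIXES = {"inc", "llc", "ltd", "limited", "corp", "corporation", "co", "plc", "gmbh", "the"}


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and legal suffixes: 'Google LLC' -> 'google'."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", name.lower())
    return " ".join(t for t in cleaned.split() if t not in _SUFFIXES)


def _covers(disclosed: str, owner: str) -> bool:
    """True when a disclosed party names the tracker owner, exactly or as a whole word.

    Whole-word matching avoids 'meta' being satisfied by 'metadata services'."""
    if not disclosed or not owner:
        return False
    if disclosed == owner:
        return True
    return bool(
        re.search(rf"\b{re.escape(owner)}\b", disclosed)
        or re.search(rf"\b{re.escape(disclosed)}\b", owner)
    )


def undisclosed_tracker_owners(trackers, disclosed_third_parties):
    """Step 9: tracker owners (from Exodus/WhoTracks.Me lookups) absent from the policy's third-party list."""
    disclosed = [normalize_name(p) for p in disclosed_third_parties]
    return [
        (tracker, owner)
        for tracker, owner in trackers
        if not any(_covers(d, normalize_name(owner)) for d in disclosed)
    ]


def undisclosed_data_types(observed_data_types, policy_data_types):
    """Step 3: data types seen in the interception environment that the policy never mentions."""
    policy = {normalize_name(t) for t in policy_data_types}
    return [t for t in observed_data_types if normalize_name(t) not in policy]


def third_party_star(trackers, disclosed_third_parties, observed_data_types, policy_data_types):
    """A company earns the star only when nothing observed is missing from the policy."""
    return not undisclosed_tracker_owners(trackers, disclosed_third_parties) and not undisclosed_data_types(
        observed_data_types, policy_data_types
    )


# Constructed sample input: (tracker name, owning company) pairs as a collector would record them
SAMPLE_TRACKERS = [
    ("Google Analytics", "Google LLC"),
    ("Meta Pixel", "Meta Platforms, Inc."),
    ("Hotjar", "Hotjar Ltd"),
]
# Constructed sample: third parties named in the privacy policy
SAMPLE_POLICY_THIRD_PARTIES = ["Google", "Meta Platforms", "payment processors"]
# Constructed sample: data types observed in the interception environment vs. named in the policy
SAMPLE_OBSERVED_DATA = ["device identifier", "email address", "precise location"]
SAMPLE_POLICY_DATA_TYPES = ["Email address", "Device identifier"]


if __name__ == "__main__":
    print("Undisclosed tracker owners:", undisclosed_tracker_owners(SAMPLE_TRACKERS, SAMPLE_POLICY_THIRD_PARTIES))
    print("Undisclosed data types:", undisclosed_data_types(SAMPLE_OBSERVED_DATA, SAMPLE_POLICY_DATA_TYPES))
    print("Star:", third_party_star(SAMPLE_TRACKERS, SAMPLE_POLICY_THIRD_PARTIES,
                                    SAMPLE_OBSERVED_DATA, SAMPLE_POLICY_DATA_TYPES))
```

With the sample data, Hotjar and "precise location" are flagged and the star is withheld; a policy that named Hotjar and location data would pass. A generic disclosure such as "payment processors" never covers a named tracker vendor under this matching, which mirrors the indicator's requirement that the third-party entities be identified.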

5. Practice Robust Data Security

The indicator evaluates the extent to which organizations prioritize and implement robust measures to safeguard the security of data they collect and process.

To qualify for credit under this indicator, organizations must demonstrate their adherence to data security measures as mandated by the respective Data Protection Laws governing their jurisdiction. These measures typically encompass a wide array of technical, organizational, and procedural safeguards designed to protect against unauthorized access, disclosure, alteration, or destruction of personal data. Companies subject to assessment under this indicator must showcase tangible evidence of their commitment to data security, including but not limited to:
  • the place or location where the personal data is stored,
  • the security measures incorporated into any equipment in which the personal data are stored,
  • the measures taken for ensuring the reliability, integrity and competence of the personnel having access to the personal data,
  • the measures taken for ensuring the secure transmission of the personal data.
  • SSL server score of the company website – The company website will be tested on Qualys SSL Labs. If a company's SSL server grade is lower than A, the company will not get a star.
  • Privacy Policy – The privacy policy should mention how the personal data is secured.
  • Security Header score of the company website – The company website will be tested on SecurityHeaders.com. If a company's security headers grade is lower than A, the company will not get a star.
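The two scanner thresholds above ("lower than A" on Qualys SSL Labs and on SecurityHeaders.com) are easy to get wrong at the edges: A+ passes, A- and B do not, and SSL Labs' non-letter results (T for trust issues, M for a name mismatch) must fail rather than raise. The following added example, written for this page and not the scorecard project's own tooling, encodes that threshold and adds a local pre-check of the six response headers SecurityHeaders.com reports on, so a collector can see which headers a site is missing before recording the scanner's grade. The letter-per-missing-header mapping in local_header_grade is my own assumption and not the service's algorithm; the two HTTP response heads are constructed samples.

```python
import re

# The response headers SecurityHeaders.com reports on (assumed list; the service's grading is not reproduced here)
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

_LETTER_RANK = {"F": 0, "E": 1, "D": 2, "C": 3, "B": 4, "A": 5}


def parse_response_head(raw: str) -> dict:
    """Parse the head of an HTTP response (status line + headers) into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(headers: dict) -> list:
    """Headers from REQUIRED_HEADERS that the response does not set, in a stable order."""
    return [h for h in REQUIRED_HEADERS if h not in headers]


def local_header_grade(headers: dict) -> str:
    """Assumed mapping for a pre-check: A with nothing missing, one letter lower per missing header, floor F."""
    missing = len(missing_security_headers(headers))
    return "ABCDEF"[min(missing, 5)]


def grade_rank(grade: str) -> float:
    """Order scanner grades: A+ > A > A- > B > ... > F; non-letter results (T, M, R) rank below F."""
    m = re.fullmatch(r"([A-F])([+-]?)", grade.strip().upper())
    if not m:
        return -1.0
    modifier = {"+": 0.5, "-": -0.5, "": 0.0}[m.group(2)]
    return _LETTER_RANK[m.group(1)] + modifier


def meets_threshold(grade: str, threshold: str = "A") -> bool:
    """The indicator's rule: anything lower than A fails, A and A+ pass."""
    return grade_rank(grade) >= grade_rank(threshold)


def data_security_star(ssl_grade: str, headers_grade: str, policy_mentions_security: bool) -> bool:
    """All three variables of the indicator must hold for the star."""
    return meets_threshold(ssl_grade) and meets_threshold(headers_grade) and policy_mentions_security


# Constructed sample: a hardened response head
HARDENED_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()
"""

# Constructed sample: same site without CSP and Permissions-Policy
WEAK_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
"""


if __name__ == "__main__":
    for label, head in (("hardened", HARDENED_HEAD), ("weak", WEAK_HEAD)):
        parsed = parse_response_head(head)
        print(label, local_header_grade(parsed), missing_security_headers(parsed))
    print("Star with SSL A+, headers A, policy ok:", data_security_star("A+", "A", True))
    print("Star with SSL A-, headers A, policy ok:", data_security_star("A-", "A", True))
```

The local grade is only a triage aid: the recorded score must still come from the named scanners, since SSL Labs also evaluates protocol versions, cipher suites and certificate chain issues that no header inspection can see.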

6. Availability of Transparency Report

The indicator serves as a pivotal benchmark for evaluating the commitment of organizations to transparency in their data handling practices. To qualify for a credit under this indicator, companies must demonstrate the existence of a comprehensive report detailing the utilization and processing of personal data collected within a specified timeframe, typically a year.

This transparency report serves as a crucial tool for accountability, shedding light on how organizations manage and safeguard individuals’ personal information. It outlines the specifics of how collected data is utilized internally, as well as any instances of sharing with third parties. By providing insight into data processing practices, these reports empower users to make informed decisions about their privacy and better understand the implications of sharing their personal information.

The Availability of Transparency Report indicator underscores the importance of transparency in data handling practices. Companies that fulfill this criterion not only enhance their credibility but also contribute to a more transparent and accountable digital ecosystem, where individuals’ privacy rights are respected and upheld.

7. Internal Data Breach Resolution

This indicator scrutinizes an organization’s privacy policy to determine if it explicitly outlines the mechanisms in place to resolve internal data breaches. To earn a credit under this indicator, the privacy policy must meet several criteria:

  • Explicit Remedy Mechanisms – The organization's privacy policy should clearly articulate the steps taken to address data and privacy breaches internally. This includes outlining the procedures for reporting breaches, investigating incidents, and implementing corrective actions.
  • Emphasis on Impartiality – The policy should emphasize impartiality in the resolution process. This means ensuring that investigations into breaches are conducted objectively, without bias or favoritism towards any party involved.
  • Timely Processing – Timeliness is crucial in addressing data breaches effectively. The policy should specify reasonable timeframes for reporting, investigating, and resolving breaches to minimize the potential impact on the individuals affected.
  • Accessibility – Accessibility of the resolution mechanisms is vital for ensuring that individuals can easily report breaches and seek redress. The policy should outline how individuals can access these mechanisms, whether through designated reporting channels, online platforms, or other means.