We provide this document for download and use completely free of charge.
- Solicitor approved
- Plain English makes editing easy
- Guidance notes included
- Money back guarantee
Specific versions of this document
About this privacy statement template
Most modern websites collect data about the people who visit them. Often it might be clear to visitors when this happens, for example, when they buy from you or sign up for your services, but sometimes it might be less obvious, such as when you track their browsing behaviour.
Editing the template
Your privacy statement should reflect the way your organisation collects and uses data. This will change between organisations enough to make each notice unique, but there are common elements that can be covered with standardised statements.
By giving you the wording for different common situations, we hope that we have done as much of the work for you as we can.
However, you will need to spend time editing this policy template. There are advantages to this.
The first is that while considering how data is collected, used, and managed, the task of editing should prompt you to think about how other parts of your organisation might need to change. For example, you might need to put in place more secure data transfer processes between two teams.
The second is that a well written privacy notice is likely to demonstrate willingness to comply with the law, even if your organisation falls short in some areas.
One aspect of the GDPR that has caught the headlines is the ability of a supervisory body (the Information Commissioner’s Office or ICO in the UK) to hand out large fines for non-compliance.
Based on how the ICO has acted in the past, our opinion is that it is unlikely to use its full powers against SMEs from day one. More likely, it will issue a warning before a fine, especially if the business can show that it has attempted to comply with the law – unless, of course, a very serious data breach has occurred.
Your privacy statement is likely to be the first thing that the ICO will consider when judging whether you have made an attempt to comply with the GDPR and other regulations. A well written notice is therefore likely to reduce the likelihood of immediate punitive action.
Free to use
We provide this template completely free of charge.
We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.
Features and contents
The template is written in plain language that is visitor friendly, and structured so that it is both easy to read and easy to edit.
The first part of the notice explains the legal bases you have chosen for processing different types of information and how these types are used.
The second part deals with specific uses – less designed to comply with the GDPR and more for the purposes of reassuring customers and protecting you under different law (for example, regarding copyright).
The third part sets out requirements under the GDPR and DPA once again: whether data is shared with other organisations; how it can be reviewed; and other miscellaneous matters.
In places we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may require a little customisation to reflect fully your policy, but because it is written in plain English, editing it is easy.
This notice can be used by a wide range of types of business. Examples of those currently using it include:
- solicitors and other business consultants
- ecommerce sites
- service providers such as career development coaches and fitness trainers
- blogs and information sites
- web hosting providers
- community projects
- not for profit organisations and charities
The contents of the document cover:
- Categories of information collected and used, organised by the legal basis for use
- Visitor contributed content
- Payment and other financial information
- Other personal identifiers from browsing activity
- Advertising, including use of remarketing
- Data transfers and processing outside the EU
- Access to personal information
- Removal of personal information
- Data retention
The bases for processing data covered in this template
Some data could be processed under one basis, and other data under another. Additionally, a basis might change over time.
For marketing purposes, Consent is likely to be the basis used.
For example, a website visitor could enter his or her e-mail address on your website in order to receive monthly newsletters, or a member of a club could tick a box on a paper membership form. If Consent is the basis you use, then you should provide some means, clearly displayed, for the subject to withdraw it, such as an unsubscribe link in the newsletter.
The advantage of Consent is that you can clearly demonstrate in any disagreement that consent has been given – it requires the data subject to take specific action to allow you to use data about him or her.
Contract as a basis can be used where processing the data is necessary to carry out a contract that the data subject has requested, or where a subject has asked you to do something before entering into a contract (for example, providing a quote) that requires you to process data. A contract has the same definition as under contract law.
Importantly, the processing must be a reasonable way to deliver your side of the agreement and the basis no longer can apply once the contract is complete. That means, for example, that marketing messages to previous customers cannot be sent under this basis.
Legal Obligation can be used as a basis where there is statutory law that requires you to store or use data. For example, HMRC requires all businesses to store records of transactions. Whether other obligations for you to process data exist largely depend on the industry in which you operate or the type of organisation.
Legitimate Interests is the most flexible basis, in that it is most subjective. However, it is not always most appropriate.For it to be used there needs to be a good reason to process the data (beneficial to either the organisation or the individual or both) where processing under this basis is necessary to achieve it. The rights of the data subject not to have the data processed must also have been considered. If the individual might not expect the processing to take place, or if processing might cause harm, then Legitimate Interests cannot be used as a basis.
Examples of where Legitimate Interests might be used include:
- to obtain insurance for the business
- to protect against a fraudulent claim
- to notify members of an organisation of a change of which if they were not aware, might cause harm
This document was written by a solicitor for Net Lawman. It complies with current English law.
"I have used you in the past and am always impressed!"Diane Bantten (Acquit Debt Recovery)
"Brilliant. I am most grateful to Net Lawman. Your service standard is unparallel. I would strongly recommend any individual or organisation to Net Lawman."Dr. Smarajit Roy
"A very useful find for an SME looking for good legal documentation."iTMS Software Pty Ltd