It can also be used for web and mobile apps and by businesses that operate offline.
As well as complying with data protection legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), it will help reassure your customers and website visitors that you protect their personal data and take privacy seriously.
- Solicitor approved
- Plain English makes editing easy
- Guidance notes included
- Money back guarantee
Why you need a privacy notice
In May 2018, enhanced data protection law came into force. It strengthens the rights of individuals to know what personal information about them is collected, used and managed (or otherwise 'processed').
whether you process personally identifable information that could be linked to a private individual (known as a 'data subject'); and
whether data subjects are citizens or residents of the UK or European Union member states.
The requirements of the DPA are not just that you protect personally identifiable information but that you also inform users about how your business collects and processes personal information and data subject rights.
One of the core functions of many websites is to present a professional image of the business. Simply put, one of the main reasons to publish a privacy notice is because the general public expects you to do so. Not having one can put off potential customers from buying from you.
A sound template for your app or website privacy notice
Most websites and apps collect personal data about the people who use them.
While it might be clear to visitors or users when this happens, for example, when they provide credit card details to buy from you or otherwise sign up for your services, sometimes it might be less obvious, such as when you track their browsing behaviour or transfer data to third parties.
It meets the requirements for disclosure for app stores including Facebook Apps, Google Play and the Apple App Store, and for advertising platforms including Google Adsense.
Alternative templates for specific industries
If you work in one of the following specific professional service providers, you'll be able to download a version specifically for your business:
Features and contents
Free to download and use
We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.
Easy to understand & fast to edit
The template is written in clear and plain language that is visitor friendly, easy to read and easy to edit.
It is structured so that you can disclose all the necessary information legally required for GDPR compliance.
The introduction gives information about your business: the name and address and, if you have appointed a data protection officer, the name and contact details of the DPO.
The first part of the notice explains the legal bases you have chosen for processing different types information collected by you and how these types are used.
The second part deals with specific uses – less designed to comply with the General Data Protection Regulation and data protection law, and more for the purposes of reassuring customers and protecting you under different laws (for example, regarding copyright). In this part, you can describe
The third part sets out requirements under the General Data Protection Regulation and data protection law once again: whether the information is shared with other organisations; how it can be reviewed; and other miscellaneous matters.
In places, we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may need a little customisation to reflect fully your policy, but because it is written in plain English, editing it is easy.
The contents of the document cover:
- Categories of collected personal information and how it is used, organised by the legal basis for use
- Visitor contributed content
- Payment information, whether debit and credit card information or other financial data
- Other personal identifiers from browsing activity
- Advertising, including use of remarketing
- Data transfers and processing outside the EU
- Access to personal information
- Removal of personal information
- Data retention
Suitable for many types of business
This notice can be used by a wide range of types of business. Examples of those currently using it include:
- solicitors, accountants and other business consultants
- e-commerce sites
- service providers such as career development coaches and fitness trainers
- blogs and information sites
- web hosting providers
- community projects
- not for profit organisations and charities
If you collect personal data or use or store personal information for non-personal use, then UK law requires that you tell that person what data you 'process' and how.
Personal information is any data that identifies an individual. It commonly includes first and last names, contact information such as an email address or delivery address and payment information such as credit card information or credit card details. Personal data may also include data that you may not have considered such as an IP addresses logged by your web server or video footage taken by a security camera on your premises.
If you don't have a website
However, the law requires you to disclose how you collect,use and store personal information even if you don't have a website or if you collect personal data by other means (for example, a mobile app).
Your privacy statement should reflect the way your organisation collects and uses personal information. This will change between organisations enough to make each notice unique, but there are common elements that can be covered with standardised statements.
Your obligation under UK law is not just to publish a statement about personal information you collect, but also to put in place security measures, policies and procedures that your website visitors and users never see. While considering how personal information is collected, used, and managed, the task of editing should prompt you to think about your privacy practices overall and how other parts of your organisation might need to change.
For example, you might need to put in place more secure personal data transfer processes between two teams or you may be able to reduce the personal data you collect.
Additionally, a well-written privacy notice is likely to demonstrate your willingness to comply with the law, even if your organisation falls short in some areas.
One aspect of the GDPR that has caught the headlines is the ability of a supervisory body (the Information Commissioner’s Office or ICO in the UK) to hand out large fines for non-compliance.
Based on how the ICO has acted in the past, our opinion is that it is unlikely to use its full powers against SMEs from day one. More likely, it will issue a warning before a fine, especially if the business can show that it has attempted to comply with the law – unless, of course, a very serious data breach has occurred.
Your privacy statement is likely to be the first thing that the ICO will consider when judging whether you have made an attempt to comply with the GDPR and other regulations. A well-written notice is therefore likely to reduce the likelihood of immediate punitive action.
The steps you should follow
Make a list of the types of people about whom you are collecting personal information: site visitors, users, customers, employees, contractors and suppliers, business partners, other third parties.
For each of the types of people, make a list of the users personal information you collect, use or store. It may be information they provide to you themselves, or it may be a third party provider (such as a credit reference agency) provides, or it may be personal data that you collect from your interaction with them.
Be aware that some user data needs to be treated more carefully than other information. 'Special Category Data' is defined by the law as information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions and trade union membership. It also includes health, genetic and biometric data. If you do process Special Category Data, you need to make sure that you disclose that you do.
Decide on the granularity of your disclosure. It may seem right to disclose every item of data. But that may give users more information than perhaps is useful to them. We suggest you group information into types, such as 'contact information' and 'payment information' and give examples of the types of data in each group. For example, 'Contact Information' is information that we use for the purposes of communicating with you and may include your postal address, your telephone numbers and your email address."
Decide on the basis or bases on which you process personal information. As described further down this page, there are six bases and you are required by law to tell users which ones you use. Most organisations will use at least three of the six ('Consent', 'Legitimate Interests' and 'Legal Obligation'), and possibly four or five. Again, you can give detailed information about which basis is used for each item of data, but it may be more practical to give examples of which groups are processed under each basis.
The bases for processing data covered in this template
Some personal information could be processed under one basis, and other personal information under another. Additionally, a basis might change over time.
For marketing purposes, Consent is likely to be the basis used.
For example, a website visitor could enter his or her email address on your website in order to receive monthly newsletters, or a member of a club could tick a box on a paper membership form. If Consent is the basis you use, then you should provide some means, clearly displayed, for the subject to withdraw it, such as an unsubscribe link in the newsletter.
The advantage of Consent is that you can clearly demonstrate in any disagreement that consent has been given – it requires the data subject to take specific action to allow you to use personal information you collect about him or her.
Contract as a basis can be used where processing the personal information is necessary to carry out a contract that the data subject has requested, or where a subject has asked you to do something before entering into a contract (for example, providing a quote) that requires you to process personal information. A contract has the same definition as under contract law.
Importantly, the processing must be a reasonable way to deliver your side of the agreement and the basis no longer can apply once the contract is complete. That means, for example, that marketing messages to previous customers cannot be sent under this basis.
Legal Obligation can be used as a basis where there is statutory law that requires you to store or use personal information. For example, HMRC requires all businesses to store records of transactions. Whether other obligations for you to process data exist largely depend on the industry in which you operate or the type of organisation.
Legitimate Interests ('LI') is the most flexible basis, in that it is most subjective. However, it is not always most appropriate.
For it to be used there needs to be a good reason to process the data (beneficial to either the organisation or the individual or both) where processing under this basis is necessary to achieve it. The rights of the data subject not to have the data processed must also have been considered. If the individual might not expect the processing to take place, or if processing might cause harm to an interest, then LI cannot be used as a basis.
Examples of where LI might be used include:
to obtain insurance for the business to protect against a fraudulent claim
to notify members of an organisation of a change of which if they were not aware, might cause harm
Cookies are often used to provide website functionality across multiple pages. A cookie is a file that is placed on the user's device that records information collected or generated from a previous page.
In addition, cookies may contain personal data, and even if they don't, their purpose may be linked to processing personal data.
You may wish to read more about disclosure requirements for cookies before deciding how much information about them to disclose.
To summarise that article:
Do I need to comply with privacy laws outside the UK?
Other legal jurisdictions have similar privacy laws to the Data Protection Act.
You may have been told that if you are collecting personal information, you need to comply with the privacy laws of those jurisdiction such as the Privacy Act; the Personal Information Protection and Electronic Documents Act ('PIPEDA') or the California Online Privacy Protection Act ('CalOPPA').
While every enforcement authority would like the reach of their legislation to be global, enforcing privacy laws outside their jurisdiction is very difficult unless your business or organisation has some assets in that jurisdiction.
In any case, because the DPA sets such a high standard for disclosure, if you comply with UK law, particularly in respect of 'openness', you're likely to meet most of the requirements of other countries around the world by default.
However, you do need to make sure that users have an opportunity to read it. So it is a good idea to follow common practice and link to it from an expected location such as your website's footer.
You can also provide links to it whenever a user gives personal information. This should remind the user that you take data privacy seriously and that he or she can trust you. As examples, you might do so on email newsletter sign-up forms, 'contact us' forms, account creation forms and e-commerce checkout pages.
Do I also need a data protection statement, GDPR policy or data processing agreement?
Privacy policies are also known as privacy statements or privacy notices. The statement discloses the policy of the organisation in so far as it is a 'controller' of personal information.
You may also hear about 'data protection statements' or 'GDPR policies'. These are usually documents with a different purpose and audience - to tell employees or third party contractors of the internal business processes that protect the customer's privacy and rights. They are usually appended as a schedule to a contract for services or form part of the staff handbook.
In addition, your business may use a 'data processing agreement' to make sure that if a third party processes data, it complies with the law. Doing so is a requirement of the GDPR. Certain clauses are mandatory, others expand on them for specific personal data or circumstances.
This document was written by a solicitor for Net Lawman. It complies with current English law.
"I was really pleased with my recent experience of using Net Lawman. I was able to obtain important legal documents, needed to support my small business. Net Lawman understood my needs and provided fast and efficient service without incurring the significant costs of a traditional law firm. I would both recommend and use Net lawman again"Shireen Arthur
"Reasonable price. Contained just the layout and info I needed. Saved time in production and of course legal fees."Don Eade
"Great resource for a small business like ours. Affordable and professional legal documents that would otherwise cost us a bundle."Garry