This website privacy policy template has been designed to help website owners comply with European Union and United Kingdom data protection legislation, including the General Data Protection Regulation (GDPR).
The policy covers all the usual ground: the categories of personal data that are collected, the purposes for which that personal data may be used, the legal bases for processing, the persons to whom the personal data may be disclosed, international transfers of personal data, the security measures used to protect the personal data, individual rights and website cookies.
First published in 2008, this policy and its antecedents have been used on hundreds of thousands of websites. It was updated during 2017 and 2018 to reflect the GDPR and the developing regulatory guidance from the EU and UK data protection authorities. This template was last updated on 25 April 2018.
If you're new to data protection law, then before downloading the policy you might want to review the questions and answers below, which provide an introduction to both the legal and practical issues around the use of privacy policies.
Data protection law is not straightforward. Indeed, since the coming into force of the GDPR, it is difficult for many organisations to be confident that they comply.
Ideally, all privacy policies would be prepared by, or under the supervision of, experts in data protection law. But data protection expertise can be expensive: you might pay anything from £500 to £5,000 or more for a UK data protection lawyer to prepare a privacy policy.
As with many business investments in legal services, you will need to balance the risks of a DIY approach against the costs of using a professional. In general, you should always use a professional if there are significant amounts of money at stake or material risks of liability.
The core disclosures required by the GDPR are set out in Articles 13 and 14.
Article 13 sets out the information that must be provided where personal data are collected from the individual. Article 14 sets out the information that must be provided where personal data are collected from some other source.
The main categories of information are:
identity and contact information of the controller;
where personal data is not collected from the individual, the source and nature of that data;
the purposes of the processing;
the legal bases for the processing, including details of applicable legitimate interests;
the recipients or categories of recipients of the personal data;
details of international transfers of personal data that require legal protections, and details of those protections;
the periods for which the personal data will be stored, or at least the criteria used to determine those periods;
individuals' legal rights with respect to their personal data;
whether the provision of personal data is a legal requirement;
the existence of automated decision-making, including profiling.
Our privacy policy template has been designed to help you to disclose the necessary information.
A privacy policy is concerned with an organisation's role as a controller of personal data, whereas a data protection impact assessment agreement is concerned with an organisation's role as a processor of personal data.
This distinction can be confusing and tricky to apply.
Both controllers and processors process personal data. Just because you are processing personal data, that doesn’t make you a processor. You might be a processor, but equally, you might be a controller. Confused yet?
The distinction is tricky to apply because the definitions are highly abstract. A controller is defined as a person who determines the purposes and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. In practice, the determination of purposes is more significant than the determination of means.
This privacy policy template is ideal for small businesses and is provided free, without warranties or liabilities. It is meant to be used as a privacy template that you can edit and adapt into your own small business privacy notice or privacy policy. There are various sections within the template that you may need to edit and complete with your small business details; some sections may not be required and could be removed. The template covers the general key points of a GDPR-compliant privacy policy, though it is not a comprehensive document and you may need to extend it to suit your business operations. If you require professional advice or bespoke privacy policies, please seek professional legal advice from a company that specialises in privacy notices or privacy policy templates.