This template provides you with the wording you need to create a policy for your website or app.
Most modern websites collect data about the people who visit them. Often it might be clear to visitors when this happens, for example, when they buy from you or sign up for your services, but sometimes it might be less obvious, such as when you track their browsing behavior.
In May 2018, data protection law came into force that strengthens the rights of individuals to know what personal data about them is collected, used and managed. This privacy policy template helps you comply with every aspect of the law.
This is a completely free privacy policy template.
We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.
The template is written in plain language that is visitor friendly and is structured so that it is both easy to read and easy to edit.
The first part of the notice explains the legal bases you have chosen for processing different types of information and how these types are used.
The second part deals with specific uses – less designed to comply with the GDPR and more for the purposes of reassuring customers and protecting you under different laws (for example, regarding copyright).
The third part sets out requirements under the GDPR and DPA once again: whether data is shared with other organisations; how it can be reviewed; and other miscellaneous matters.
In places, we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may need a little customisation to fully reflect your policy, but because it is written in plain English, editing it is easy.
This notice can be used by a wide range of types of business. Examples of those currently using it include:
solicitors, accountants and other business consultants
e-commerce sites
service providers such as career development coaches and fitness trainers
blogs and information sites
web hosting providers
hotels
community projects
not for profit organisations and charities
The contents of the document cover:
Categories of information collected and used, organised by the legal basis for use
Visitor contributed content
Payment information, whether debit and credit card information or other financial information
Other personal identifiers from browsing activity
Advertising, including use of remarketing
Data transfers and processing outside the EU
Access to personal information
Removal of personal information
Data retention
Complaints
If you collect, use or store personal data for non-personal use then UK and EU law requires that you tell that person what data you 'process' and how.
Personal data is any data that identifies an individual. It commonly includes first and last names, contact information such as an email address or delivery address and payment information such as credit card information. It may also include data that you may not have considered such as an IP address logged by your web server or video footage taken by a security camera on your premises.
The usual way to disclose the required information is to publish a privacy policy on your website, particularly if you collect personal data through use of your website.
Because it is easy to post a privacy policy online, we associate a privacy statement with a website.
However, the law requires you to disclose how you collect, use and store personal data even if you don't have a website or if you process information by other means.
Whether you need a privacy policy is not determined by what technology you use or whether you are in business in a particular industry.
If you publish a mobile app, you can (and should) use the same privacy policy on your website and on your app. Apple, Google and Facebook will all reject your app at review if you don't have a privacy statement, or if it is not clearly labeled. So if you are an app developer, whether you develop for iOS, Android or Facebook (or even desktop), you can and should publish a privacy policy.
Your privacy notice should reflect the way your organisation collects and uses personal data. This will change between organisations enough to make each notice unique, but there are common elements that can be covered with standardised statements.
By giving you the wording for different common situations, we hope that we have done as much of the work for you as we can. We also include our guidance notes, which explain how to edit the privacy policy for your website.
However, you will need to spend time editing this privacy policy template. There are advantages to this.
Your obligation under UK law is not just to publish a statement about personal information you collect, but also to put in place policies and procedures that your website visitors and users never see. While considering how data is collected, used, and managed, the task of editing should prompt you to think about your privacy practices overall and how other parts of your organisation might need to change.
GDPR requires you to choose and communicate (such as in a privacy notice) under what legitimate basis you process personal data. There are six possible bases. Of these, most businesses and organisations are likely to choose one of four, so this privacy policy template gives you the options to use those.
Some data could be processed under one basis, and other data under another. Additionally, a basis might change over time.
For marketing purposes, consent is likely to be the basis used.
For example, a website visitor could enter his or her email address on your website in order to receive monthly newsletters, or a member of a club could tick a box on a paper membership form. If Consent is the basis you use, then you should provide some means, clearly displayed, for the subject to withdraw it, such as an unsubscribe link in the newsletter.