websites that only collect limited personal data from users, without using
cookies. An example may be a site that uses a basic ‘Contact Us’ form.
This document has been written with the GDPR in mind, covering important
elements such as details of data subjects' rights, information on the
retention of personal data (i.e. for how long it will be kept), and data
subject access requests.
This template has been reviewed and updated in light of best practice which
has become established since the GDPR came into effect in May 2018. More
detail is provided to data subjects in a number of key areas, including how
personal data is collected, the source of that data, how it is used, and
how it is shared. Furthermore, references to the Data Protection Act 2018
have been added to help make for a smoother Brexit transition in 2019.
This document has been designed for general application; however, please
note that you may require specific legal advice if you deal with ‘special
category’ (aka ‘sensitive’) personal data, data relating to criminal
convictions, or children’s personal data, as additional measures may be
required.
When providing details on the personal data that you collect and how it is
collected, both detail and user-friendliness are important. Using technical
jargon is not a good idea. It is also important to note that, where
personal data is obtained from a third party, you specify what type of
organisation that third party is (e.g. its industry or sector, and whether
it is private or public). It may also be helpful to indicate whether the
source is located inside or outside the EEA. Provide as much detail here as
possible.
It is important to explain how you use the personal data that you collect
and the ‘lawful basis’ which allows you to do so. There are several lawful
bases to choose from, as explained on the ICO website.
Consent, the data being necessary for a contract, or ‘legitimate
interests’ are, we would estimate, the most likely bases for many
businesses; however, it is important to take care when choosing. ‘Consent’
may appear to be the most straightforward, but this is often not the case.
Furthermore, if you choose to rely on ‘legitimate interests’, you should
A related issue is that of automated decision-making and/or profiling. The
law incorporates additional restrictions and rights relating to this kind
of personal data processing, but it is important to note that these only
apply where the resulting decision has ‘a legal or similarly significant
effect’. When carrying out such decision-making or profiling, you should
provide ‘meaningful information about the logic’ involved and explain ‘the
significance and envisaged consequences’ of the process. This is not intended to require
you to provide details of the technical or scientific logic used in the
automated process, however. Instead, you should tell individuals about the
data that you use and why, what the likely result is going to be, and how
likely it is to affect them. It is always important to keep your
information as clear and easy-to-understand as you can. More information
about automated decision-making and profiling is available on the ICO
website.
How long do you retain personal data? This is an important piece of
information to give to data subjects. When dealing with this in your
privacy policy, it is important to keep in mind that some data retention periods may be specified
by law, but others will not. Legal advice should always be sought if there
is any doubt. Please note that example retention periods are not included
in this template.
Another key point relates to data security. Data subjects should be able to
understand what you are doing to keep their personal data safe. When
setting out measures such as encryption, ensuring on-going confidentiality,
and recovering data in the event of loss, be sure to use user-friendly
language.
Finally, it is important to note that the provisions included in this
template are broad and will not necessarily apply to all sites. When
completing this template, ensure that your policy accurately reflects your
actual use of personal data and associated procedures.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
1. Information About [Us] OR [Me]
2. What Does This Policy Cover?
3. What Is Personal Data?
4. What Are My Rights?
5. What Data Do You Collect and How?
6. How Do You Use My Personal Data?
7. How Long Will You Keep My Personal Data?
8. How and Where Do You Store or Transfer My Personal Data?
9. Do You Share My Personal Data?
10. Can I Withhold Information?
11. How Can I Access My Personal Data?
12. How Do I Contact You?
This document template is in open format. Either enter the
requisite details in the highlighted fields or adjust the wording to suit