data about and/or from their users, using both first and third-party
cookies. First-party cookies are those which are set directly by the
website itself. Third-party cookies are set by another site, domain, or
service. Additional provisions govern the use of website analytics.
compliance with the group of laws collectively known as “Cookie Law”. This
policy can assist in compliance with the various requirements laid down by
the law. In particular, the policy explains what cookies your site uses,
what for, and why. Alternatively, if you wish to provide more detailed
information on cookies, this document can be altered to refer to a separate
This document has been written with the GDPR in mind, covering important
things such as data subjects' rights, the retention of personal data, data
subject access requests, and controls and/or consent for cookies and
This template has been reviewed and updated in light of best practice which
has become established since the GDPR came into effect in May 2018. More
detail is provided to data subjects in a number of key areas, including how
personal data is collected, the source of that data, how it is used, and
how it is shared. Furthermore, references to the Data Protection Act 2018
have been added to help make for a smoother Brexit transition in 2019.
This document has been designed for general application, however please
note that you may require specific legal advice if you deal with ‘special
category’ (aka ‘sensitive’) personal data, data relating to criminal
convictions, or children’s personal data as additional measures may be
When providing details of the personal data that you collect and how you
collect it, both detail and user-friendliness are important. In particular,
tech jargon should be avoided whenever possible. It is also important to
note that, where data is sourced from a third party source, you specify
what type of organisation that third party is (e.g. its industry or sector,
and whether it is private or public). It may also be helpful to indicate
whether the source is based inside or outside the EEA. Provide as much
detail here as is commercially reasonable.
It is important to explain how you use the personal data that you collect
and the ‘lawful basis’ which allows you to do so. There are several lawful
bases to choose from, as explained on the ICO website,
. Consent, the data being necessary for a contract, or ‘legitimate
interests’ are, we suggest, the most likely bases for many businesses;
however, it is important to take care when choosing. ‘Consent’ may appear
to be the most straightforward, but this is often not the case.
Furthermore, if you opt to rely on ‘legitimate interests’, it is important
Automated decision-making and/or profiling can be an important aspect of
your personal data usage. The law incorporates specific restrictions and
rights relating to this kind of personal data processing, but it is
important to note that these only apply where the resulting decision has ‘a
legal or similarly significant effect’. When carrying out such
The law requires you to provide ‘meaningful information about the logic’
and to explain ‘the significance and envisaged consequences’ of the
process. This is not intended to require you to provide technical
information about things such as the programming logic used in the
automated process. Instead, you should tell individuals what data you use
and why, what the likely result is going to be, and how likely it is to
affect them. It is always important to keep your information as clear and
easy-to-understand as you can. More information about automated
decision-making and profiling is available on the ICO website,
How long do you keep personal data? This is an important question to answer
Also, keep in mind that some data retention periods may be specified by
law, but this will not apply in many cases. Legal advice should always be
sought if there is any doubt. Please note that example retention periods
are not included in this template.
Another important point to note relates to personal data security. Data
subjects should be able to understand what you are doing to keep their
personal data safe. When setting out measures such as encryption, ensuring
on-going confidentiality, and recovering data in the event of loss, be sure
to use user-friendly language.
Finally, it is important to note that the provisions included in this
template are broad and will not necessarily apply to all websites. When
completing this template, ensure that your policy accurately reflects your
actual use of personal data and associated procedures.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
1. Definitions and Interpretation
2. Information About [Us] OR [Me]
3. What Does This Policy Cover?
4. What Is Personal Data?
5. What Are My Rights?
6. What Data Do You Collect and How?
7. How Do You Use My Personal Data?
8. How Long Will You Keep My Personal Data?
9. How and Where Do You Store or Transfer My Personal Data?
10. Do You Share My Personal Data?
11. How Can I Control My Personal Data?
12. Can I Withhold Information?
13. How Can I Access My Personal Data?
15. How Do I Contact You?
in the highlighted fields or adjust the wording to suit your purposes.
Once you have purchased access to the appropriate document folder click on
the “Download Document” link below. You will be asked what you want to do
with the file. It is recommended that you save the document to a location
of your choice prior to viewing.