Privacy policy

1.      Introduction

1.1   We are committed to safeguarding the privacy of [our website visitors and service users].

1.2   This policy applies where we are acting as a data controller with respect to the personal data of [our website visitors and service users]; in other words, where we determine the purposes and means of the processing of that personal data.

1.3   We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of [our website and services], we will ask you to consent to our use of cookies when you first visit our website.

1.4   Our website incorporates privacy controls which affect how we will process your personal data. By using the privacy controls, you can [specify whether you would like to receive direct marketing communications and limit the publication of your information]. You can access the privacy controls via [URL].

1.5   In this policy, "we", "us" and "our" refer to [data controller name].[ For more information about us, see Section 13.]

2.      Credit

2.1   This document was created using a template from SEQ Legal (https://seqlegal.com).

You must retain the above credit. Use of this document without the credit is an infringement of copyright. However, you can purchase from us an equivalent document that does not include the credit.

3.      How we use your personal data

3.1   In this Section 3 we have set out:

(a)   the general categories of personal data that we may process;

(b)   [in the case of personal data that we did not obtain directly from you, the source and specific categories of that data];

(c)   the purposes for which we may process personal data; and

(d)   the legal bases of the processing.

3.2   We may process [data about your use of our website and services] ("usage data"). The usage data may include [your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use]. The source of the usage data is [our analytics tracking system]. This usage data may be processed [for the purposes of analysing the use of the website and services]. The legal basis for this processing is [consent] OR [our legitimate interests, namely [monitoring and improving our website and services]] OR [[specify basis]].

3.3   We may process [your account data] ("account data").[ The account data may [include your name and email address].][ The source of the account data is [you or your employer].] The account data may be processed [for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you.] The legal basis for this processing is [consent] OR [our legitimate interests, namely [the proper administration of our website and business]] OR [the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract] OR [[specify basis]].

3.4   We may process [your information included in your personal profile on our website] ("profile data").[ The profile data may include [your name, address, telephone number, email address, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details and employment details].] The profile data may be processed for [the purposes of enabling and monitoring your use of our website and services]. The legal basis for this processing is [consent] OR [our legitimate interests, namely [the proper administration of our website and business]] OR [the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract] OR [[specify basis]].

3.5   We may process [your personal data that are provided in the course of the use of our services] ("service data").[ The service data may include [specify data].][ The source of the service data is [you or your employer].] The service data may be processed [for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you]. The legal basis for this processing is [consent] OR [our legitimate interests, namely [the proper administration of our website and business]] OR [the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract] OR [[specify basis]].

3.6   We may process [information that you post for publication on our website or through our services] ("publication data"). The publication data may be processed [for the purposes of enabling such publication and administering our website and services]. The legal basis for this processing is [consent] OR [our legitimate interests, namely [the proper administration of our website and business]] OR [the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract] OR [[specify basis]].

3.7   We may process [information contained in any enquiry you submit to us regarding goods and/or services] ("enquiry data"). The enquiry data may be processed [for the purposes of offering, marketing and selling relevant goods and/or services to you]. The legal basis for this processing is [consent] OR [[specify basis]].

3.8   We may process [information relating to our customer relationships, including customer contact information] ("customer relationship data").[ The customer relationship data may include [your name, your employer, your job title or role, your contact details, and information contained in communications between us and you or your employer].][ The source of the customer relationship data is [you or your employer].] The customer relationship data may be processed [for the purposes of managing our relationships with customers, communicating with customers, keeping records of those communications and promoting our products and services to customers]. The legal basis for this processing is [consent] OR [our legitimate interests, namely [the proper management of our customer relationships]] OR [[specify basis]].

3.9   We may process [information relating to transactions, including purchases of goods and services, that you enter into with us and/or through our website] ("transaction data").[ The transaction data may include [your contact details, your card details and the transaction details].] The transaction data may be processed [for the purpose of supplying the purchased goods and services and keeping proper records of those transactions]. The legal basis for this processing is [the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely [the proper administration of our website and business]] OR [[specify basis]].

3.10 We may process [information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters] ("notification data"). The notification data may be processed [for the purposes of sending you the relevant notifications and/or newsletters]. The legal basis for this processing is [consent] OR [the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract] OR [[specify basis]].

3.11 We may process [information contained in or relating to any communication that you send to us] ("correspondence data"). The correspondence data may include [the communication content and metadata associated with the communication].[ Our website will generate the metadata associated with communications made using the website contact forms.] The correspondence data may be processed [for the purposes of communicating with you and record-keeping]. The legal basis for this processing is [our legitimate interests, namely [the proper administration of our website and business and communications with users]] OR [[specify basis]].

3.12 We may process [identify general category of data].[ This data may include [list specific items of data].][ The source of this data is [identify source].] This data may be processed for [specify purposes]. The legal basis for this processing is [consent] OR [our legitimate interests, namely [specify legitimate interests]] OR [the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract] OR [[specify basis]].

3.13 We may process [any of your personal data identified in this policy] where necessary for [the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure]. The legal basis for this processing is our legitimate interests, namely [the protection and assertion of our legal rights, your legal rights and the legal rights of others].

3.14 We may process [any of your personal data identified in this policy] where necessary for [the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice]. The legal basis for this processing is our legitimate interests, namely [the proper protection of our business against risks].

3.15 In addition to the specific purposes for which we may process your personal data set out in this Section 3, we may also process [any of your personal data] where such processing is necessary[ for compliance with a legal obligation to which we are subject, or] in order to protect your vital interests or the vital interests of another natural person.

3.16 Please do not supply any other person's personal data to us, unless we prompt you to do so.

4.      Providing your personal data to others

4.1   We may disclose [your personal data] to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.[ Information about our group of companies can be found at [URL].]

4.2   We may disclose [your personal data] to [our insurers and/or professional advisers] insofar as reasonably necessary for the purposes of [obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure].

4.3   We may disclose [specify personal data category or categories] to [our suppliers or subcontractors][ identified at [URL]] insofar as reasonably necessary for [specify purposes].

4.4   Financial transactions relating to [our website and services] [are] OR [may be] handled by our payment services providers, [identify PSPs]. We will share transaction data with our payment services providers only to the extent necessary for the purposes of [processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds]. You can find information about the payment services providers' privacy policies and practices at [URLs].

4.5   We may disclose [your enquiry data] to [one or more of those selected third party suppliers of goods and services identified on our website] for the purpose of [enabling them to contact you so that they can offer, market and sell to you relevant goods and/or services].[ Each such third party will act as a data controller in relation to the enquiry data that we supply to it; and upon contacting you, each such third party will supply to you a copy of its own privacy policy, which will govern that third party's use of your personal data.]

4.6   In addition to the specific disclosures of personal data set out in this Section 4, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.[ We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.]

5.      International transfers of your personal data

5.1   In this Section 5, we provide information about the circumstances in which your personal data may be transferred to [countries outside the European Economic Area (EEA)].

5.2   We [and our other group companies] have [offices and facilities] in [specify countries].[ The European Commission has made an "adequacy decision" with respect to [the data protection laws of each of these countries].][ Transfers to [each of these countries] will be protected by appropriate safeguards, namely [the use of standard data protection clauses adopted or approved by the European Commission, a copy of which can be obtained from [source]] OR [the use of binding corporate rules, a copy of which you can obtain from [source]] OR [[specify appropriate safeguards and means to obtain a copy]].]

5.3   The hosting facilities for our website are situated in [specify countries].[ The European Commission has made an "adequacy decision" with respect to [the data protection laws of each of these countries].][ Transfers to [each of these countries] will be protected by appropriate safeguards, namely [the use of standard data protection clauses adopted or approved by the European Commission, a copy of which you can obtain from [source]] OR [[specify appropriate safeguards and means to obtain a copy]].]

5.4   [Specify category or categories of supplier or subcontractor] [is] OR [are] situated in [specify countries].[ The European Commission has made an "adequacy decision" with respect to [the data protection laws of each of these countries].][ Transfers to [each of these countries] will be protected by appropriate safeguards, namely [the use of standard data protection clauses adopted or approved by the European Commission, a copy of which can be obtained from [source]] OR [[specify appropriate safeguards and means to obtain a copy]].]

5.5   You acknowledge that [personal data that you submit for publication through our website or services] may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.

6.      Retaining and deleting personal data

6.1   This Section 6 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

6.2   Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6.3   We will retain your personal data as follows:

(a)   [personal data category or categories] will be retained for a minimum period of [period] following [date], and for a maximum period of [period] following [date].

[additional list items]

6.4   In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:

(a)   the period of retention of [personal data category] will be determined based on [specify criteria].

[additional list items]

6.5   Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

7.      Amendments

7.1   We may update this policy from time to time by publishing a new version on our website.

7.2   You should check this page occasionally to ensure you are happy with any changes to this policy.

7.3   We [may] OR [will] notify you of [changes] OR [significant changes] to this policy [by email or through the private messaging system on our website].

8.      Your rights

8.1   In this Section 8, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

8.2   Your principal rights under data protection law are:

(a)   the right to access;

(b)   the right to rectification;

(c)   the right to erasure;

(d)   the right to restrict processing;

(e)   the right to object to processing;

(f)   the right to data portability;

(g)   the right to complain to a supervisory authority; and

(h)   the right to withdraw consent.

8.3   You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.[ You can access [your personal data] by visiting [URL] when logged into our website.]

8.4   You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.

8.5   In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: [the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed]. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: [for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims].

8.6   In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.

8.7   You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

8.8   You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.

8.9   You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.10 To the extent that the legal basis for our processing of your personal data is:

(a)   consent; or

(b)   that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract,

        and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

8.11 If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

8.12 To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

8.13 You may exercise any of your rights in relation to your personal data [by written notice to us] OR [by [methods]][, in addition to the other methods specified in this Section 8].

9.      About cookies

9.1   A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

9.2   Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

9.3   Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

10.    Cookies that we use

10.1 We use cookies for the following purposes:

(a)   [authentication - we use cookies [to identify you when you visit our website and as you navigate our website][ (cookies used for this purpose are: [identify cookies])]];

(b)   [status - we use cookies [to help us to determine if you are logged into our website][ (cookies used for this purpose are: [identify cookies])]];

(c)   [personalisation - we use cookies [to store information about your preferences and to personalise the website for you][ (cookies used for this purpose are: [identify cookies])]];

(d)   [security - we use cookies [as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally][ (cookies used for this purpose are: [identify cookies])]];

(e)   [advertising - we use cookies [to help us to display advertisements that will be relevant to you][ (cookies used for this purpose are: [identify cookies])]];

(f)   [analysis - we use cookies [to help us to analyse the use and performance of our website and services][ (cookies used for this purpose are: [identify cookies])]]; and

(g)   [cookie consent - we use cookies [to store your preferences in relation to the use of cookies more generally][ (cookies used for this purpose are: [identify cookies])]].

[additional list items]

11.    Cookies used by our service providers

11.1 Our service providers use cookies and those cookies may be stored on your computer when you visit our website.

11.2 We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at: https://www.google.com/policies/privacy/.[ The relevant cookies are: [identify cookies].]

11.3 [We publish Google AdSense interest-based advertisements on our website. These are tailored by Google to reflect your interests. To determine your interests, Google will track your behaviour on our website and on other websites across the web using cookies.] OR [We publish Google AdSense advertisements on our website. To determine your interests, Google will track your behaviour on our website and on other websites across the web using cookies. This behaviour tracking allows Google to tailor the advertisements that you see on other websites to reflect your interests (but we do not publish interest-based advertisements on our website).] You can view, delete or add interest categories associated with your browser by visiting: https://adssettings.google.com. You can also opt out of the AdSense partner network cookie using those settings or using the Network Advertising Initiative's multi-cookie opt-out mechanism at: http://optout.networkadvertising.org. However, these opt-out mechanisms themselves use cookies, and if you clear the cookies from your browser your opt-out will not be maintained. To ensure that an opt-out is maintained in respect of a particular browser, you may wish to consider using the Google browser plug-ins available at: https://support.google.com/ads/answer/7395996.[ The relevant cookies are: [identify cookies].]

11.4 We use [identify service provider] to [specify service]. This service uses cookies for [specify purpose(s)]. You can view the privacy policy of this service provider at [URL].[ The relevant cookies are: [identify cookies].]

12.    Managing cookies

12.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

(a)   https://support.google.com/chrome/answer/95647?hl=en (Chrome);

(b)   https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);

(c)   http://www.opera.com/help/tutorials/security/cookies/ (Opera);

(d)   https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);

(e)   https://support.apple.com/kb/PH21411 (Safari); and

(f)   https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).

[additional list items]

12.2 Blocking all cookies will have a negative impact upon the usability of many websites.

12.3 If you block cookies, you will not be able to use all the features on our website.

13.    Our details

13.1 This website is owned and operated by [name].

13.2 We are registered in [England and Wales] under registration number [number], and our registered office is at [address].

13.3 Our principal place of business is at [address].

13.4 You can contact us:

(a)   [by post, to [the postal address given above]];

(b)   [using our website contact form];

(c)   [by telephone, on [the contact number published on our website from time to time]]; or

(d)   [by email, using [the email address published on our website from time to time]].

[additional list items]

14.    Data protection officer

14.1 Our data protection officer's contact details are: [contact details].


Free privacy policy: drafting notes

This is a standard website or web app privacy policy, which will help you to comply with data protection legislation, and has been updated for the General Data Protection Regulation (also known as the GDPR).

This policy covers the following matters (amongst others): the collection of personal information; the use of that personal information; the legal bases for the processing of that information; disclosures of that personal information to third parties; international transfers of personal information; and the use of cookies on the website.

This document might not be suitable for you if the ways in which you use personal information are complex or unusual.

In any event, there are many aspects to data protection compliance. Publishing a privacy policy or statement containing the relevant information is only one aspect - albeit an important aspect - of compliance.

Section 1: Introduction

Section 1.1

Optional element.

Section 1.2

"Personal data" is defined in Article 4(1) of the GDPR:

"(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Section 1.3

Optional element.

The inclusion of this statement in your privacy policy will not in itself satisfy the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 as regards consent to the use of cookies. Guidance concerning methods of obtaining such consent is included on the Information Commissioner's website (http://www.ico.gov.uk).

Section 1.4

Optional element.

Section 1.5

Optional element.

Section 2: Credit

Section: Free documents licensing warning

Optional element. Although you need to retain the credit, you should remove the inline copyright warning from this document before use.

Section 3: How we use your personal data

Article 13(1) of the GDPR provides that:

"(1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: ... (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party".

Article 6(1)(f) of the GDPR provides that:

"(1) Processing shall be lawful only if and to the extent that at least one of the following applies: ... (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

Section 3.1

Article 14 of the GDPR, which applies where personal information is not obtained from the data subject, provides that information about "the categories of personal data concerned" must be supplied to data subjects.

Article 13 of the GDPR, which applies where personal information is obtained from the data subject, does not include an equivalent provision.

Nonetheless, we have included references to general categories of data in this document, because this facilitates the identification of particular purposes of processing and the legal bases of processing - information which does need to be provided under Article 13.

Section 3.2

Optional element.

Section 3.3

Optional element.

Section 3.4

Optional element.

Section 3.5

Optional element.

Section 3.6

Optional element.

Section 3.7

Optional element.

Section 3.8

Optional element.

Section 3.9

Optional element.

Section 3.10

Optional element.

Section 3.11

Optional element.

Section 3.12

Optional element. Use this form of provision to identify and provide relevant information about other categories of personal data that you may process.

Section 3.13

Optional element.

Section 3.14

Optional element.

Section 3.16

Optional element.

Section 4: Providing your personal data to others

Article 13(1)(e) of the GDPR requires that where personal data are collected from the data subject, the data controller must provide the data subject with information about "the recipients or categories of recipients of the personal data".

Equivalent rules for data collected from someone other than the data subject are in Article 14(1)(e).

Section 4.1

Optional element.

Section 4.2

Optional element.

Section 4.3

Optional element.

Section 4.4

Optional element.

Section 4.5

Optional element.

Section 5: International transfers of your personal data

Optional element.

Article 13(1)(f) of the GDPR requires that data controllers disclose to data subjects "where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 [transfers subject to appropriate safeguards] or 47 [binding corporate rules], or the second subparagraph of Article 49(1) [limited transfers for compelling legitimate interests], reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available".

Section 5.2

Optional element.

Section 5.3

Optional element.

Section 5.4

Optional element.

Section 5.5

Optional element. Will users have the opportunity to publish personal information on the website?

Section 6: Retaining and deleting personal data

Article 5(1)(e) of the GDPR sets out the storage limitation, one of the fundamental rules of the regime:

"Personal data shall be: ... kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ...".

Section 7: Amendments

Optional element.

Section 7.2

Optional element.

Section 7.3

Optional element. Will you contact users to notify them of changes to the document?

  • How will users be notified of changes to the document?

Section 8: Your rights

Article 13(2) of the GDPR provides that, where personal data is collected from a data subject, certain information about data subject rights must be provided:

"In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: ... (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; ...".

Similar provisions are set out in Article 14 in relation to personal data which is not collected from the relevant data subject.

Section 8.3

The right to access is set out in Article 15 of the GDPR.

Section 8.4

The right to rectification is set out in Article 16 of the GDPR.

Section 8.5

The right to erasure (or right to be forgotten) is set out in Article 17 of the GDPR, and must be notified to data subjects under Articles 13(2)(b), 14(2)(c) and 15(1)(e) of the GDPR.

Consider modifying the highlighted circumstances and exclusions, depending upon what will be most relevant to your processing.

Section 8.6

Article 18(1) of the GDPR states:

"The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject."

Section 8.7

The right to object to processing is detailed in Article 21 of the GDPR, and must be notified to data subjects under Articles 21(4), 13(2)(b) and 14(2)(c).

Section 8.8

Optional element.

Article 21(3) of the GDPR states:

"Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes."

Section 8.9

Optional element.

This right is set out in Article 21(6) of the GDPR.

Section 8.10

The right to data portability is set out in full in Article 20 of the GDPR, and must be notified to data subjects under Articles 13(2)(b) and 14(2)(c).

Section 8.11

The right to lodge a complaint with a supervisory authority is set out in Article 77 of the GDPR, and must be notified to data subjects under Articles 13(2)(d), 14(2)(e) and 15(1)(f).

Section 8.12

Article 7(3) of the GDPR sets out the right of withdrawal. The right must be notified to data subjects under Articles 13(2)(c) and 14(2)(d). See also Article 17(1)(b).

Section 9: About cookies

Optional element.

Section 9.2

Optional element.

Section 9.3

Optional element.

Section 10: Cookies that we use

Optional element.

Section 11: Cookies used by our service providers

Does the website serve any third party cookies, analytics cookies or tracking cookies to users?

Section 11.2

Optional element.

Section 11.3

Optional element. Will Google AdSense advertisements be published on the website?

This provision should be included if you publish Google AdSense interest-based advertisements on your website. Additional disclosures will be required if you have not opted out of third-party ad serving.

If the website sets any other cookies to users' machines that track behaviour, information about those cookies will also need to be disclosed.

Section 12: Managing cookies

Optional element.

Section 12.3

Optional element. Will the blocking of cookies have a negative effect upon the use of the website from a user perspective?

Section 13: Our details

UK companies must provide their corporate names, their registration numbers, their place of registration and their registered office address on their websites (although not necessarily in this document).

Sole traders and partnerships that carry on a business in the UK under a "business name" (i.e. a name which is not the name of the trader/names of the partners or certain other specified classes of name) must also make certain website disclosures: (i) in the case of a sole trader, the individual's name; (ii) in the case of a partnership, the name of each member of the partnership; and (iii) in either case, in relation to each person named, an address in the UK at which service of any document relating in any way to the business will be effective. All websites covered by the Electronic Commerce (EC Directive) Regulations 2002 must provide a geographic address (not a PO Box number) and an email address. All website operators covered by the Provision of Services Regulations 2009 must also provide a telephone number.

Section 13.1

  • What is the name of the company, partnership, individual or other legal person or entity that owns and operates the website?

Section 13.2

Optional element. Is the relevant person a company?

  • In what jurisdiction is the company registered?
  • What is the company's registration number or equivalent?
  • Where is the company's registered address?

Section 13.3

Optional element.

  • Where is the relevant person's head office or principal place of business?

Section 13.4

Optional element.

  • By what means may the relevant person be contacted?
  • Where is the relevant person's postal address published?
  • Either specify a telephone number or give details of where the relevant number may be found.
  • Either specify an email address or give details of where the relevant email address may be found.

Section 14: Data protection officer

Optional element.

Section 14.1

Some data controllers and data processors will have an obligation to appoint a data protection officer (DPO). The basic obligation is set out in Article 37(1) of the GDPR:

"(1) The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10."

Article 13(1)(b) of the GDPR provides that:

"(1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information ... (b) the contact details of the data protection officer, where applicable".

See also Article 14(1)(b).

  • Insert contact details of the appointed data protection officer (if any).