Data protection law
1. Privacy policies
Designed to help you to comply with UK and EU data protection law, these privacy policies are, in essence, shorter and simpler versions of our privacy and cookies policy templates. Although cookies are not referenced in the titles of these documents, cookies-related disclosures are included, albeit in summary form.
2. Data processing agreements
Data processing agreements between controllers of personal data and their processors, and between processors and sub-processors, have long been a requirement of EU and UK data protection law. With the coming of the General Data Protection Regulation (GDPR) they have become much more common. GDPR-friendly data processing agreements tend to be longer and more complex than pre-GDPR agreements. These template data processing agreements are designed to help you produce a compliant document with the minimum of fuss. They track the specific requirements of the GDPR closely, supplementing those requirements in a few important areas.
3. Email disclaimer
This is a template for a legal notice to be displayed in email communications.
Although the enforceability of email disclaimers may be open to question, many businesses nonetheless incorporate a disclaimer in the footer of all email communications. However, there is no "standard" disclaimer, as different businesses face different compliance obligations and legal risks.
This template may be used to create a document covering some ...
4. Privacy and cookies policies
Almost every commercial website collects some personal data and few websites entirely eschew the use of cookies and similar technologies. In order to comply with the GDPR and other UK and EU data protection laws, website publishers need to disclose to users information about the personal data that they collect; and in order to comply with electronic privacy laws, website publishers need to disclose to users information about the cookies that they use. These template privacy and cookies policies will help you to comply with these laws.
5. Data protection information notices
The General Data Protection Regulation (GDPR) and national data protection laws require that controllers of personal data disclose information about their processing of that personal data to data subjects. These data protection information notices will help an organisation that collects personal data relating to its freelances, supplier personnel and customer personnel to comply with the applicable disclosure requirements. These documents are similar to our privacy policy template, but intended for use offline rather than online.
6. Cyber security incident response policy
This policy provides organisations with a pre-structured way of describing their policy in the event of a cyber security incident. Policy users may be a small group within an organisation, or this policy may be given to all personnel as guidance in the event of an incident.
Unlike an employee, contractor or B2B cyber security policy this is not intended to be a legal ...
7. Personal data breach notification policy
This is a personal data breach notification policy, which sets out the procedures to be followed by a business in the event that personal data stored or processed by the business is subject to a breach. The policy has been created with SMEs in mind.
The policy is designed to aid compliance with the General Data Protection Regulation or GDPR, and takes account of the ...
8. Data processing addenda
These addenda should be used to complement an existing contract and bring it into line with the General Data Protection Regulation (GDPR). The GDPR is relatively prescriptive about the clauses that need to be included in contracts between controllers and processors and in contracts between processors and sub-processors. The drafting of these documents follows the requirements of the GDPR closely.
9. Supply chain cyber security policies
These cyber security policies should be used by a customer purchasing services and wanting to impose contractual obligations upon the supplier in relation to cyber security. The policies can be adapted to focus on specific risks or to apply general standards. These policies were created and are maintained by Emma Osborn of OCSRC.
10. Data retention policy
This management-level data retention policy should be used to codify the policies and procedures of an organisation in relation to the archiving and deletion of data. The driving force behind the adoption of many retention policies is the General Data Protection Regulation (GDPR), but the suggested drafting in this document covers non-personal as well as personal data.
To make effective use of this ...
11. Data sharing agreements
These agreements facilitate the lawful sharing of personal data between two controllers (as that term is defined in the General Data Protection Regulation). They can be used with respect to either joint controllers or independent controllers. They are not suitable for use in relation to controller-to-processor or processor-to-processor sharing.