Privacy and cookies policy
From a lawyer's perspective, the key purpose of a website privacy and cookies policy is to help a website operator comply with data protection and cookies legislation. In the EU, that means compliance with the General Data Protection Regulation (GDPR), as well as the ePrivacy Directive and national implementing legislation; and in the UK, that means compliance with the UK's version of the GDPR.
One of the principles of the GDPR is transparency: data controllers must provide information to individuals about the personal data that they process. The GDPR specifies the information to be provided in considerable detail.
Controllers must identify the purposes for which they process personal data and, if the data are not collected from the data subject in question, the source and specific categories of data collected. In addition, controllers must identify the legal bases for their processing - and where the legal basis is "legitimate interests" to identify those interests. This template has been designed to make this process as easy as possible.
Information must be provided about the recipients of personal data, including both other controllers and processors. Moreover, where the transfer to a recipient involves a transfer of data to a "third country", information about the "appropriate safeguards" used to ensure the transfer is lawful should be provided. Again, the templates can help you to set out this information in a clear and concise fashion.
Other provisions of the template cover: profiling and automated processing, data retention, security, data subject rights, processor information, cookies and controller information.
The language in this policy is unlikely to be sufficiently simple for use in connection with the collection of personal data from children.Ask about this document
Privacy and cookies policy contents
- The personal data that we collect: introduction to categories; processing of contact data; processing of account data; processing of profile data; processing of customer relationship data; processing of service data; processing of transaction data; processing of communication data; processing of usage data; processing of other data; disclosure of third party personal data.
- Purposes of processing and legal bases: setting out purposes etc of personal data processing; processing for operations; processing for publications; processing for communications; processing for personalisation; processing for direct marketing; processing for research and analysis; processing for record keeping; processing for security; processing for insurance and risk management; processing for legal claims; processing for legal compliance and vital interests protection.
- Automated decision-making: personal data used in automated decisions; logic involved in automated decisions; significance of automated decisions.
- Providing your personal data to others: intra-group disclosures of personal data; disclosure of personal data to insurers etc; disclosures of personal data to hosting services providers; disclosures of personal data to subcontractors; disclosure of personal data to payment services providers; disclosure of personal data to third party suppliers; disclosure of personal data necessary for legal compliance etc.
- International transfers of your personal data: introduction to international personal data transfers; UK to EEA and EEA to UK personal data transfers; international transfers within business; international transfers to hosting services provider; international transfers to subcontractors; publication of personal data on internet.
- Retaining and deleting personal data: data retention introduction; personal data retention default rule; personal data retention specific rules; personal data retention criteria; personal data retention and publications; personal data deletion exception.
- Security of personal data: appropriate technical and organisational security measures; personal data stored on secure servers and computers; encrypted storage of personal data; security of server-browser communications; unencrypted data sent over internet is insecure; password security.
- Your rights: introduction to data subject rights list; list of data subject rights; learn more about data subject rights; exercise of data subject rights.
- Your rights: introduction to data subject rights summaries; list of data subject rights; summary of right to access personal data; summary of right to rectification of personal data; summary of right to erasure of personal data; summary of right to restrict processing of personal data; summary of right to object to processing of personal data; summary of right to object to processing of personal data for direct marketing; summary of right to object to processing of personal data for research purposes; summary of right to personal data portability; summary of right to complain to data protection supervisory authority; summary of right to withdraw consent to personal data processing; exercise of data subject rights.
- Third party websites: hyperlinks to third party websites; no responsibility for third party privacy policies.
- Personal data of children: website targeted at persons over specified age; deleting personal data of children.
- Updating information: correcting or updating personal information.
- Acting as a data processor: acting as a data processor; not applicable as data processor.
- About cookies: what are cookies?; persistent and session cookies; cookies and personal data.
- Cookies that we use: purposes for which cookies are used (including shopping cart).
- Managing cookies: how to manage cookies; negative impact of blocking cookies; effects on website use of blocking cookies.
- Cookie preferences: managing cookie preferences.
- Amendments: amendment by publication; check for changes to policy; notification of changes topolicy.
- Our details: website operator name; company registration details; place of business; contact information.
- Data protection registration: registered with ICO; data protection registration number.
- Representatives: identity and contact details of EU representative of data controller; identity and contact details of UK representative of data controller.
- Data protection officer: data protection officer contact details.