Privacy and cookies policy (online shop)
This privacy and cookies policy template has been designed for online stores selling goods, including B2B stores, B2C stores and those supplying goods both B2B and B2C. The policy sets out details of the processing of personal data by the online store in accordance with UK and EU laws concerning the protection of personal information - including the General Data Protection Regulation in both its UK and EU forms.
The core of the policy covers the categories of personal information which may be processed, the sources of that information (where it is not collected from the data subject), the purposes of processing, the legal basis for the processing and, where the legal basis is the store operator's legitimate interests, details of those legitimate interests.
In addition, the template includes information about disclosures that the store operator may make. For instance, personal information may be disclosed to hosting services providers, payment services providers and other suppliers and subcontractors.
Businesses that operate overseas, or outsource parts of their operation abroad, may need to transfer personal information to other countries, and in the case of extra-UK/EEA transfers information about those transfers should be included in the policy.
Store operators will need to decide on data retention policies. In general, a data controller is not allowed to retain personal information obtained for a particular purpose or purposes for longer than is necessary for that purpose or those purposes. Appropriate disclosures relating to retention policies are included in this document.
Finally, almost all ecommerce websites will use cookies to improve the user experience: these enable the website to remember the user and track the user as he or she navigates the website. The website should identify the cookies it stores in a user's computer, and the third-party cookies that may be stored as a result of the use of the website.
Get help with this documentPrivacy and cookies policy (online shop) contents
- Introduction: commitment to privacy; document applies to controlled personal data; website privacy controls; consent to use of cookies; data controller name.
- The personal data that we collect: introduction to categories; processing of contact data; processing of account data; processing of customer relationship data; processing of transaction data; processing of communication data; processing of usage data; processing of other data.
- Purposes of processing and legal bases: setting out purposes etc of personal data processing; processing for operations; processing for publications (account data); processing for communications; processing for personalisation (account data and usage data); processing for direct marketing (contact data, account data, customer relationship data and transaction data); processing for research and analysis (usage data and transaction data); processing for record keeping; processing for security; processing for insurance and risk management; processing for legal claims; processing for legal compliance and vital interests protection.
- Automated decision-making: personal data used in automated decisions; logic involved in automated decisions; significance of automated decisions.
- Providing your personal data to others: intra-group disclosures of personal data; disclosure of personal data to insurers etc; disclosures of personal data to hosting services providers; disclosures of personal data to subcontractors; disclosure of personal data to payment services providers; disclosure of personal data to third party suppliers; disclosure of personal data necessary for legal compliance etc.
- International transfers of your personal data: introduction to international personal data transfers; UK to EEA and EEA to UK personal data transfers; international transfers within business; international transfers to hosting services provider; international transfers to subcontractors; publication of personal data on internet.
- Retaining and deleting personal data: data retention introduction; personal data retention default rule; personal data retention specific rules (online shop); personal data retention criteria; personal data deletion exception.
- Security of personal data: appropriate technical and organisational security measures; personal data stored on secure servers and computers; encrypted storage of personal data; security of server-browser communications; unencrypted data sent over internet is insecure; password security.
- Your rights: introduction to data subject rights list; list of data subject rights; learn more about data subject rights; exercise of data subject rights.
- Your rights: introduction to data subject rights summaries; list of data subject rights; summary of right to access personal data; summary of right to rectification of personal data; summary of right to erasure of personal data; summary of right to restrict processing of personal data; summary of right to object to processing of personal data; summary of right to object to processing of personal data for direct marketing; summary of right to object to processing of personal data for research purposes; summary of right to personal data portability; summary of right to complain to data protection supervisory authority; summary of right to withdraw consent to personal data processing; exercise of data subject rights.
- Third party websites: hyperlinks to third party websites; no responsibility for third party privacy policies.
- Personal data of children: website targeted at persons over specified age; deleting personal data of children.
- Updating information: correcting or updating personal information.
- About cookies: what are cookies?; persistent and session cookies; cookies and personal data.
- Cookies that we use: purposes for which cookies are used (including shopping cart).
- Cookies used by our service providers: use of cookies by services providers; google Analytics cookies; google advertising cookies; meta pixel; service provider cookies (generic).
- Managing cookies: how to manage cookies; negative impact of blocking cookies; effects on website use of blocking cookies.
- Cookie preferences: managing cookie preferences.
- Amendments: amendment by publication; check for changes to policy; notification of changes topolicy.
- Our details: website operator name; company registration details; place of business; contact information.
- Data protection registration: registered with ICO; data protection registration number.
- Representatives: identity and contact details of EU representative of data controller; identity and contact details of UK representative of data controller.
- Data protection officer: data protection officer contact details.