Start by clicking on "Fill out the template"
Answer a few questions and your document is created automatically.
Your document is ready! You will receive it in Word and PDF formats. You will be able to modify it.
You can choose to get help from a lawyer after filling out the document.
This document can be used by any UK based website owner in order to set out the manner in which it processes personal information of its users. When personal information is collected from individuals they are referred to as 'data subjects'.
Why is it important for a website to have privacy documents and policies?
It is important for a website to have such a policy under UK law because:
As described above, there are requirements placed upon businesses with regards to the various pieces of specific information which they must provide to any data subject. However, there is also a requirement for information to be clear and concise.
In order to strike this balance, the Information Commissioner's Office (the regulatory body which oversees data processing in the United Kingdom), has suggested a layered approach is one of the most efficient ways to properly communicate all the relevant information. For example, key information can be provided to data subjects in a notice or statement, with links or click features to allow data subjects to obtain more detail if needed.
The role of this particular document allows a website to set out its general processing, storage and usage of personal data, in order to fulfil the requirement to supply data subjects with 'transparent' information (Article 13 and 14 of UK GDPR).
A website owner should also hold a shorter simple 'privacy notice' which would be provided to data subjects upon the point of collection in a concise manner (as per the requirement of Article 13 (1) UK GDPR). The shorter notice may have an index system to expand into more detailed guidance (for example to link to this policy) or may have links to more detailed information as per the layered approach.
In addition to the short notice and this general policy, a website owner may wish to have further policy documents to provide even more detail regarding specific areas of processing such as:
Where a website processes sensitive date, this fact can be stated within this policy document however there are additional measures which a website must also put in place. In particular, website owners should be aware that, where any sensitive data is collected from data subjects, a further comprehensive policy must be held to address the collection of sensitive data specifically. Where sensitive data is collected, a website will often rely upon consent as the lawful justification for processing data. The website will therefore need to obtain explicit consent/opt-in consent at the time of collection via a separate specialised form.
Sensitive data is personal information which relates to:
Criminal offence data
Websites may also sometimes need to process data relating to any criminal offences of data subjects (for example, to meet regulatory requirements or for fraud prevention purposes). Criminal offence data falls into its own category and must also be justified under further very specific grounds. The existence of criminal data processing should be stated in this general policy together with the lawful reasoning, however it is usually necessary for a website to also hold a separate specific policy where criminal data is processed.
Other restrictions and requirements
There are additional restrictions and requirements which may apply to a website's use of personal information in other circumstances. For example, where personal information is transferred outside of the United Kingdom, or where decisions are made using personal information via an automated process. These can be addressed and detailed within this document if so required.
This document is designed for a website which is not aimed at children and where the website does not process child data. Websites still must consider, regardless of the intentions of the website, whether children may access the website and whether there is any possibly of inadvertently processing child data. In those circumstances, a website must consider the Children's code.
How to use this document
This document should be filled out with the relevant information. When personal information is collected directly from a data subject, they should be informed of the relevant privacy information at the time that the data is collected.
Where information is obtained about an individual from another source, they must be informed within a reasonable period and no later than one month after it is collected.
The privacy information must be actively provided to individuals, by making the individuals aware of its existence and by placing the policy on the website in an accessible location.
Where a website processes sensitive information, and is relying upon the data subject's consent for this, the consent must be obtained separately. The website should:
In a similar manner, where a website is relying upon consent of data subjects in order to justify direct marketing, the consent should be obtained separately.
As set out above, the policy may be used in conjunction with other specific policies, for example where sensitive or criminal offence data is being processed or where cookies are being used by the website.
As of 1 January 2021, the law relating to data protection in the UK is governed by:
Help from a lawyer
You can choose to consult a lawyer if you need help.
The lawyer can answer your questions or help you through the process. You will be offered this option when you complete the document.
How to modify the template
You fill out a form. The document is created before your eyes as you respond to the questions.
At the end, you receive it in Word and PDF formats. You can modify it and reuse it.