Ask yourself this: do I collect or use personal data for non-personal / non-household activities in relation to my website?
- Third, one of the key functions of many websites is the projection of a serious and professional image. A website without the necessary legal documentation may have a negative effect on the image of the business behind it.
Should I use a template or ask a lawyer to prepare a policy for me?
Data protection law is not straightforward. Indeed, since the GDPR came into force in 2018, it is difficult for many organisations to be confident that they comply.
As with many business investments in legal services, you will need to balance the risks of a DIY approach against the costs of using a professional. In general, you should always use a professional if there are significant amounts of money at stake or material risks of liability.
A legal template is both never and always potentially suitable for a particular job: never suitable because adaptation is always needed; always potentially suitable because, with enough adaptation, one document can be transformed into any other document.
That said, some jobs will require more adaptation than others, and sometimes the adaptations will require specialist legal knowledge.
You should only use this template in relation to the following purposes if you are confident that you understand the applicable law can make the necessary adaptations:
- the personal data of minors;
- sensitive personal data / special categories of personal data;
- large-scale processing of personal data;
- any complex or unusual personal data processing; and
- any personal data processing that is likely to have a significant impact on individuals’ rights and freedoms.
Articles 13 and 14 of the GDPR set out the core disclosures required by the regulation.
Article 13 sets out the information that must be provided where personal data are collected from the individual. Article 14 sets out the information that must be provided where personal data are collected from some other source.
The main categories of information are:
- identity and contact information of the controller;
- where personal data is not collected from the individual, the source and nature of that data;
- the purposes of the processing;
- the legal bases for the processing, including details of applicable legitimate interests;
- the recipients or categories of recipients of the personal data;
- details of international transfers of personal data that require legal protections, and details of those protections;
- the periods for which the personal data will be stored, or at least the criteria used to determine those periods;
- individuals’ legal rights with respect to their personal data;
- whether the provision of personal data is a legal requirement;
- the existence of automated decision-making, including profiling.
There’s a degree of overlap between the laws relating to cookies and those relating to the processing of personal data: cookies may themselves contain personal data; and even where cookies don’t themselves contain personal data, the reading of cookies will often result in the linking of cookie data to other personal data held by the operator.
The key legal instruments currently applicable to cookies are:
- across the EU, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); and
- in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended).
The latter is the UK’s implementing legislation for the former. The consolidated version of the UK regulations is not available on the legislation.gov.uk website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.
New legislation on cookies is currently going through the EU legislative process.
After you have downloaded the policy, you will need to open it in your word processing software for editing.
With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and – this is often the hard bit – the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.
You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.
Guidance notes are included in the template to help with the editing process.
This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.
Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law was clear, the guidance wouldn’t be needed. In many cases, the guidance either overreaches or dodges the difficult issues.
Another reason for the length of our templates is that … they are templates. They are intended to be edited before use, and it is much easier to delete unwanted provisions from a template than to add novel provisions. After you have finished editing our template, it should be materially shorter than when you started.
What other privacy and cookies documents are available?
We supply a range of privacy and cookie documents on our ecommerce website, Website Contracts.
Do I also need a data protection or GDPR policy?
Documents with the same function will sometimes be called “privacy notices”, “data protection statements”, “personal data processing policies”, “GDPR policies” – or something different entirely.
Worse, there is a different type of document that shares the same pool of possible names.
I usually refer to this other type of document as a “data protection policy” – but don’t assume that other professionals will do so.
In most cases, you will want to keep these documents separate.
Do I need a data processing agreement?
This distinction can be confusing and tricky to apply.
Both controllers and processors process personal data. Just because you are processing personal data, that doesn’t make you a processor. You might be a processor, but equally, you might be a controller. Confused yet?
The distinction is tricky to apply because the definitions are highly abstract. A controller is defined as a person who determines the purposes and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. In practice, the determination of purposes is more significant than the determination of means.
An example might help. A business providing website hosting services would usually be a processor with respect to personal data contained in the website databases of its customers. It would, however, usually be a controller with respect to personal data contained in its customer relationship management system. For some classes of data – for example, data collected when providing support services to customers – the correct classification may not be clear.