Ask yourself this: do I collect or use personal data for non-personal / non-household activities in relation to my website?
- Third, one of the key functions of many websites is the projection of a serious and professional image. A website without the necessary legal documentation may have a negative effect on the image of the business behind it.
Should I use a template or ask a lawyer to prepare a policy for me?
Data protection law is not straightforward. Indeed, since the GDPR came into force in 2018, it is difficult for many organisations to be confident that they comply.
As with many business investments in legal services, you will need to balance the risks of a DIY approach against the costs of using a professional. In general, you should always use a professional if there are significant amounts of money at stake or material risks of liability.
A legal template is both never and always potentially suitable for a particular job: never suitable because adaptation is always needed; always potentially suitable because, with enough adaptation, one document can be transformed into any other document.
That said, some jobs will require more adaptation than others, and sometimes the adaptations will require specialist legal knowledge.
You should only use this template in relation to the following purposes if you are confident that you understand the applicable law and can make the necessary adaptations:
- the personal data of minors;
- sensitive personal data / special categories of personal data;
- large-scale processing of personal data;
- any complex or unusual personal data processing; and
- any personal data processing that is likely to have a significant impact on individuals’ rights and freedoms.
Articles 13 and 14 of the GDPR set out the core disclosures required by the regulation.
Article 13 sets out the information that must be provided where personal data are collected from the individual. Article 14 sets out the information that must be provided where personal data are collected from some other source.
The main categories of information are:
- identity and contact information of the controller;
- where personal data is not collected from the individual, the source and nature of that data;
- the purposes of the processing;
- the legal bases for the processing, including details of applicable legitimate interests;
- the recipients or categories of recipients of the personal data;
- details of international transfers of personal data that require legal protections, and details of those protections;
- the periods for which the personal data will be stored, or at least the criteria used to determine those periods;
- individuals’ legal rights with respect to their personal data;
- whether the provision of personal data is a legal requirement;
- the existence of automated decision-making, including profiling.
There’s a degree of overlap between the laws relating to cookies and those relating to the processing of personal data: cookies may themselves contain personal data; and even where cookies don’t themselves contain personal data, the reading of cookies will often result in the linking of cookie data to other personal data held by the operator.
The key legal instruments currently applicable to cookies are:
- across the EU, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); and
- in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended).
The latter is the UK’s implementing legislation for the former. The consolidated version of the UK regulations is not available on the legislation.gov.uk website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.
New legislation on cookies is currently going through the EU legislative process.
After you have downloaded the policy, you will need to open it in your word processing software for editing.
With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and – this is often the hard bit – the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.
You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.
Guidance notes are included in the template to help with the editing process.
This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.
Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law was clear, the guidance wouldn’t be needed. In many cases, the guidance either overreaches or dodges the difficult issues.
Another reason for the length of our templates is that … they are templates. They are intended to be edited before use, and it is much easier to delete unwanted provisions from a template than to add novel provisions. After you have finished editing our template, it should be materially shorter than when you started.
What other privacy and cookies documents are available?
We supply a range of privacy and cookie documents on our ecommerce websites, Website Contracts and Docular.
Do I also need a data protection or GDPR policy?
Documents with the same function will sometimes be called “privacy notices”, “data protection statements”, “personal data processing policies”, “GDPR policies” – or something different entirely.
Worse, there is a different type of document that shares the same pool of possible names.
I usually refer to this other type of document as a “data protection policy” – but don’t assume that other professionals will do so.
In most cases, you will want to keep these documents separate.
Do I need a data processing agreement?
This distinction can be confusing and tricky to apply.
Both controllers and processors process personal data. Just because you are processing personal data, that doesn’t make you a processor. You might be a processor, but equally, you might be a controller. Confused yet?
The distinction is tricky to apply because the definitions are highly abstract. A controller is defined as a person who determines the purposes and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. In practice, the determination of purposes is more significant than the determination of means.
An example might help. A business providing website hosting services would usually be a processor with respect to personal data contained in the website databases of its customers. It would, however, usually be a controller with respect to personal data contained in its customer relationship management system. For some classes of data – for example, data collected when providing support services to customers – the correct classification may not be clear.
I’d need to know a little more about the blog before commenting on this. Can you give me an idea of the type of content that would be included in the blog, and also whether there is any non-blog functionality on the website?
There are various options.
1. You can download this document (click the button above) and use it free of charge, providing you retain the section in the document that credits us as the source of the document (“This policy is based on a template published by SEQ Legal…”).
2. If you want to project a more professional image, you can buy a licence to use this template without the credit text, here:
3. If you want to edit the document online with our online editor, which makes the job easier, use:
4. Finally, you could ask a lawyer to produce the document for you.
The method of getting the text on to the website depends upon the technology used to create the website. NB Docular allows you to export in HTML format which can make this process quicker.
Thank you for your response. So just to clarify, as long as we have this document displayed on our website and we are registered with Information
Thanks in advance for the help.
It’s GBP 10 inc VAT (if applicable), and available for purchase here: https://www.website-contracts.co.uk/privacy-policy.html
Thanks for your comment Chris.
I’m hoping to do some mobile app-specific legal templates at some point, but it won’t be soon I’m afraid.
Are your Privacy Notices GDPR compliant?
We don’t generally update our templates until shortly before relevant legal changes take effect.
The template has now been updated for GDPR, with a choice of DPA and GDPR compliant “your rights” clauses.
Hello, I just launched the website of my record label, a net label. Mainly I’ll be offering music distribution, remix and mastering, and a promotion blog where people and artists will submit their music, photos, links to their social media, links to videos, biography, and information about the artist like name, country and age.
15.2 We are registered in [England and Wales] under registration number [number], and our registered office is at [address].
15.3 Our principal place of business is at [address].
Section 15.2 can be removed as you do not have a company.
Section 15.3 however should be retained. You presumably however still have an address from which you conduct the business, even if this is your home address. You should also include your name “Joe Bloggs trading as XYZ” in the legal docs, so that users and customers can identify who they are dealing with.
I’m assuming English law applies.
Good day, I’m based in South Africa and I’m working on developing a music website that will serve all music fans all over the world. I want to know which policy I can use or download for the site. Does it only work for European citizens?
Our documents are all designed to help compliance with English law (including EU law as applicable/implemented in the UK). As your business is based in SA, you should start with documents designed to help with SA law.
(However, in some circumstances you may also need to comply with foreign law.)
I would like to know if I can use your template for my website even if I need to translate in French.
My organisation is a limited company registered in the UK, and my website will provide information about sports in France. Do you think your document can support my requirement?
The SEQ licence allows you to do this, but you may need to ensure that the translated document is compliant with applicable French law. (Although data protection law is in theory harmonised across the EU, in practice there are differences.)
Useful template thanks. I notice your templates says people can access their data subject to “(a) the payment of a fee (currently fixed at GBP 10)”.
I thought GDPR made it illegal to request a fee unless the request was unduly onerous or made repeatedly. Could you clarify?
The reason for including both sections is that a GDPR-compliant section would be non-compliant under the DPA, while a DPA-compliant section would be non-compliant under the GDPR. We will remove the DPA section from the template in mid-May.
My website promotes and advertises my range of services.
I am not a registered company, just a freelancer. There is no data collection. People can contact me directly should they have use of my services.
Which would be the best for GDPR? We are a partnership delivering training services to care providers. Many thanks, Pete
I am a life coach based in South Africa serving customers globally.
I do have a website and am sole owner, no other staff.
I have general terms, conditions and a disclaimer (for when clients book and use my services) on my website, but I understand I have to include a standalone data privacy policy page and link to it in the footer?
All I have on my website is a general contact form, for when a client/reader on my website wants to contact me.
The website is designed with Weebly and I have updated the forms as Weebly suggests. Seems like double opt-in with picture verification.
All other client intake forms etc. are done via Acuity Online Scheduler with intake forms (not sure how to go about that), SurveyMonkey (not sure how to go about that), and MailChimp (I have set up GDPR forms and auto emails as they suggest).
Do I need to do anything else?
Hi, I am so confused. We are a very small construction company and we have an email address that we contact people through and they contact us through. Do I still have to ensure this is GDPR compliant? We would keep email addresses for contact only, so do I have to send all my contacts this to say we are being GDPR compliant? If this is the case, should we not be doing the same with our personal email addresses where we keep contacts? Any help would be appreciated.
I run a couple of very small businesses (limited companies). One makes corporate films and the other supplies web design and web hosting for SMEs. We are totally word of mouth and do not advertise or use any form of email marketing or telesales, except to our existing customers whenever we chase them for payment. We do not deal at all with the general public, so we only keep business data, and that’s kept exclusively in our password-protected off-line accounts package. Yes, we have simple email forms on our websites, but not ones that populate a database; they simply send an email with the most basic of information. And the computers we use are password protected. And no, we do not have e-commerce, so no need for opt-in or opt-out web-based systems.
I understand that we should mention this somehow on our websites but am not sure what is necessary. Thanks for this service, by the way. It’s refreshing, as all I have had these last couple of weeks is people trying to sell me what I deem to be unnecessary, and you kindly offer this. Impressed 🙂
Hello – thank you very much for the free template! What is the best way to deal with the portions that don’t apply to us? Instead of deleting all of them (I saw a note somewhere you don’t recommend doing that), can we write “Not Applicable” at the beginning of the section?
For example the portions about selling/giving/receiving data from 3rd parties, we don’t do that. Also parts about tracking their activity (page views, etc).
Templates are merely tools, and always need to be adapted. So, if you adapt the document appropriately, it will serve your purposes. I appreciate that this isn’t very useful guidance. However, in order to assess whether a document is helping a business to comply with the law I would need to: (i) know a good deal about the business; and (ii) see the final version of the document, post editing. This is not a service I can provide alongside the templates.
Can I use this template for an online store?
It could be adapted for this purpose, but for a more suitable document see the “online shop” variant of this document:
Sorry, I don’t currently have any template text for this.
… why not use it with attribution?
Hi, my websites are all in the Portuguese language. Can I use your free version and translate it into Portuguese? I also want to make some changes. Do you allow me to make the changes? Thank you.
Yes, you are welcome to translate the document, although assuming Portuguese law applies remember to account for any differences between English law and Portuguese law.
Hi, I have a new online system which requires users to register with name/email address, company and phone number.
I have looked at your template, but this seems to be overly complicated for my scenario. There is no marketing, cookies or onward distribution or transfer of any details.
The data stored is for internal purposes only. The only time the email address is used is for signon and to update software changes.
Do you have a less comprehensive template?
I don’t have anything shorter right now, although it is on the list. If you go over to https://docular.net you can get access to this template through the Docular online editor, which makes removing unwanted material very easy.
Hi there, are your documents for use in the United States of America?
Unfortunately, no: these documents are not designed to help with US legal compliance.
Hello, I am starting an on-line store selling food supplement products based in the UK but selling in other EU countries as well. Which policy documents available here do I need to put on my website? There are quite a few versions so I am a bit confused. Thank you!
Typically, an online store will need at a minimum: (i) T&Cs of sale, to govern the contract of sale itself; (ii) T&Cs of use, to govern the relationship between the website operator and users, who may or may not be purchasing goods; and (iii) a privacy and cookies policy, to help with disclosures relating to data protection law.
Whilst we don’t currently have a free version of (i) on this website, you can find free versions of all three documents on our Docular website: https://docular.net
I understand. However, I would appreciate if you gave me a link to specific versions, especially of (i) as there are a few I can see on docular.net with different prices. Which one would be the most suitable for my on-line store? I assume the food supplements do not require any specific clauses that other products don’t have? Thanks so much again!
I suggest you look at these documents:
These are all free, but there are paid versions if you want to remove the Docular credit/link.
This may also prove useful:
These do not contain any special terms regarding food supplements. If I were preparing the documents, I would expect to add some special disclaimers for the product type.
If you click on the little notes / document icons in Docular, then notes corresponding to the relevant provisions will appear in the right-hand column.
The templates tend to include lots of optional / removable provisions, because it is easier to remove an unwanted clause than to write a missing one. The residency clause in the T&Cs can for most websites be removed.
Regarding exclusive / non-exclusive jurisdiction: the former should be used where you want ONLY the identified courts to adjudicate disputes; the latter where you want the identified courts PLUS any others who may have jurisdiction under the applicable rules of private international law. Even where you choose exclusive jurisdictions, the courts in a different country may sometimes ignore this (e.g. to apply their own consumer protection law).
I’m just reading through the document I bought yesterday and it says it’s for England and Wales. I thought it was for the UK (all included) and just wondered if it’s ok to use them for Northern Ireland as that’s where my business is based….?! All this is such a headache and I thought I found the perfect solution when I was recommended your site yesterday … 🙂
I am creating a website that is based on my hobby. There are no commercial aspects to it; I do not sell anything and neither do I provide any chargeable services. There is no membership and/or registration requirements on my website. The website is purely me giving information about the subject for educational and/or personal interest reasons.
I do have a contact form and a comments page where people can write and upload comments to my posts, such as the one you have on this website. When I have tested the comments section on my site, and I look at the details of the comment via my website admin panel, I can see the following information about people who add comments: name (not required, they can post anonymously) and email (not required, again they can post anonymously.) Obviously, if they do provide a name and/or email address, then I can see that information in my admin panel. I am, however, provided with an IP address of the sender if they submit a comment (whether anonymously or not). Again, if somebody uses the contact form I will receive an email with their email address, and possibly name, contained within.
Very many thanks for your time and assistance.
GDPR makes much mention of ‘personal’ data. If a business only carries out business with other businesses, not individuals, does GDPR still have to be complied with?
Even if you are only dealing with other businesses, you will still be handling personal data. For example: the personal data of supplier and customer personnel, the personal data of employees and subcontractors, and the personal data of persons on your marketing lists. Wherever you are handling personal data, the GDPR will apply (subject to jurisdictional limitations).
Hi, I have my personal website where I write novels, stories and rhymes etc. I publish links to those on my Facebook account and people visit my site to read my writings. I don’t use any kind of ad on my site. The only issue is I have a contact form where visitors can put their name, e-mail address and messages. That’s how sometimes I get some of the visitors’ e-mail addresses.
Thanks a lot in advance.
The obligation to publish a privacy notice in the context of personal data collection will not apply in relation to processing “by a natural person in the course of a purely personal or household activity” (Reg 2(2)(c) GDPR). Your website might well fall within this exception – although NB the European courts seem to be interpreting it narrowly.
As regards a disclaimer, you probably have no obligation under UK law to publish the information that is typically included in a disclaimer, as the website is non-commercial. However, if there are any risks relating to the use of the information published on the website (eg health information or exercise information) then it might be a good idea to publish a disclaimer nonetheless.
Hi, I’m starting up a new business, so at the moment I’ll be a sole trader, planning on becoming a limited company in a year or so. (I’m already running another business as a sole trader, “Cooking Tutor”.) With this new venture, I will provide accommodation (reserved hotel rooms), transport (a hired company that will supply their service) and guided tours (with a licensed guide). I will not be providing flights. Would you be able to tell me if this template would be fine for me and what sections I will not need, if any? I’ll be collecting data like names, emails, addresses and phone numbers, for communication with those people. I will also need to give their data to the Italian authority, when in Italy, for the purpose of paying city taxes.
I’ll be very grateful for any advice.
Hi Fulvia – Even if you were in the UK, I wouldn’t be able to provide this kind of assistance, unless you became a client of my law firm. Templates always need to be adapted for the circumstances in which they are used. You should consult an Italian IT/privacy lawyer about this.
Thank you for replying to me. I do live in the UK and selling the tour to UK, that’s why I was looking at this template. 🙂
I have a website that only collects names and emails. People sign up to receive the newsletters. What template do I need for this? Thank you!
Strictly (but subject to certain exceptions) you need to provide information to data subjects about how you handle any personal data that you collect and use in the course of your business. In the case of this type of limited functionality website, possible sources of personal data are: (i) website analytics systems (not all of this will be personal data, but some may be); and (ii) any communications you receive from users, eg via email. If the website uses “non-necessary” cookies (whether yours or from a third party), you should also be disclosing information to users about those cookies. All these disclosures are usually contained in a privacy and/or cookies policy.
My website, WHEN up and running, is for double glazing suppliers and fitters; I’m a sole trader and trade under the name raysglaze.
Do I need the policy they are trying to sell me?
Kind regards, Ray
You would need to take proper advice from a data protection lawyer on this.