Privacy Policy

This document can be used as the privacy policy for a website based in the European Economic Area. It has been updated to reflect the requirements of the General Data Protection Regulation ("GDPR") and sets out the website's policies with regards to a number of key issues concerning personal information and privacy:

what information is collected

how that information is used

who that information may be shared with

marketing policies

credit checking policies

non-EEA transfers

information security

user rights

It should be noted that this document only includes a privacy policy. Further documents such as terms and conditions of use, terms, and conditions of sale, and separate cookie policy may also be required. However, such documents are not included and must be obtained separately.

Further, please note that prior to completing the document, users should consider the lawful bases for their processing of personal information. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever an entity processes personal data:

(a) Consent: the individual has given clear consent to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract with the individual, or because they have asked the relevant entity to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for an entity to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone's life.

(e) Public task: the processing is necessary for the relevant entity to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for an entity's legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if the entity is a public authority processing data to perform their official tasks.)

Further information can be found on the ICO website's page on the lawful basis for processing.


How to use the document

In order for the privacy policy to be effective, the user will have to actually be made aware of the policy. So firstly, it will need to be published on the website.

However many websites will also refer to the privacy policy within their terms and conditions of use, such that the user can be considered to be agreeing to the privacy policy.

If the website deals with "sensitive personal information" it will also be necessary for the website to display a separate notice (e.g. a popup box with checkbox) for the user when collecting such information which will:

display a clear and prominent request for the information just prior to the point of collection

ask the user to opt-in or consent to the collection of such information

provide enough information to enable the user to make an informed choice

record their response

Sensitive personal information includes information relating to ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, or criminal record.

If user details are used for marketing purposes either by the website operators, by group companies, or by 3rd parties with whom the website operators share such information, users should be given an opportunity to opt-in and thereafter opt-out of any such marketing messages when such details are collected.

If personal information will be transferred to non-EEA countries by the website or its operators, entities will need to consider the safeguards surrounding such transfers and may need to use an EU commission approved model contract or EU commission approved corporate binding rules.

If the website relies upon consent as a lawful basis for processing any personal information, such consent must also be expressly collected and recorded by the website (e.g. through a checkbox), in circumstances where the user is fully informed about the nature of their consent. Indeed, the user should also confirm that they are old enough to provide any such consent.

Further information, guidance, and a code of practice can be found on the Information Commissioner's Office website.

In addition to this privacy policy, business owners who are selling goods or services online will also need a separate set of terms and conditions for the sale of goods, and/or terms and conditions for the sale of services - which explain the rules in relation to any sales made through the website. In addition, if cookies are used, a cookie policy will be required. Finally, an acceptable use policy may also help set out the ways in which the website may be used.