This Privacy Notice template is primarily for SMEs that sell goods and/or services from their website. In accordance with the GDPR requirments, the Privacy Notice explains what personal data the business collects, the reasons and legal basis for collecting and processing personal data, who else might receive the data, how long it will be kept and what rights the individual has to access, amend or erase their personal data. It also explains when consent is needed from the individual.
If you run a business and process data – which can involve no more than collecting the name and email address of visitors to your website – you may also have a legal duty to register as a ‘Data Controller’ with the Information Commissioner, the Government official who administers the Data Protection Act.
To find out more, there is a lot of helpful guidance on the Information Commissioner’s website:
There is no necessity for an introduction but it helps to identify your business and, if you use it, you should fill in the blanks appropriately.
Here you should adapt the wording as necessary to explain what information you are collecting. If, for example, you do not sell anything from your website, then our paragraph about credit card payments should be omitted. If you collect and handle sensitive information about your visitors, then our wording is not appropriate and needs to be strengthened.
This explains what you will do with the information. The paragraph also picks up on one of the duties of a Data Controller, namely to take precautions to keep data secure.
Here again, try to set out what you will do with the information that you collect (within the limits laid down by the Data Protection Act) and alter our wording as appropriate to meet your own objectives.
CHANGES TO THIS POLICY
This is a reminder for you as well as your visitors – if you change your policy you should inform the people whose data you hold and get their consent.
You are required to keep up to date all information that you hold, and this paragraph explains how visitors can contact you.
If you send out newsletters or maintain regular (or irregular) contact with the individuals whose information you hold, you should make it clear in all your communications that they are entitled to have their details removed from your list. And do remember it is in your interests to have a procedure to do this – quite apart from the legal implications, there is nothing more irritating for someone than to keep receiving material from an organization that is of no interest after he/she has asked tot be removed from the mailing list.
Finally, please remember: