Website Privacy Policy - Template, Sample Form Online Pro · UK-law

Valid in United Kingdom · drafted to comply with local law

Create your Website Privacy Policy - Template, Sample Form Online for use in United Kingdom. Answer a few plain-English questions and the document fills in automatically as you go — then download it in Word and PDF, ready to sign or share. This version has been professionally rewritten to comply with local law.

  • Answer 38 simple questions — the document fills in as you go
  • Live preview: watch your document update in real time
  • Download as Word (.docx) and PDF
  • Edit your answers and re-download anytime


________

WEBSITE PRIVACY POLICY

This website, accessible at ________, is operated by ________. We take the privacy of our users extremely seriously. We therefore encourage all users to read this policy carefully, as it contains important information regarding:

  • who we are;
  • how and why we collect, store, use and share personal data;
  • your rights in relation to your personal data; and
  • how to contact us and the relevant supervisory authority in the event that you have a complaint.

This policy is issued in accordance with the UK General Data Protection Regulation (UK GDPR), as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018, together with the Privacy and Electronic Communications (EC Directive) Regulations 2003.

§ 1. Who we are

________ ('we', 'us', 'our') is the controller of, and is responsible for, the personal data we collect and use about you ('you', 'your', 'yours') within the meaning of the UK GDPR.

Our registered office address is ________ and our company registration number (where applicable) is ________. Our data protection registration number with the Information Commissioner's Office is ________.

Where we have appointed a data protection officer or a designated person responsible for data protection matters, their details are: ________.


§ 2. The personal data we collect and use

Personal data is information from which you can be identified, whether directly or indirectly. It does not include anonymised data.

2.1 Types of personal data

We may process the following categories of personal data in relation to you:

________

2.2 Special categories of personal data

We may also process the following special categories of personal data (sensitive data) in relation to you (within the meaning of Article 9 UK GDPR):

________

2.3 Criminal offence data

We may collect and process data relating to criminal convictions and offences in relation to you (within the meaning of Article 10 UK GDPR and section 11(2) of the Data Protection Act 2018), including:

________


§ 3. How your personal data is collected

This section describes how the above categories of personal data are collected by us.

3.1 Personal data obtained from you directly

We will sometimes obtain data from you directly, including when you:

________

3.2 Personal data obtained by use of cookies or other automated means

We will sometimes obtain data via automated technology, by the use of cookies and other similar technologies. A cookie is a small text file placed onto your computer or electronic device when you access our website. Similar technologies include web beacons, action tags, local shared objects ('flash cookies') and single-pixel gifs. Such technologies can be used to track users' actions and activities and to store information about them, usually in order to monitor and obtain information regarding:

________

3.3 Personal data obtained from third parties

We will sometimes obtain data about you from third-party sources, usually from the following entities:

________

3.4 Automated decision-making

You may be the subject of automated decision-making, meaning the use of personal data to make a decision by electronic means without human intervention. Where any decision producing legal effects concerning you, or similarly significantly affecting you, is made solely by automated means, you will be notified that a decision has been made in this manner. In accordance with Article 22 UK GDPR, you are entitled to obtain human intervention, to express your point of view, and to request that the decision be reviewed or reconsidered by manual means within one month of that decision being made.

3.5 Changes to the way in which we collect your personal data

In the event that we need to obtain personal data in relation to you from any source other than those described above, we shall notify you of this in advance.


§ 4. How we use your personal data

4.1 General purposes

In general, your personal data will be processed for the following purposes:

________

Any special category (sensitive) data in relation to you will be processed for the following purposes:

________

Any criminal offence data in relation to you will be processed for the following purposes:

________

Any automated decision-making will generally take place in relation to the following matters:

________

4.2 Monitoring

We may monitor communications, and in doing so we may obtain your personal data through this process. We will undertake monitoring in the following circumstances:

________

4.3 Credit checking

Where one of the purposes described above is the carrying out of credit checks on you, any such search will be recorded on the files of the credit reference agency. We may also disclose information about how you conduct your account to credit reference agencies, and your information may be linked to records relating to other persons living at the same address with whom you are financially associated.

Other credit businesses may use your information to:

(1) make credit decisions about you and the people with whom you are financially associated;

(2) prevent and detect fraud and money laundering;

(3) ensure you are eligible for certain products and services; and/or

(4) verify the information you provide to us.

4.4 Fraud prevention

We will undertake fraud checks by use of your personal data. This will involve sharing and working with fraud prevention agencies. We do so to protect our own commercial interests, which form part of our legitimate interests as a business pursuant to Article 6(1)(f) UK GDPR.

In general, your data will be used for fraud prevention purposes as follows:

________

Fraud prevention agencies can hold your personal data for different periods of time, the maximum period being six years.


§ 5. Lawful basis for processing your personal data

The purposes for which we process your personal data, described above, will at all times be justified by a lawful basis under UK data protection law.

5.1 General lawful bases (Article 6 UK GDPR)

The lawful bases upon which we are able to process your personal data are:

(1) where we have your consent to use your data for a specific purpose;

(2) where it is necessary to enter into a contract with you or to perform our obligations under a contract with you;

(3) where it is necessary to enable us to comply with a legal obligation;

(4) where it is necessary for our own legitimate interests or those of a third party (provided that your interests and fundamental rights do not override those interests). Where we rely upon this basis, details of the legitimate interests concerned shall be provided to you;

(5) where we need to protect your vital interests (or those of another person); and/or

(6) where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, provided the task or function has a clear basis in law.

The specific lawful basis we rely upon for each of the principal purposes described above is:

________

5.2 Lawful bases applicable to special category (sensitive) data (Article 9 UK GDPR)

Where we process special category data we will, in addition to a lawful basis under section 5.1, rely upon one or more of the following conditions, together with the relevant condition in Schedule 1 to the Data Protection Act 2018 where required:

(1) where you have given explicit consent;

(2) where it is necessary for the purposes of carrying out our obligations in the field of employment, social security and social protection (and authorised by law);

(3) where it is necessary to protect your vital interests or those of another person;

(4) where processing is carried out in the course of legitimate activities by a foundation, association or not-for-profit body with a political, philosophical, religious or trade union aim;

(5) where the data has manifestly been made public by you;

(6) where processing is necessary for the establishment, exercise or defence of legal claims;

(7) where processing is necessary for reasons of substantial public interest;

(8) where processing is necessary for the purposes of medical diagnosis, the provision of health or social care, or treatment;

(9) where processing is necessary for reasons of public interest in the area of public health; and/or

(10) where processing is necessary for scientific or historical research, statistical purposes or archiving in the public interest.

In general, the condition we will usually rely upon for processing your special category data is:

________

5.3 Lawful bases applicable to criminal offence data (Article 10 UK GDPR)

Where we process criminal offence data we will, in addition to a lawful basis under section 5.1, satisfy a condition in Schedule 1 to the Data Protection Act 2018. The condition we generally rely upon in relation to criminal offence data is:

________


§ 6. Sharing of your personal data

On any occasion where any of your personal data is shared with a third-party processor, we shall only permit them to process such data for our required purposes, under our specific instruction, and not for their own purposes. We are required to enter into a written agreement compliant with Article 28 UK GDPR to enable such sharing to take place.

In order to meet the purposes described above, we may need to share your personal data with the following third parties:

________


§ 7. How long your personal data will be kept

Your personal data will only be kept for the period of time necessary for us to fulfil the purposes described above, or as required to comply with our legal and regulatory obligations.

We envisage that your personal data shall be retained by us for the following periods:

________

After the period described above, your data shall be securely deleted or anonymised.


§ 8. Keeping your data secure

We have appropriate technical and organisational measures in place to protect the security of your personal data, in accordance with Article 32 UK GDPR. These measures include:

________

Our information security accreditations and certifications (where applicable) are: ________.

We have procedures in place to deal with any suspected personal data breach, which will be assessed and, where required, reported to the Information Commissioner's Office and to you in accordance with Articles 33 and 34 UK GDPR.


§ 9. Transfers of your data outside the United Kingdom

In order to meet the purposes and lawful bases described above, we may transfer your personal data outside of the United Kingdom. Your personal data may be transferred to:

________

The safeguard we rely upon in respect of the transfers described above is:

________


§ 10. Children

Our website is not intended for children (anybody under the age of 18) and we do not knowingly collect data from children. Where we offer information society services directly to a child, we will only rely on consent where the child is at least 13 years of age, in accordance with section 9 of the Data Protection Act 2018.


§ 11. Your rights

Under the UK GDPR you have a number of important rights, which you may exercise free of charge. In summary, these include the rights to:

(1) be informed about how we use your personal data and to fair and transparent processing;

(2) access to your personal data and to certain supplementary information;

(3) require us to correct any inaccurate personal data we hold about you;

(4) require the erasure of your personal data in certain situations;

(5) receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to have it transmitted to a third party in certain situations (data portability);

(6) object at any time to the processing of your personal data for direct marketing;

(7) not be subject to decisions taken solely by automated means which produce legal effects concerning you or similarly significantly affect you;

(8) restrict our processing of your personal data in certain circumstances;

(9) object to our processing of your personal data where we rely upon a legitimate interest of our own or of a third party;

(10) claim compensation for damage caused by our breach of data protection law; and/or

(11) withdraw your consent at any time where we rely upon consent for processing (without affecting the lawfulness of processing before withdrawal).

For further information on each of these rights, including the circumstances in which they apply, please refer to the guidance published by the UK Information Commissioner's Office (ICO).

If you would like to exercise any of these rights, please contact ________ in the following manner:

________

We will respond to any valid request within one month of receipt, although this period may be extended by a further two months where requests are complex or numerous, in which case we will inform you.


§ 12. How to make a complaint

We hope that we can resolve any query or concern you may raise about our use of your personal data.

The UK GDPR also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the United Kingdom is the Information Commissioner's Office (ICO), which may be contacted at https://ico.org.uk/concerns or by telephone on 0303 123 1113.

We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO, so please contact us in the first instance using the details set out above.


§ 13. Changes to this privacy policy

This privacy policy was published on ________ and last updated on ________.

We may change this privacy policy from time to time and will notify you of any material changes by:

________


§ 14. Contacting us

The relevant person to contact regarding your personal data is: ________.

Any requests or questions regarding the use of your personal data should be made to the above-named person using the following method:

________


§ 15. Sources of further information

This policy provides key information regarding the processing of your data. For certain areas of our information processing, we hold further comprehensive details in other documentation, which can be located as follows:

  • Our policy regarding the use of cookies and other similar technologies, entitled ________, can be located at:

________

  • Our policy regarding the use of your special category (sensitive) data, entitled ________, can be located at:

________

  • Our policy regarding the use of criminal offence data, entitled ________, can be located at:

________

  • As described above, we use credit reference agencies to perform credit checking. The three credit reference agencies have a joint Credit Reference Agency Information Notice (CRAIN) available at:

https://www.transunion.co.uk/crain

https://www.equifax.co.uk/crain

https://www.experian.co.uk/crain

This template is general guidance only — not legal advice.