
Sample IT policies, disclaimers and notices

Sample privacy notice

A privacy notice (also sometimes referred to as a privacy policy) is a key document which you must have if you collect, use or process personal data of European Union citizens.

Under the EU General Data Protection Regulation (GDPR), you must provide this document:

  • to inform people how you collect, process and use their personal data
  • typically at the point of data collection
  • in plain and clear language, accessible format, and free of charge

The GDPR sets out the specific information you must supply to individuals and when.

How to write a GDPR privacy notice

If you collect personal data from the individuals themselves, you must include the following in your privacy notice at the time you obtain the data:

  • the data controller's identity and contact details
  • details of your data protection officer (if you are required to have one)
  • the purpose and legal basis for data processing
  • where the legal basis for processing is legitimate interest, what that interest is
  • where the legal basis is consent, the right to withdraw consent at any time
  • the existence of individuals' rights (known as data subject rights)
  • with whom you will share personal data (named parties or categories of recipients)
  • whether you plan to transfer data to third countries and what safeguards will exist
  • how long you will keep the personal data for (or details of your retention criteria)
  • the right to lodge a complaint with the Information Commissioner's Office
  • if there is a statutory or contractual requirement for the data subject to provide personal data, and if so, the consequences of failing to provide data
  • if you intend to carry out any automated decision making (eg profiling), how you will make these decisions, their significance and possible consequences

In addition to the above, if you collect data from a third party (ie from a source other than the data subject), you must also include in the privacy notice:

  • categories of personal data concerned
  • the source of the data (and whether it came from publicly available sources)

Your privacy notice will usually sit on your website. You should link to it whenever you ask people to, for example, subscribe to your newsletter, register with your service or provide you with personal information in any other way.

Example format for a GDPR-compliant privacy notice

A template document is unlikely to describe your business' exact practices around privacy and data processing. However, you can use our sample privacy notice document below to structure your privacy information in a way that addresses the key GDPR requirements.

It is essential that you customise the document to fit the specific circumstances of your business and the type of data processing that you do.

Download sample privacy notice document (DOC, 19K).

Important

Please note that this sample privacy notice is intended for business use only. We have excluded certain provisions of the GDPR relating to public authorities and other official bodies.

In addition, we reserve the right to review and update this sample document at any point to reflect emerging best practice and case law around the GDPR.

For more information on providing privacy information, see GDPR compliance checklist.