Checklist: what to include in your website privacy notice to comply with the UK GDPR
What information should my website privacy notice include?
Use our privacy notice checklist to make sure that you include all the key information needed to comply with Article 13 of the UK GDPR:
1. Name and contact details of your organisation
A website privacy notice must contain details of the relevant “controller” of personal data, including the organisation’s name and contact details. The UK GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
2. Contact details of your data protection officer and representative (if applicable)
Data protection officer (DPO) - if your business has a DPO, the DPO’s details should be set out in the website privacy notice. A DPO is an organisation's internal expert who monitors the processing of personal data and helps with adhering to privacy laws. Appointing a data protection officer is mandatory (under data protection law) in three cases:
the company's core business requires the extensive, regular and systematic monitoring of data subjects. In telephone and telecom service companies, for example, a data protection officer is generally required;
the company's core business is the extensive processing of special category data. Health data is a typical example of special category data, so the major healthcare operators must appoint a data protection officer; and
the data processing is performed by an authority or a public body.
It is also possible to voluntarily appoint a data protection officer, even when not mandatory to do so.
Representative - if your business has a representative, the representative’s details should be set out in the website privacy notice. A representative is an organisation that represents you if you are based outside the UK but offer services to, or monitor the behaviour of, people in the UK.
3. Purposes of the processing
You must tell the website visitor why you need to collect personal data from them. Your website privacy notice should set out, in a clear and granular way, each purpose for which personal data is processed, e.g. to process the customer’s online order or to send marketing materials to them.
4. Lawful basis for the processing
Whenever you collect, use or share personal data, there must be a lawful basis for it.
There are six lawful bases which organisations can rely on under the UK GDPR:
Contract - the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract;
Legal obligation - the processing is necessary for you to comply with the law;
Legitimate interests - the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests;
Consent - the individual has given clear and explicit consent for you to process their personal data for a specific purpose;
Vital interests - the processing is necessary to protect someone’s life; or
Public task - the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
5. Legitimate interests for the processing
If one of the lawful bases that is being relied upon is legitimate interests, your website privacy notice should tell individuals what that legitimate interest is. To rely on the legitimate interests lawful basis, the company must consider whether its legitimate interest (i.e. its good business reason) outweighs the data subject's rights and freedoms (e.g. their right to privacy). The company should conduct a legitimate interest assessment whenever it relies on legitimate interest as a lawful basis. Some examples of legitimate interest could be: customer service, processing of personal data within a group structure, investigation of misconduct (e.g. camera surveillance), product and service development, call recording and log register activities.
6. Recipients, or categories of recipients, of the personal data
A website privacy notice must tell data subjects who their data is shared with. You should include people you share information with internally (e.g. the company's employees and contractors), third parties that support the company's business operations (e.g. your website developer or other suppliers) and other third parties you share information with (e.g. the tax authorities).
7. International transfers
The website visitor must be informed if their personal data is (or could be) transferred outside the UK. If personal data is transferred to a third country, your website privacy notice should include details of the safeguard mechanism you rely on to ensure that the transfer is lawful. A “third country” is a country outside of the UK that does not have an adequacy decision.
8. Retention periods
You must tell website visitors when their personal data will be permanently deleted after the purpose for processing it has ended (known as the "retention period"). If you cannot provide an exact timeframe (e.g. six months) then you must instead explain the criteria you use to decide how long to keep the data subject's personal data. Data retention is permitted under data protection laws only for as long as necessary to fulfil the purposes for which the data was collected.
9. Data subject rights
It is a legal requirement for privacy notices to ensure that the data subject is informed of their specific rights under data protection laws. These rights include:
Right to request access to personal data - data subjects (i.e. individuals whose personal data is being processed) have the right to receive confirmation as to whether personal data concerning them is being processed and, if it is, the right to receive a copy of their personal data. This type of request from a data subject is often called a "Data subject access request" or "DSAR".
Right to rectification - the data subject can ask for their personal data to be rectified (i.e. corrected) or updated if they believe it is incorrect. You can refuse to update or change their personal data until you have proof of the update / change e.g. a utility bill which confirms their new address.
Right to erasure - also known as the "right to be forgotten". There are a few exceptions under which the personal data does not need to be erased even if requested by the data subject. For example, you do not have to delete their personal data if the request is manifestly unfounded or excessive. If you decide you will not delete their personal data, you should explain your decision to the data subject.
Right to restriction of processing - the data subject may request that you stop collecting, using or sharing their personal data if they are unclear about, or disagree with, how their personal data is being used. For example, if the data subject states that their personal data is incorrect, they may prohibit you from collecting, using or sharing it until it has been corrected.
Right to object - if the data subject asks you to stop collecting, using or sharing their personal data, you do not have to comply provided you can demonstrate you have a good business reason to keep using their personal data (and that reason outweighs the data subject's rights and freedoms, e.g. their right to privacy). However, you must comply with their request if a data subject tells you to: (i) stop sending them marketing information; (ii) stop any automatic decision-making you make about them; or (iii) stop profiling them.
Right to data portability - if the data subject asks you to, and it is technically possible to do so, you should transfer their personal data to them or the organisation the data subject has specified.
Right to lodge a complaint with a supervisory authority - the data subject can always complain to the Information Commissioner's Office (ICO) if they believe you have breached data protection law. You cannot oblige them to follow your complaints procedure – they are always free to contact the regulator. However, you can encourage the data subject to contact you with any concerns first.
Right to withdraw consent - if you rely on consent as a lawful basis for processing, you must let people know that they can withdraw their consent for your processing of their personal data at any time. Consent must be as easy to withdraw as it is to give and you should tell people how they can do this.
10. Automated decision-making, including profiling
If personal data is used for profiling or other automated decision-making concerning the data subject, the website privacy notice must give data subjects meaningful information about the logic involved in that processing.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data e.g. awarding a loan online.
Find out more about privacy notices by reading this comprehensive guide.
How can Docue help? Use our website privacy notice template!
All of the areas listed above can be easily included in our website privacy notice template, plus more, so that you have a fully customised and compliant website privacy notice. All you need to do is answer a series of simple questions and your document will be updated in real time to reflect your answers. And don’t worry if you get stuck along the way - our lawyer-drafted guidance notes are there to guide you through every step of the process.