Stay Legal UK

What is a website privacy policy?


An online business must have a privacy policy that complies with the General Data Protection Regulation ((EU) 2016/679) (GDPR) and the Data Protection Act 2018. A privacy policy informs the website's users how the business collects, uses, stores, transfers and secures the personal data it obtains through the website and in providing its goods and services.

The GDPR sets out principles which must be complied with when processing personal data. These include transparency requirements, under which controllers must notify data subjects about their personal data handling practices, via a privacy policy, at the time the data is collected.

The GDPR states that businesses must provide data subjects with the following information:

  • The controller’s identity (legal entity) and contact details and, where applicable, those of its representative.
  • The contact details of the data protection officer, where applicable.
  • The intended purposes of the processing and its legal basis.
  • If the processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the business or by a third party.
  • The recipients or categories of recipients of the personal data, if any.
  • If the business intends to transfer the data outside of the EU or to an international organisation, information about the appropriate or suitable safeguards in place to secure the data and the means by which to obtain a copy of them.
  • The period for which the personal data will be stored, or the criteria used to determine that period.
  • The existence of the individual’s rights of access, rectification, erasure, restriction of processing, objection to processing and data portability.
  • If processing is based on the individual’s consent, the right to withdraw that consent at any time.
  • The right to lodge a complaint with the supervisory authority.
  • If providing personal data is a statutory or contractual requirement, the individual must be informed of that obligation and of the consequences of failing to provide the data.
  • The existence of automated decision-making, including profiling, together with meaningful information about the logic involved and the significance and envisaged consequences of such processing for the individual.

The GDPR gives member states limited scope to maintain, adapt or introduce more specific provisions regarding compliance with a legal obligation, the performance of a task carried out in the public interest, or the exercise of official authority. In the UK this is done through the Data Protection Act 2018.

It is vital that a privacy policy does not make statements or promises that the business cannot fulfil, because data subjects and privacy regulators can enforce any of its terms. Before a privacy policy is publicly released it should be reviewed by senior management, the employees responsible for operating the website and collecting data, the IT groups responsible for security, the operating units responsible for controlling access to and using the personal data collected, and legal counsel. It is also important to regularly audit and verify compliance with the statements contained in the privacy policy.

At Lawdit Stay Legal we can draft your website's privacy policy to ensure that your business is complying with the data protection laws.
