How to write a Privacy Policy?

The Privacy Notice (Privacy Policy) is a document intended for external use, i.e. for publication on a website or for display in your office.

This document should be as transparent and clear as possible for the recipients.


For this reason, it should be written in plain language and contain specific information. It is also good practice to prepare it in the native language of your customers (although this is not a legal requirement), e.g. in Spanish if the content of your website is written in Spanish and directed at Spanish customers in the UK.

The minimum information you need to provide to your customers in this document is:

  • who the controller of personal data is and their contact details (usually the owner of the website, who should be listed by name together with the name and address of the company);
  • contact details of the Data Protection Officer / EU Representative / UK Representative, if one has been appointed;
  • the purposes of personal data processing and the legal basis for this processing (legal basis can be found in Article 6 of the GDPR) – however, it is about specifying the purposes of your processing and the legal basis you choose, not about rewriting the content of Article 6;
  • if the processing is based on the legitimate interest of the controller, an indication of what that interest is;
  • information on recipients of personal data or categories of recipients, if any;
  • information on whether the data will be transferred to third countries or international organisations;
  • the period of personal data processing – retention time (specifically for each processing purpose – in the minimum time needed to achieve the goal by the controller);
  • data subjects' rights – information on the right to request access to personal data, rectification, portability, deletion or restriction of processing, the right to object to the processing, as well as the right to transfer data;
  • if you process data on the basis of consent – information about the right to withdraw consent at any time without affecting the lawfulness of the processing that was carried out before its withdrawal;
  • about the right to lodge a complaint with the supervisory authority;
  • whether providing personal data is a statutory/contractual requirement or a condition for concluding a contract, whether the person is obliged to provide it, and what the possible consequences of not providing the data are;
  • about automated decision making, including profiling.

Remember, however, that although this document is very important, it does not replace, in the event of an inspection, your company’s internal document, which lists all the most important principles according to which you protect personal data.

We usually refer to it as “Privacy Policy” or “Security Policy”.

Despite publishing your “Privacy Notice” on the website, you should still post brief information about the UK GDPR rules in your company beneath the contact form and on your company’s social media profiles.

It is your responsibility to inform anyone who entrusts you with their personal data about the rules of data processing in your company, within a maximum of 30 days from the moment of receiving the data.

By publishing your Privacy Policy on your website and social media accounts, and by sending a shortened version of your Processing Policy by email to those who entrust you with their data directly, bypassing the website or social media, you can ensure that your policies are clearly communicated to those who need them.

This can help to build trust with your customers and show that you take data protection seriously.

Under data protection law, companies that process data will avoid a penalty only if they can prove that they have done everything to protect the data.

Have a question?

Go to our service page if you need a consultation or other help related to the UK GDPR.
