Website privacy policy

About this privacy statement template

Most businesses and organisations collect data about the people who visit their websites.

Often it is clear to visitors what data is collected and when it happens, for example, when they request that you send them information about your products or services. However, at other times, it might be less obvious, such as when you track their browsing behaviour to measure website and page performance.

From May 2018, the General Data Protection Regulation or GDPR comes into force. This aims to harmonise data protection law across the European Union and strengthen the rights of individuals to know what personal data about them is collected, used and managed.

This template provides the basis for your own privacy policy in a way that allows you to show that you comply with every aspect of the law.

Editing the template

Your privacy statement should reflect the way that your business or organisation collects and uses data.

Although this will differ from organisation to organisation enough to make each privacy notice unique, there are common elements to every policy.

By giving you options for wording these common situations, we hope that we have done as much of the work for you as we can.

However, you will need to spend time editing this policy template. There are advantages to this.

While considering how data is collected, used, and managed, the task of editing should prompt you to think about data handling processes might need to change. For example, you might need to separate access to different types of information.

One aspect of the GDPR that has caught the headlines is the ability of a supervisory body (the Data Protection Commissioner or DPC in Ireland) to hand out large fines for non-compliance.

Based on past action, our opinion is that the DPC is unlikely to use its full powers against smaller businesses and organisations from day one. More likely, a warning will be issued before a fine with time to make good, especially if it can be shown that there was an intention to comply with the law.

Your privacy statement is likely to be the first thing that the DPC will consider when judging whether you have made an attempt to comply with the GDPR and other law. A well written notice is therefore likely to reduce the likelihood of immediate punitive action.

Free to use

We provide this template completely free of charge.

We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.

Features and contents

The document is written in plain language that is visitor friendly, and structured so that it is both easy to read and easy to edit.

The first part of the privacy notice explains the legal bases you have chosen for processing different types of information and how these types are used.

The second part deals with specific uses – less designed to comply with the GDPR and more for the purposes of reassuring customers and protecting you under different law (for example, regarding copyright).

The third part sets out requirements under GDPR once again: whether data is shared with other organisations; how it can be reviewed; and other miscellaneous matters.

In places we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may require a little customisation to reflect fully your policy, but because it is written in plain English, editing it is easy.

This notice can be used by a wide range of types of business and non-profit organisations. Examples of those currently using it include:

• accountants, solicitors and other business consultants
• e-commerce sites
• service providers such as career development coaches and fitness trainers
• blogs and information sites
• web hosting providers
• hotels
• community projects
• not for profit organisations and charities

The contents of the document cover:

• Categories of information collected and used, organised by the legal basis for use
• Visitor contributed content
• Payment and other financial information
• Cookies
• Other personal identifiers from browsing activity
• Advertising, including use of remarketing
• Data transfers and processing outside the EU
• Access to personal information
• Removal of personal information
• Data retention
• Complaints