What should be in a privacy policy?

Posted on March 21, 2022
Posted by Frankie Mundy

You must be transparent with individuals about the way in which you use their personal data, and you are legally required to provide them with certain information about this. It’s common to set all of this information out in a single privacy policy. To find out what a privacy policy is, read this blog.

Assuming your business is handling personal data as a data controller, we’ve set out below the key privacy information that should be included in your privacy policy. 

A data controller is the person or company that decides how and why personal data will be processed. Most of the data processing a business carries out will be as a data controller, because they will be using the personal data for their own purposes. For example, your business will be acting as a data controller when it uses customers’ personal details to process orders they have made on your ecommerce website. 

Key information to include in a privacy policy

1. The identity and contact details of your business and of your data protection officer (if you have one)

It’s mandatory to appoint a data protection officer (DPO) in some circumstances, although most SMEs won’t need to. To find out more about when a DPO must be appointed, see our Q&A on Data protection officers and staff training.

2. What personal data you will collect (and where from, if you are not getting it from the individual directly)

If you didn’t get the personal data directly from the individuals concerned (eg because you bought a marketing list containing their details), it’s important for your privacy policy to set out where you got the information from. 


3. What you plan to do with the personal data 


4. Your justification for using the personal data

You can only use someone’s personal data if you have a lawful basis for doing so. There are a limited number of lawful bases available to you, and you can only process personal data if one of them applies. For example, you can process personal data if you need to do so in order to fulfil an individual’s order, or if the individual has given their consent to you processing their data. Your privacy policy will need to set out which lawful basis you’re relying on for each type of data processing you carry out.

You can find guidance about the lawful bases for processing personal data in our Q&A on When to use personal data.

5. Whether individuals are required by law or contract to provide their data, and what will happen if they don’t provide it


6. Details about any plans you have to share the personal data

Bear in mind that you may need an individual’s consent if you want to share their personal data. 

You can find guidance about what you need to think about before you share personal data in our Q&A on Sharing personal data.

7. How long you will keep the data for

If possible, your privacy policy should say how long you will keep each type of personal data. If that’s not possible, it should set out the criteria you will use to decide how long to keep it for.

For guidance about storing personal data, see our Q&A on The rules about storing data.


8. What rights individuals have in relation to their data

When you process someone’s personal data, they have the right to make certain requests of you. For example, they can request a copy of their data, they can ask you to amend the data and they can ask you to delete their data. If you’re relying on their consent as your lawful basis (see above), you should also let individuals know that they have the right to withdraw their consent at any time. You must set out all of these rights in your privacy policy. 

For guidance about individuals’ rights in relation to their personal data, see our Q&A on Individuals’ access to personal data.

How to provide a privacy policy

You need to provide individuals with your privacy policy at the point at which you’re collecting their personal data. If you didn’t collect the personal data from the individuals directly, you need to provide them with your privacy policy within a reasonable period of time and, at the latest, within one month, or by the time you first use their data to contact them (if this is earlier).

How you provide it will depend on how you’re collecting the personal data, but you must always make sure the policy is easily accessible, clear, concise and written in plain language. Read this blog in our ecommerce series for more information about when to provide your privacy policy, and this blog for how to provide and display your privacy policy on your website. 

Creating a privacy policy

To create a bespoke privacy policy for your ecommerce website, you can use our template.

The content in this article is up to date at the date of publishing. The information provided is intended only for information purposes, and is not for the purpose of providing legal advice. Sparqa Legal’s Terms of Use apply.