The policy should be as short as possible and clear enough that people can fully understand it. As well as being accurate, it should be written in layman’s terms and in uncomplicated language.
- Legal name, address and registered number (for a limited company)
You should be sure to include your full legal entity name and trading name too.
- The right to make a complaint to a supervisory authority
Users must be informed that they can contact the ICO freely.
- That personal data is being collected
Here you should detail the types of personal data you collect, and where it comes from. Also ensure the information is genuinely needed.
- Explain why you are collecting the personal data
You need to explain why the personal data is needed – for example, to provide the user with the services they request.
- Whether there are joint data controllers involved
You need to be clear on who else is looking after, or has access to, your data.
- Whether the website is aimed at under-16s
This is something that you need to consider.
- How you will contact users based on the information they have provided – for example, via email, phone, text
You need to have a record of how the users would like to be contacted.
- Details of how users can opt out
You must clearly explain how users can opt out, and delete their account should they wish.
It must be explained how users can view and access the updated versions, and whether or not a user is required to save their policy.
- Be clear about retention
You need to specify how long you will hold the personal data, and your reasons for this time frame.
- Legal rights
It must be clear to users what information they are allowed to ask for, in relation to their personal data.
You must keep users’ personal data secure, and clearly highlight the measures you are taking to protect their data.
- DPO contact
If you are required to have a data protection officer, you need to add in their contact details.
- Third parties with whom you share the information
If you do share the data with other parties, you need to not only make this clear, but specify who they are.
- International transfers
You also need to specify if the data will be transferred outside of the EEA, and if so with whom.