Sample preview. Placeholders in [brackets] are replaced automatically with your answers from the post-purchase customisation form.

GDPR Compliance Suite

Privacy Notice (External)

Document 1 of [number of documents in suite] · One-time £20 for the full suite

1. Who we are

[Company Name] ("we", "us", "our") is the controller of the personal data described in this notice. Our registered address is [Registered Address]. You can contact our Data Protection Officer at [DPO Email].

2. What this notice covers

This notice explains what personal data we collect when you visit our website, contact us, or use our services, why we collect it, who we share it with, how long we keep it, and the rights you have over it.

3. Personal data we collect

  • Identity & contact data: name, job title, employer, email address, phone number.
  • Account data: username, password (hashed), account preferences.
  • Transaction data: orders, invoices, payment confirmations (payment card data is handled by our payment processor, not stored by us).
  • Technical data: IP address, browser type, device identifiers, pages viewed, referring URL.
  • Communications data: messages you send us through forms, email or chat.
  • Marketing data: your preferences for receiving marketing from us.

4. How we collect it

We collect personal data directly from you (when you fill in a form, place an order, or contact us), automatically (cookies and similar technologies — see section 11), and occasionally from third parties such as business directories or your employer.

5. Why we use it (purposes) and the lawful basis

| Purpose | Lawful basis |
|---|---|
| Provide and operate our services | Performance of a contract |
| Customer support and account administration | Performance of a contract; legitimate interests |
| Security, fraud prevention, audit logging | Legitimate interests; legal obligation |
| Service improvement and analytics | Legitimate interests |
| Marketing communications | Consent (you can withdraw at any time) |
| Comply with legal and regulatory obligations | Legal obligation |

Where we rely on legitimate interests, we have carried out a balancing assessment which is available on request.

6. Who we share it with

  • Service providers / processors acting on our instructions (hosting, email delivery, analytics, customer support tooling). All are bound by written contracts that meet Article 28 UK GDPR requirements.
  • Professional advisers such as accountants, auditors and lawyers, under duties of confidentiality.
  • Authorities, regulators and law enforcement where required by law or to defend our legal rights.
  • Successors in the event of a merger, acquisition or reorganisation of [Company Name].

We do not sell your personal data.

7. International transfers

Where personal data is transferred outside the United Kingdom or the European Economic Area, we rely on an adequacy decision, the UK Addendum to the EU Standard Contractual Clauses, the IDTA, or another approved safeguard. A copy of the relevant safeguard is available from [DPO Email].

8. How long we keep it

We keep personal data only as long as we need it for the purposes set out above, to meet our legal and accounting obligations, and to defend or pursue legal claims. Our default retention period is [Default Retention Period]. Specific retention periods per record type are set out in our Records Retention Schedule.

9. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data rectified.
  • Have data erased where there is no good reason to continue processing.
  • Restrict or object to certain processing, including direct marketing.
  • Receive your data in a portable format.
  • Withdraw consent at any time, where processing is based on consent.
  • Complain to the Information Commissioner's Office ([ico.org.uk](https://ico.org.uk)) or your local supervisory authority.

To exercise any right, contact [DPO Email]. We will respond within one calendar month.

10. Security

We use appropriate technical and organisational measures including encryption in transit and at rest, role-based access control, vulnerability management, staff training and incident response procedures. No system is perfectly secure; we keep our measures under review.

11. Cookies

Our website uses essential cookies needed to operate the site, and (with your consent) analytics and marketing cookies. You can manage your preferences through the cookie banner on first visit or by clearing cookies in your browser. A full cookie list is available at [Cookie Policy URL].

12. Children

Our services are not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact [DPO Email].

13. Changes to this notice

We may update this notice from time to time. Material changes will be highlighted on this page and, where appropriate, notified to you by email.

Controller: [Company Name]
Data Protection Officer: [Data Protection Officer] [DPO Email]
Effective date: [Effective Date]
Next review: [Review Date]
