GDPR Guidance

General guidance:

  • The first step is to read our factsheets on GDPR and the lawful processing of personal data.
  • The Information Commissioner’s Office (ICO) regularly provides updates to their guidance around the data protection rules. We will update our documents accordingly, so please ensure that you are using the most up-to-date version of our documents. Further guidance from the ICO is likely to affect the content of our Privacy Notices.
  • Developments in relation to website cookies are expected at some point in 2018; please check back regularly, as we’ll update our Privacy Notices to comply with any changes in the law in this regard where it’s needed.
  • This example is not suitable if you collect any Special Categories of Personal Data about individuals (this includes details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about their health and genetic and biometric data).

This example is also not suitable if:

  • You provide interactive features;
  • You provide social media applications;
  • You offer online information services to children; or
  • You process data about criminal convictions or offences.
  • In addition, businesses will typically provide suppliers and employees’ privacy notices through separate policies.
  • We suggest that you copy and paste the content of the template notice to your business headed notepaper. As it’s only a template, you have to amend the contents of the notice to personalise it for your circumstances.
  • You need to pay careful attention to any information in brackets [ ] on the template, as you need to insert the correct required information.
  • This notice is drafted for use if you are a data controller i.e. a data controller determines the purposes and means of processing personal data.
  • You must determine your purpose and lawful basis for processing before you begin your processing activities and you should document it. For an online business this will usually be done through your website privacy notice.
  • Where your processing is based on legitimate interest, you must specify what that interest is.
  • This template may be used and amended if you collect general personal data (such as name and contact details) for the purpose of supplying goods/services, providing content or information or marketing your products/services. It may also be adapted for use about users’ online behaviour, i.e. IP addresses.
  • Please note that if your purposes change, you may only be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent – you will need to obtain fresh consent if your purpose changes).

More information on lawful processing can be found on the ICO website.

  • Once you’ve completed this template you should make it clearly visible on each page of your website. You should also use this in conjunction with your terms of use and cookie policy.
  • You may present this privacy notice in a layered notice format, which combines a short summary with a link to more detailed pieces of information.
  • To be able to complete this template you may need to do an analysis or audit to determine exactly how your business collects, uses, stores and shares personal data.
  • You may not need all of the sections that we’ve included in this template, as each business and its processing activities will vary.

Other suggestions with reference to the Data Privacy Notice for Websites:


The controller's identity (meaning the name of the legal entity) and contact details and its representative, if any.


You need to list the personal data that you collect on individuals via your website. This may include, but is not limited to, identity data, financial data and contact data. You need to personalise the list to suit your business needs.

Remove the paragraph that deals with Aggregated Data if you do not collect that type of personal data.

For example, online businesses often collect:

  • Financial Data includes [bank account/payment card details].
  • Transaction Data includes [details about payments to and from you/other details of products and services you have purchased from us].
  • Technical Data includes [IP address/your login data/browser type and version/location/operating system and platform/other technology on the devices you use to access this website].
  • Profile Data includes [your username and password/purchases or orders made by you/your interests/preferences/feedback].
  • Usage Data includes [information about how you use our website, products and services].
  • Marketing and Communications Data includes [your preferences in receiving marketing from us and our third parties/your communication preferences].

You need to clarify the methods you use to collect personal data. We have added more examples below but you will need to personalise this to your business.

  • Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our cookie policy [INSERT LINK] for further details.
  • Third parties or publicly available sources. We may receive personal data about you from various third parties [and public sources] as set out below [DELETE OR ADD TO THIS LIST AS APPROPRIATE]:
    • [Technical Data from the following parties:]
      (a) Analytics providers [such as Google based outside the EU];
      (b) Search information providers [such as [NAME] based [inside OR outside] the EU].
    • Contact, Financial and Transaction Data from providers of technical, payment and delivery services [such as [NAME] based [inside OR outside] the EU].
    • Identity and Contact Data from publicly available sources [such as Companies House and the Electoral Register based inside the EU].

The GDPR says you must set out the purpose and legal basis of any processing. This implies that each purpose or activity should be matched to a specific legal basis, including making it clear if you have an additional legal basis per activity, where relevant.

If you rely on the basis of legitimate interest, the GDPR requires you to set out the legitimate interests being relied on.

More information on this and the different lawful bases under GDPR can be found on the ICO website.

You should also provide information around any marketing activities and cookies that you use on your website.

If you do not rely on consent as a legal basis for processing, then remove the paragraph that refers to consent which can be found above the heading: Purposes for which we will use your personal data.
You need to include both internal and external parties that you share the data with.


Where applicable, you need to confirm if your business intends to transfer the personal data to a recipient in a country outside the EEA or an international organisation, and the existence or absence of a Commission adequacy decision or information about the appropriate or suitable safeguards adduced to secure the data and the means to obtain a copy of them. The ICO website has more information about international transfers.


In this section you need to explain the appropriate technical and organisational measures that you have in place to process data securely and to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.


You must tell individuals the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period.


You have to inform individuals of their rights under the Data Protection Legislation. This includes:

  • The right of access;
  • The right to be informed;
  • The right to rectification;
  • The right to erasure;
  • The right to restriction of processing;
  • Rights related to automated decision making (including profiling);
  • The right to object to processing; and
  • The right to data portability.

1. Changes to this notice and your duty to inform us of changes

You should provide information to the individual to confirm when you make changes to your website privacy policy. You should also request that individuals keep you informed if their personal data changes during their relationship with you.


State who in your business deals with data matters. If you have a Data Protection Officer or Representative, you should add that information and contact details. You should also state the individual's right to lodge a complaint with the supervisory authority.


Markel Law owns the copyright in this document. You must not use this document in any way that infringes the intellectual property rights in it. You may download and print this document which you may then use, copy or reproduce for your own internal non-profit making purposes. However, under no circumstances are you permitted to use, copy or reproduce this document with a view to profit or gain. In addition, you must not sell or distribute this document to third parties who are not members of your organisation, whether for monetary payment or otherwise.

This document is intended to serve as general guidance only and does not constitute legal advice. The application and impact of laws can vary widely based on the specific facts involved. This document should not be used as a substitute for consultation with professional legal or other competent advisers. Before making any decision or taking any action, you should consult a Markel Law professional.
In no circumstances will Markel Law LLP, or any company within the Markel Group be liable for any decision made or action taken in reliance on the information contained within this document or for any consequential, special or similar damages, even if advised of the possibility of such damages.