1. Fill in your business/company name, domain name(s) and the name of the person who is nominated as your data controller where indicated. As the clause notes, you will generally need to be registered with the Information Commissioner’s Office if you handle personal data for marketing purposes. If in doubt it is better to register, as the cost of being registered is £35 per year and this will generally mean you avoid prosecution for not being registered (although you still have to comply with the 8 principles of data protection). For more information on data protection and to register (called “making a notification”) go to https://www.ico.org.uk.
2. If you do not offer an e-newsletter, delete the phrase that is in square brackets. Add any other purposes for which you might process their personal data.
3. This clause states that you do not receive (and therefore do not retain) their payment details. If you use certain payment agencies to take card payments for you this should be correct, but you will need to check this and make amendments if it is not the case. On line 4 fill in your business/company name.
4. This clause says what you use the personal data for (i.e. to run your business) and states that you will not sell, etc the personal data to third parties. If correct remove the square brackets. If this is not correct, then delete the phrase that is in square brackets.
5. This clause warns customers that their data may not be secure as they transmit it to you, but that, once received, you will then do your best to keep it safe (this is one of the 8 data protection principles you must comply with). In clauses 5.5 and 5.6, if you will not transfer personal data to third parties, delete the phrase that is in square brackets.
6. You must give customers an easy opportunity to opt out of your using their data for marketing. Fill in your contact email for this purpose. If you do not share data with third parties, then delete the phrase that is in square brackets. You may need to adapt this clause to suit how you collect personal data.
7. This clause is a note about use of statistics.
8. As the Data Protection Act 1998 states that personal information must not be transferred to other countries without adequate protection (this is one of the 8 data protection principles you must comply with), although you can warn people that you might be transferring their data abroad, and therefore they consent to it by implication, the onus is still on you to ensure that any parties hosting your data on overseas servers that are outside of the EEA (as is common) agree to abide by similar restrictions to those imposed by the Data Protection Act 1998. Within the EU, member states are under similar laws to the Data Protection Act 1998, as it originates from the EU, so transfers to other EU countries are covered.
9. You are not permitted to process sensitive personal data without the owner’s explicit consent. Most online businesses would have no need to gather or use such information.
10. This clause gives you the right to transfer the personal data in the event that your business is sold. Fill in the name of your business/company on line 4.
11. This clause advises customers that you can also process/disclose personal data where required by law.
12. You have to offer people the right to opt out of marketing material in the future. Fill in your preferred contact email address. Ideally any marketing emails you send should repeat this opt-out provision.
13. Security – This clause warns customers that data while being transmitted to you might not be secure.
14. This warns your customers to choose a secure password and to keep it secure.
15. Third party links – This clause warns customers that you are not responsible for how other websites that have links on your site might handle personal data.
17. Access to information – As required by the Data Protection Act, you must permit a person you hold personal data about to check and inspect that personal data, but you can make a nominal charge for such access.
18. Changes to this policy – This clause provides that you can amend the policy over time. Fill in your preferred contact postal address and email address in the unnumbered clause that follows. Then at the end of the document fill in the month and year when you adopt this policy. If you update it again in the future, update this date.