Privacy Policy
Last updated: 21/03/2020
1. Introduction
1.1 We are
committed to safeguarding the privacy of [our website visitors and service
users].
1.2 This policy
applies where we are acting as a data controller with respect to the personal
data of [our website visitors and service users]; in other words, where we
determine the purposes and means of the processing of that personal data.
1.3 We use
cookies on our website. Insofar as those cookies are not strictly necessary for
the provision of [our website and services], we will ask you to consent to our
use of cookies when you first visit our website.
1.4 Our website
incorporates privacy controls which affect how we will process your personal
data. By using the privacy controls, you can [specify whether you would like to
receive direct marketing communications and limit the publication of your
information]. You can access the privacy controls via [URL].
1.5 In this
policy, "we", "us" and "our" refer to [data
controller name].[ For more information about us, see Section 13.]
3. How we use your personal data
3.1 In this
Section 3 we have set out:
(a) the general
categories of personal data that we may process;
(b) [in the case
of personal data that we did not obtain directly from you, the source and
specific categories of that data];
(c) the purposes
for which we may process personal data; and
(d) the legal
bases of the processing.
3.2 We may
process [data about your use of our website and services] ("usage data").
The usage data may include [your IP address, geographical location, browser
type and version, operating system, referral source, length of visit, page
views and website navigation paths, as well as information about the timing,
frequency and pattern of your service use]. The source of the usage data is
[our analytics tracking system]. This usage data may be processed [for the
purposes of analysing the use of the website and services]. The legal basis for
this processing is [consent] OR [our legitimate interests, namely [monitoring
and improving our website and services]] OR [[specify basis]].
3.3 We may
process [your website user account data] ("account data").[
The account data may [include your name and email address].][ The source of the
account data is [you or your employer].] The account data may be processed [for
the purposes of operating our website, providing our services, ensuring the
security of our website and services, maintaining back-ups of our databases and
communicating with you.] The legal basis for this processing is [consent] OR
[our legitimate interests, namely [the proper administration of our website and
business]] OR [the performance of a contract between you and us and/or taking
steps, at your request, to enter into such a contract] OR [[specify basis]].
3.4 We may
process [information that you post for publication on our website or through
our services] ("publication data"). The publication data may
be processed [for the purposes of enabling such publication and administering
our website and services]. The legal basis for this processing is [consent] OR
[our legitimate interests, namely [the proper administration of our website and
business]] OR [the performance of a contract between you and us and/or taking
steps, at your request, to enter into such a contract] OR [[specify basis]].
3.5 We may
process [information contained in any enquiry you submit to us regarding goods
and/or services] ("enquiry data"). The enquiry data may be
processed [for the purposes of offering, marketing and selling relevant goods
and/or services to you]. The legal basis for this processing is [consent] OR
[our legitimate interests, namely [the proper administration of our website and
business]] OR [the performance of a contract between you and us and/or taking
steps, at your request, to enter into such a contract] OR [[specify
basis]].
3.6 We may
process [information relating to transactions, including purchases of goods
and/or services, that you enter into with us and/or through our website]
("transaction data").[ The transaction data may include [your
contact details, your card details and the transaction details].][ The source
of the transaction data is [you and/or our payment services provider].] The
transaction data may be processed [for the purpose of supplying the purchased
goods and/or services and keeping proper records of those transactions]. The
legal basis for this processing is [the performance of a contract between you
and us and/or taking steps, at your request, to enter into such a contract;
providing that, if you are not the person contracting with us, the legal basis
for this processing is our legitimate interests, namely [the proper
administration of our website and business]] OR [[specify basis]].
3.7 We may
process [information that you provide to us for the purpose of subscribing to
our email notifications and/or newsletters] ("notification data").
The notification data may be processed [for the purposes of sending you the
relevant notifications and/or newsletters]. The legal basis for this processing
is [consent] OR [our legitimate interests, namely [communications with our
website visitors and service users]] OR [the performance of a contract between
you and us and/or taking steps, at your request, to enter into such a contract]
OR [[specify basis]].
3.8 We may
process [identify general category of data].[ This data may include [list
specific items of data].][ The source of this data is [identify source].]
This data may be processed for [specify purposes]. The legal basis for
this processing is [consent] OR [our legitimate interests, namely [specify
legitimate interests]] OR [the performance of a contract between you and us
and/or taking steps, at your request, to enter into such a contract] OR [[specify
basis]].
3.9 We may
process [any of your personal data identified in this policy] where necessary
for [the establishment, exercise or defence of legal claims, whether in court
proceedings or in an administrative or out-of-court procedure]. The legal basis
for this processing is our legitimate interests, namely [the protection and
assertion of our legal rights, your legal rights and the legal rights of
others].
3.10 We may process
[any of your personal data identified in this policy] where necessary for [the
purposes of obtaining or maintaining insurance coverage, managing risks, or
obtaining professional advice]. The legal basis for this processing is our
legitimate interests, namely [the proper protection of our business against
risks].
3.11 In addition to
the specific purposes for which we may process your personal data set out in
this Section 3, we may also process [any of your personal data] where such
processing is necessary[ for compliance with a legal obligation to which we are
subject, or] in order to protect your vital interests or the vital interests of
another natural person.
3.12 Please do not
supply any other person's personal data to us, unless we prompt you to do so.
4. Providing your personal data to others
4.1 We may
disclose [your personal data] to [our insurers and/or professional advisers]
insofar as reasonably necessary for the purposes of [obtaining or maintaining
insurance coverage, managing risks, obtaining professional advice, or the
establishment, exercise or defence of legal claims, whether in court
proceedings or in an administrative or out-of-court procedure].
4.2 [Your
personal data held in our website database] OR [[Identify personal data
category or categories]] will be stored on the servers of our hosting
services providers[ identified at [URL]].
4.3 We may
disclose [specify personal data category or categories] to [our
suppliers or subcontractors][ identified at [URL]] insofar as reasonably
necessary for [specify purposes].
4.4 In addition
to the specific disclosures of personal data set out in this Section 4, we may
disclose your personal data where such disclosure is necessary for compliance
with a legal obligation to which we are subject, or in order to protect your
vital interests or the vital interests of another natural person.[ We may also
disclose your personal data where such disclosure is necessary for the
establishment, exercise or defence of legal claims, whether in court
proceedings or in an administrative or out-of-court procedure.]
5. International transfers of your personal data
5.1 In this
Section 5, we provide information about the circumstances in which your
personal data may be transferred to [countries outside the European Economic
Area (EEA)].
5.2 The hosting
facilities for our website are situated in [specify countries].[ The
European Commission has made an "adequacy decision" with respect to
[the data protection laws of each of these countries].][ Transfers to [each of
these countries] will be protected by appropriate safeguards, namely [the use
of standard data protection clauses adopted or approved by the European
Commission, a copy of which you can obtain from [source]] OR [[specify
appropriate safeguards and means to obtain a copy]].]
5.3 [Specify
category or categories of supplier or subcontractor] [is] OR [are] situated
in [specify countries].[ The European Commission has made an
"adequacy decision" with respect to [the data protection laws of each
of these countries].][ Transfers to [each of these countries] will be protected
by appropriate safeguards, namely [the use of standard data protection clauses
adopted or approved by the European Commission, a copy of which can be obtained
from [source]] OR [[specify appropriate safeguards and means to
obtain a copy]].]
5.4 You
acknowledge that [personal data that you submit for publication through our
website or services] may be available, via the internet, around the world. We
cannot prevent the use (or misuse) of such personal data by others.
6. Retaining and deleting personal data
6.1 This Section
6 sets out our data retention policies and procedure, which are designed to
help ensure that we comply with our legal obligations in relation to the
retention and deletion of personal data.
6.2 Personal data
that we process for any purpose or purposes shall not be kept for longer than
is necessary for that purpose or those purposes.
6.3 We will
retain your personal data as follows:
(a) [usage data
will be retained for a minimum period of [period] following the date of
collection, and for a maximum period of [period] following that date];
(b) [account data
will be retained for a minimum period of [period] following the date of
closure of the relevant account, and for a maximum period of [period]
following that date];
(c) [publication
data will be retained for a minimum period of [period] following the
date when the relevant publication ceases to be published on our website or
through our services, and for a maximum period of [period] following
that date];
(d) [enquiry data
will be retained for a minimum period of [period] following the date of
the enquiry, and for a maximum period of [period] following that date];
(e) [transaction
data will be retained for a minimum period of [period] following the
date of the transaction, and for a maximum period of [period] following
that date];
(f) [notification
data will be retained for a minimum period of [period] following the
date that we are instructed to cease sending the notifications, and for a
maximum period of [period] following that date (providing that we will
retain notification data insofar as necessary to fulfil any request you make to
actively suppress notifications)]; and
(g) [[data
category] will be retained for a minimum period of [period]
following [date], and for a maximum period of [period] following [date]].
[additional list items]
6.4 Notwithstanding
the other provisions of this Section 6, we may retain your personal data where
such retention is necessary for compliance with a legal obligation to which we
are subject, or in order to protect your vital interests or the vital interests
of another natural person.
7. Your rights
7.1 In this
Section 7, we have listed the rights that you have under data protection law.
7.2 Your principal
rights under data protection law are:
(a) the right to
access - you can ask for copies of your personal data;
(b) the right to
rectification - you can ask us to rectify inaccurate personal data and to
complete incomplete personal data;
(c) the right to
erasure - you can ask us to erase your personal data;
(d) the right to
restrict processing - you can ask us to restrict the processing of your
personal data;
(e) the right to
object to processing - you can object to the processing of your personal data;
(f) the right to
data portability - you can ask that we transfer your personal data to another
organisation or to you;
(g) the right to
complain to a supervisory authority - you can complain about our processing of
your personal data; and
(h) the right to
withdraw consent - to the extent that the legal basis of our processing of your
personal data is consent, you can withdraw that consent.
7.3 These rights
are subject to certain limitations and exceptions. You can learn more about the
rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
7.4 You may
exercise any of your rights in relation to your personal data [by written
notice to us, using the contact details set out below].
8. About cookies
8.1 A cookie is a
file containing an identifier (a string of letters and numbers) that is sent by
a web server to a web browser and is stored by the browser. The identifier is
then sent back to the server each time the browser requests a page from the
server.
8.2 Cookies may
be either "persistent" cookies or "session" cookies: a
persistent cookie will be stored by a web browser and will remain valid until
its set expiry date, unless deleted by the user before the expiry date; a
session cookie, on the other hand, will expire at the end of the user session,
when the web browser is closed.
8.3 Cookies do
not typically contain any information that personally identifies a user, but
personal data that we store about you may be linked to the information stored
in and obtained from cookies.
9. Cookies that we use
9.1 We use
cookies for the following purposes:
(a) [authentication
and status - we use cookies [to identify you when you visit our website and as
you navigate our website, and to determine if you are logged into the website][
(cookies used for this purpose are: [identify cookies])]];
(b) [personalisation
- we use cookies [to store information about your preferences and to
personalise the website for you][ (cookies used for this purpose are: [identify
cookies])]];
(c) [security -
we use cookies [as an element of the security measures used to protect user
accounts, including preventing fraudulent use of login credentials, and to
protect our website and services generally][ (cookies used for this purpose
are: [identify cookies])]];
(d) [advertising
- we use cookies [to help us to display advertisements that will be relevant to
you][ (cookies used for this purpose are: [identify cookies])]];
(e) [analysis -
we use cookies [to help us to analyse the use and performance of our website
and services][ (cookies used for this purpose are: [identify cookies])]];
and
(f) [cookie
consent - we use cookies [to store your preferences in relation to the use of
cookies more generally][ (cookies used for this purpose are: [identify
cookies])]].
[additional list items]
10. Cookies used by our service providers
10.1 Our service
providers use cookies and those cookies may be stored on your computer when you
visit our website.
10.2 We use Google
Analytics. Google Analytics gathers information about the use of our website by
means of cookies. The information gathered is used to create reports about the
use of our website. You can find out more about Google's use of information by
visiting https://www.google.com/policies/privacy/partners/
and you can review Google's privacy policy at https://policies.google.com/privacy.[
The relevant cookies are: [identify cookies].]
10.3 We use [identify
service provider] to [specify service]. This service uses cookies
for [specify purpose(s)]. You can view the privacy policy of this
service provider at [URL].[ The relevant cookies are: [identify
cookies].]
11. Managing cookies
11.1 Most browsers
allow you to refuse to accept cookies and to delete cookies. The methods for
doing so vary from browser to browser, and from version to version. You can
however obtain up-to-date information about blocking and deleting cookies via
these links:
(a) https://support.google.com/chrome/answer/95647
(Chrome);
(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
(Internet Explorer);
(e) https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website-data-sfri11471/mac
(Safari); and
[additional list items]
11.2 Blocking all
cookies will have a negative impact upon the usability of many websites.
11.3 If you block
cookies, you will not be able to use all the features on our website.
12. Amendments
12.1 We may update
this policy from time to time by publishing a new version on our website.
12.2 You should
check this page occasionally to ensure you are happy with any changes to this
policy.
12.3 We [may] OR
[will] notify you of [changes] OR [significant changes] to this policy [by
email].
13. Our details
13.1 This website
is owned and operated by [name].
13.2 We are
registered in [England and Wales] under registration number [number],
and our registered office is at [address].
13.3 Our principal
place of business is at [address].
13.4 You can
contact us:
(a) [by post, to
[the postal address given above]];
(b) [using our
website contact form];
(c) [by
telephone, on [the contact number published on our website]]; or
(d) [by email,
using [the email address published on our website]].
[additional list items]
14. Data protection officer
14.1 Our data
protection officer's contact details are: [contact details].
Free privacy policy: drafting notes
This is a website privacy policy template. It may
be used in relation to many different types of website.
The main purpose of a privacy policy is to help a
website operator to comply with information disclosure obligations under data
protection legislation. Across the EU, that means compliance with the General
Data Protection Regulation (GDPR). Within the UK, the Data Protection Act 2018
applies. Failure to comply with data protection legislation may lead to civil
liability and/or criminal law penalties.
This privacy policy is a shorter version of our
privacy and cookies policy document. That document is more flexible than this
policy, although at the cost of greater complexity.
To complete this template, you will need detailed
information about how you or your organisation uses personal data. For example,
you will need to know what personal data is processed, the purposes for which
that personal data is used, the persons or categories of persons to whom that
personal data may be disclosed and the periods for which that personal data
will be retained. You will also need to establish the legal bases of your
processing.
Separate rules regulate the provision of
information about cookies, and this document includes optional provisions
dealing with cookie-related disclosures. If you retain these provisions, you
will need to know the purposes for which cookies and similar technologies are
used on your website.
You should consider whether you need to take
specialist legal advice on data protection.
If you collect sensitive personal information (such
as information about a person's health, sexuality or political affiliations),
or if you collect personal information from children or about children, you
should always take advice before using this (or indeed any other) privacy
policy template. In any case, use of a privacy policy is only one aspect of data
protection compliance.
You can find out more about the information
disclosure requirements of data protection law with the following resources.
The GDPR -
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
European Data Protection Board (EDPB) guidance on
transparency -
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227
UK Information Commissioner's Office guidance on
the right to be informed -
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/
Section 1: Introduction
These introductory provisions may be used to draw
individuals' attention to some of the key issues addressed in the document.
Section 1.1
Optional element.
Section 1.2
"Personal data" is defined in Article
4(1) of the GDPR:
"'personal data' means any information
relating to an identified or identifiable natural person ('data subject'); an
identifiable natural person is one who can be identified, directly or indirectly,
in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person".
Section 1.3
Optional element.
The inclusion of this statement in your privacy
policy will not in itself satisfy the requirements of the Privacy and
Electronic Communications (EC Directive) Regulations 2003 as regards consent to
the use of cookies. Guidance concerning methods of obtaining such consent is
included on the Information Commissioner's website.
https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
Section 1.4
Optional element.
Section 1.5
Optional element.
Section 2: Credit
Section: Free documents licensing warning
Optional element. Although you need to retain the
credit, you should remove the inline copyright warning from this document
before use.
Section 3: How we use your personal data
The GDPR requires that controllers disclose to data
subjects detailed information about their processing of personal data.
Article 13(1) of the GDPR provides that:
"Where personal data relating to a data
subject are collected from the data subject, the controller shall, at the time
when personal data are obtained, provide the data subject with all of the
following information: ... (c) the purposes of the processing for which the
personal data are intended as well as the legal basis for the processing; (d) where
the processing is based on point (f) of Article 6(1), the legitimate interests
pursued by the controller or by a third party".
Article 14(1) of the GDPR provides that:
"Where personal data have not been obtained
from the data subject, the controller shall provide the data subject with the
following information: ... (c) the purposes of the processing for which the
personal data are intended as well as the legal basis for the processing; (d)
the categories of personal data concerned ...".
Article 14(2) of the GDPR, which also applies in
the case that the personal data have not been obtained from the data subject,
provides that:
"In addition to the information referred to in
paragraph 1, the controller shall provide the data subject with the following
information necessary to ensure fair and transparent processing in respect of
the data subject: ... (b) where the processing is based on point (f) of Article
6(1), the legitimate interests pursued by the controller or by a third party
... (f) from which source the personal data originate, and if applicable,
whether it came from publicly accessible sources ... ".
Article 6(1)(f) of the GDPR, which is referred to
in Articles 13 and 14, provides that:
"(1) Processing shall be lawful only if and to
the extent that at least one of the following applies: ... (f) processing is
necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which
require protection of personal data, in particular where the data subject is a
child."
As regards the identification of the source of
personal data in the case that the personal data is not obtained from the data
subject, the guidance from the European Data Protection Board states that:
"The specific source of the data should be
provided unless it is not possible to do so … . If the specific source is not
named then information provided should include: the nature of the sources (i.e.
publicly / privately held sources) and the types of organisation / industry /
sector."
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227
Note that, while Article 14 of the GDPR provides
that information about "the categories of personal data concerned"
must be supplied to data subjects, Article 13 does not include an equivalent
provision. Nonetheless, we have included references to general categories of
data in this document, because this facilitates the identification of particular
purposes of processing and the legal bases of processing - information which
does need to be provided under Article 13.
The UK Information Commissioner's Office website
provides useful guidance in relation to the selection of the legal bases for
processing:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
Section 3.2
Optional element.
Section 3.3
Optional element.
Section 3.4
Optional element.
Section 3.5
Optional element.
Section 3.6
Optional element.
Section 3.7
Optional element.
Section 3.8
Optional element. Use this form of provision to
identify and provide relevant information about other categories of personal
data that you may process.
Section 3.9
Optional element.
Section 3.10
Optional element.
Section 3.12
Optional element.
Section 4: Providing your personal data to others
Article 13(1)(e) of the GDPR requires that where
personal data are collected from the data subject, the data controller must provide
the data subject with information about "the recipients or categories of
recipients of the personal data".
Equivalent rules for data collected from someone
other than the data subject are in Article 14(1)(e).
Although the GDPR refers to "categories of
recipients", the guidance from the European Data Protection Board on this
subject states:
"The term 'recipient' is defined in Article
4.9 as 'a natural or legal person, public authority, agency or another body, to
which the personal data are disclosed, whether a third party or not' [emphasis
added]. As such, a recipient does not have to be a third party. Therefore,
other data controllers, joint controllers and processors to whom data is
transferred or disclosed are covered by the term 'recipient' and information on
such recipients should be provided in addition to information on third party
recipients. The actual (named) recipients of the personal data, or the
categories of recipients, must be provided. In accordance with the principle of
fairness, controllers must provide information on the recipients that is most
meaningful for data subjects. In practice, this will generally be the named
recipients, so that data subjects know exactly who has their personal data. If
controllers opt to provide the categories of recipients, the information should
be as specific as possible by indicating the type of recipient (i.e. by
reference to the activities it carries out), the industry, sector and
sub-sector and the location of the recipients."
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227
Section 4.1
Optional element.
Section 4.2
Optional element.
Section 4.3
Optional element.
Section 5: International transfers of your personal data
Optional element.
Article 13(1)(f) of the GDPR requires that data
controllers disclose to data subjects "where applicable, the fact that the
controller intends to transfer personal data to a third country or
international organisation and the existence or absence of an adequacy decision
by the Commission, or in the case of transfers referred to in Article 46
[transfers subject to appropriate safeguards] or 47 [binding corporate rules],
or the second subparagraph of Article 49(1) [limited transfers for compelling
legitimate interests], reference to the appropriate or suitable safeguards and
the means by which to obtain a copy of them or where they have been made
available".
The European Data Protection Board guidance on this
issue states:
"The relevant GDPR article permitting the
transfer and the corresponding mechanism ... should be specified. Information
on where and how the relevant document may be accessed or obtained should also
be provided e.g. by providing a link to the mechanism used. In accordance with
the principle of fairness, the information provided on transfers to third
countries should be as meaningful as possible to data subjects; this will
generally mean that the third countries be named."
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227
Section 5.2
Optional element.
Section 5.3
Optional element.
Section 5.4
Optional element. Will users have the opportunity
to publish personal information on the website?
Section 6: Retaining and deleting personal data
Article 5(1)(e) of the GDPR sets out the storage
limitation, one of the fundamental rules of the regime:
"Personal data shall be: ... kept in a form
which permits identification of data subjects for no longer than is necessary
for the purposes for which the personal data are processed; personal data may
be stored for longer periods insofar as the personal data will be processed
solely for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with Article 89(1)
subject to implementation of the appropriate technical and organisational
measures required by this Regulation in order to safeguard the rights and
freedoms of the data subject ... ".
Article 13(2) of the GDPR provides, in relation to
personal data collected from the data subject, that:
"... the controller shall, at the time when
personal data are obtained, provide the data subject with the following further
information necessary to ensure fair and transparent processing: (a) the period
for which the personal data will be stored, or if that is not possible, the
criteria used to determine that period ...".
Article 14(2) of the GDPR makes similar provision
in relation to personal data that is not collected from the data subject.
The European Data Protection Board guidance on this
issue states:
"This is linked to the data minimisation
requirement in Article 5.1(c) and storage limitation requirement in Article
5.1(e). The storage period (or criteria to determine it) may be dictated by
factors such as statutory requirements or industry guidelines but should be
phrased in a way that allows the data subject to assess, on the basis of his or
her own situation, what the retention period will be for specific data /
purposes. It is not sufficient for the data controller to generically state
that personal data will be kept as long as necessary for the legitimate
purposes of the processing. Where relevant, the different storage periods
should be stipulated for different categories of personal data and/or different
processing purposes, including where appropriate, archiving periods."
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227
Section 6.3
For guidance on setting retention periods, see:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/
Section 7: Your rights
Article 13(2) of the GDPR provides that, where
personal data is collected from a data subject, certain information about data
subject rights must be provided:
"In addition to the information referred to in
paragraph 1, the controller shall, at the time when personal data are obtained,
provide the data subject with the following further information necessary to
ensure fair and transparent processing: ... (b) the existence of the right to
request from the controller access to and rectification or erasure of personal
data or restriction of processing concerning the data subject or to object to
processing as well as the right to data portability; (c) where the processing
is based on point (a) of Article 6(1) or point (a) of Article 9(2), the
existence of the right to withdraw consent at any time, without affecting the
lawfulness of processing based on consent before its withdrawal; ...".
Similar provisions are set out in Article 14 in
relation to personal data which is not collected from the relevant data
subject.
The European Data Protection Board guidance on this
issue states:
"This information should be specific to the
processing scenario and include a summary of what the right involves and how
the data subject can take steps to exercise it and any limitations on the right
… . In particular, the right to object to processing must be explicitly brought
to the data subject's attention at the latest at the time of first communication
with the data subject and must be presented clearly and separately from any
other information."
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227
Section 8: About cookies
Optional element.
Under EU law, there are two additional requirements
in relation to the use of cookies and similar technologies, which apply
over-and-above the rules regulating the processing of personal data: a consent
requirement and an information disclosure requirement. The provisions of this
document relating to cookies are designed to aid compliance with the
information disclosure requirement.
This requirement derives from Article 5(3) of
Directive 2002/58/EC of the European Parliament and of the Council of 12 July
2002 concerning the processing of personal data and the protection of privacy
in the electronic communications sector (Directive on privacy and electronic
communications), which provides that:
"Member States shall ensure that the use of
electronic communications networks to store information or to gain access to
information stored in the terminal equipment of a subscriber or user is only
allowed on condition that the subscriber or user concerned is provided with
clear and comprehensive information in accordance with Directive 95/46/EC, inter
alia about the purposes of the processing, and is offered the right to refuse
such processing by the data controller. This shall not prevent any technical
storage or access for the sole purpose of carrying out or facilitating the
transmission of a communication over an electronic communications network, or
as strictly necessary in order to provide an information society service
explicitly requested by the subscriber or user."
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN
The requirement is implemented in the UK in the
Privacy and Electronic Communications (EC Directive) Regulations 2003. In its
current (amended) form, Regulation 6 states:
"(1) Subject to paragraph (4), a person shall
not store or gain access to information stored, in the terminal equipment of a
subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or
user of that terminal equipment - (a) is provided with clear and comprehensive
information about the purposes of the storage of, or access to, that
information; and (b) has given his or her consent.
(3) Where an electronic communications network is
used by the same person to store or access information in the terminal
equipment of a subscriber or user on more than one occasion, it is sufficient
for the purposes of this regulation that the requirements of paragraph (2) are
met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may
be signified by a subscriber who amends or sets controls on the internet
browser which the subscriber uses or by using another application or programme
to signify consent.
(4) Paragraph (1) shall not apply to the technical
storage of, or access to, information - (a) for the sole purpose of carrying out
the transmission of a communication over an electronic communications network;
or (b) where such storage or access is strictly necessary for the provision of
an information society service requested by the subscriber or user."
In their original form, these Regulations can be
found at:
http://www.legislation.gov.uk/uksi/2003/2426/made
Section 8.2
Optional element.
Section 8.3
Optional element.
Section 9: Cookies that we use
Optional element.
Section 10: Cookies used by our service providers
Does the website serve any third party cookies,
analytics cookies or tracking cookies to users?
Section 10.2
Optional element.
Section 10.3
Optional element.
Section 11: Managing cookies
Optional element.
Section 11.3
Optional element. Will the blocking of cookies have
a negative effect upon the use of the website from a user perspective?
Section 12: Amendments
Optional element.
Section 12.2
Optional element.
Section 12.3
Optional element. Will you contact users to notify
them of changes to this policy?
Contact us :- 99bloggingtimes@gmail.com

