
Privacy Policy (UK)

Privacy Policy

UK GDPR & Data Protection Act 2018

This Privacy Policy is issued by [Controller Name], [Controller Entity Type], with its registered or principal address at [Controller Address], [Controller City], [Controller County], [Controller Postcode], England (the "Data Controller", "we", "us", or "our").

This Privacy Policy applies to the website located at [Website URL] and the services described as [Service Description] (collectively, the "Service").

This Privacy Policy explains how we collect, use, store, share, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

This Privacy Policy takes effect on [Effective Date].

1. DATA CONTROLLER CONTACT DETAILS

1.1 The data controller responsible for your personal data is:

[Controller Name] (Companies House registration number: [Registration Number])

Address: [Controller Address], [Controller City], [Controller County], [Controller Postcode]

Email: [Controller Email]

Telephone: [Controller Phone]

2. PERSONAL DATA WE COLLECT

2.1 We may collect, use, store, and transfer the following categories of personal data about you:

[Data Categories]

2.2 We collect personal data through the following methods: directly from you when you provide information (such as completing forms, creating an account, or contacting us); automatically through your use of our Service (including cookies and similar technologies); and from third parties (such as analytics providers, advertising networks, and public databases).

2.3 Where we need to collect personal data by law or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.

3. LAWFUL BASIS FOR PROCESSING

3.1 Under UK GDPR Article 6, we will only process your personal data where we have a lawful basis to do so. The lawful bases on which we rely are:

[Lawful Basis]

3.2 Where we rely on legitimate interests as the lawful basis for processing your personal data, we have conducted a legitimate interests assessment to ensure that our interests are not overridden by your rights and freedoms. Our legitimate interests include: [Legitimate Interests]

3.3 Where we rely on consent as the lawful basis for processing, you have the right to withdraw your consent at any time by contacting us at [Controller Email]. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4. HOW WE USE YOUR PERSONAL DATA

4.1 We use your personal data for the following purposes:

  • to provide, maintain, and improve the Service;
  • to process and fulfil transactions, and send related information including purchase confirmations and invoices;
  • to register you as a new user and manage your account;
  • to communicate with you, including sending service-related notices and responding to your enquiries;
  • to send marketing communications where we have a lawful basis to do so (you may opt out at any time);
  • to comply with legal obligations, including tax reporting to HMRC;
  • to detect, prevent, and address fraud, security breaches, or other illegal activities;
  • to enforce our terms of service and protect our legal rights; and
  • to carry out data analytics to improve our Service, marketing, customer relationships, and user experience.

4.2 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.

5. DATA SHARING

5.1 We may share your personal data with the following categories of third-party recipients:

[Third-Party Recipients]

5.2 We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

5.3 We may also disclose your personal data if required to do so by law, court order, or regulatory authority, or if we reasonably believe that disclosure is necessary to protect our rights, property, or safety, or that of our users or the public.

6. DATA RETENTION

6.1 We will retain your personal data for [Retention Period], unless a longer or shorter retention period is required or permitted by law.

6.2 In determining the appropriate retention period, we apply the following criteria: [Retention Criteria]

6.3 In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

7. YOUR RIGHTS UNDER UK GDPR

7.1 Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right of access (Article 15): You have the right to request a copy of the personal data we hold about you. This is commonly known as a "subject access request" (SAR). We must respond within one month of receiving your request.
  • Right to rectification (Article 16): You have the right to request that we correct any personal data that is inaccurate or incomplete.
  • Right to erasure (Article 17): You have the right to request the deletion of your personal data in certain circumstances, such as where the data is no longer necessary for the purpose for which it was collected. This is also known as the "right to be forgotten".
  • Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data.
  • Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
  • Right to object (Article 21): You have the right to object to the processing of your personal data where we rely on legitimate interests as the lawful basis, or where we process your data for direct marketing purposes.
  • Rights related to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning you.

7.2 To exercise any of these rights, please contact us at [Controller Email] or write to us at our registered address. We will respond to your request within one month of receiving it, or within two months if the request is complex or we have received a number of requests. We will not charge a fee for responding to your request unless it is manifestly unfounded or excessive.

7.3 We may need to verify your identity before processing your request. If we cannot verify your identity, we may ask you to provide additional information.

8. DATA SECURITY

8.1 We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, as required by UK GDPR Article 32.

8.2 These measures include, where appropriate: encryption of personal data; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore access to personal data in a timely manner in the event of a physical or technical incident; and regular testing, assessment, and evaluation of the effectiveness of our technical and organisational measures.

8.3 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly in accordance with Article 34.

9. COMPLAINTS

9.1 If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO is the UK’s independent authority for data protection.

9.2 The ICO can be contacted at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: ico.org.uk

9.3 We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at [Controller Email] so that we may attempt to resolve the issue.

10. CHANGES TO THIS PRIVACY POLICY

10.1 We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or best practices. Any material changes will be communicated to you by posting the updated policy on our website with a revised effective date.

10.2 Where changes significantly affect your rights or the way we use your personal data, we will notify you by email (where we hold your email address) or by a prominent notice on our website prior to the changes taking effect.

10.3 We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

11. GOVERNING LAW

11.1 This Privacy Policy and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.

11.2 The courts of England and Wales shall have non-exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Privacy Policy.

This Privacy Policy was approved and authorised by:

Name: [Representative Name]

Title: [Representative Title]

Organisation: [Controller Name]

Data Controller Representative

________________

Signature

Date: ________________

Maintained by Vladislav Sergienko, Founder

What Is a Privacy Policy (UK)?

A Privacy Policy in the United Kingdom sets out the standards, responsibilities, and procedures an organisation follows when handling personal data, as regulated by the Data Protection Act 2018.

The UK GDPR was created when the European Union's General Data Protection Regulation was incorporated into domestic law following the UK's departure from the European Union on 31 January 2020. It was retained as part of UK law through the European Union (Withdrawal) Act 2018 and subsequently amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The Data Protection Act 2018 supplements the UK GDPR by providing additional provisions specific to the United Kingdom, including exemptions, enforcement powers of the Information Commissioner's Office (ICO), and special provisions for law enforcement and intelligence services processing.

Articles 13 and 14 of the UK GDPR require data controllers to provide data subjects with detailed information about how their personal data is processed at the time of collection (Article 13) or, where data is obtained from a third party, within a reasonable period (Article 14). This information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. A privacy policy is the primary mechanism through which organisations fulfil this transparency obligation.

In addition to the UK GDPR and the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR) impose further requirements regarding cookies, direct marketing by electronic means, and the security of electronic communications services. A thorough UK privacy policy should address all three legislative instruments to ensure full compliance.

The legal framework governing the Privacy Policy (UK) in United Kingdom draws on several key statutes and regulatory bodies. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Parties executing a Privacy Policy (UK) in United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The UK General Data Protection Regulation (UK GDPR) sets the foundational requirements.

When Do You Need a Privacy Policy (UK)?

A Privacy Policy is required whenever an organisation processes personal data of individuals in the United Kingdom. Under UK GDPR, personal data means any information relating to an identified or identifiable natural person, which includes names, email addresses, IP addresses, location data, and online identifiers. The processing of personal data covers virtually any operation performed on the data, including collection, recording, storage, retrieval, use, disclosure, and erasure.

You need a Privacy Policy if you operate a website or mobile application that collects any form of user data, whether directly through registration forms and contact forms or indirectly through cookies and analytics tools such as Google Analytics. Even if your website only uses basic analytics or a contact form, you are processing personal data and must comply with UK GDPR transparency requirements. The ICO has issued specific guidance confirming that IP addresses and cookie identifiers constitute personal data in many circumstances.

You also need a Privacy Policy if you operate an e-commerce business that processes customer names, addresses, payment information, and purchase history. Businesses that employ staff must also have a privacy policy addressing the processing of employee data, including payroll information, performance records, and health data.

Organisations that use social media advertising, email marketing, or customer relationship management (CRM) systems are processing personal data and require a privacy policy. Under PECR, if you send marketing emails, text messages, or make automated marketing calls, you must comply with specific consent and opt-out requirements that should be reflected in your privacy policy.

If your organisation processes special category data under UK GDPR Article 9 (such as health data, biometric data, or data revealing racial or ethnic origin), you must document the lawful basis and the specific condition under Article 9(2) and Schedule 1 of the Data Protection Act 2018 that applies. Healthcare providers, insurance companies, employers processing occupational health data, and organisations providing services to vulnerable individuals are particularly likely to process special category data and must address this in their privacy policy.

What to Include in Your Privacy Policy (UK)

A UK GDPR-compliant Privacy Policy must contain several essential elements prescribed by Articles 13 and 14 of the regulation, supplemented by ICO guidance and enforcement practice.

The identity and contact details of the data controller are the starting point. The controller must be clearly identified by name, registered address, and contact information. If the organisation has appointed a Data Protection Officer (DPO) under Article 37 (mandatory for public authorities, organisations conducting large-scale systematic monitoring, or organisations processing special category data on a large scale), the DPO's contact details must also be provided.

The purposes and lawful basis for processing must be stated for each processing activity. UK GDPR Article 6 provides six lawful bases: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. Where legitimate interests are relied upon, the specific interests must be identified and the organisation must confirm that a legitimate interests assessment has been conducted. Where consent is the lawful basis, the policy must explain how consent can be withdrawn.

The categories of personal data collected should be listed clearly, along with the sources from which data is obtained (whether directly from the data subject or from third parties). The recipients or categories of recipients of personal data must be identified, including third-party service providers, group companies, and regulatory authorities.

Data retention periods or the criteria used to determine them must be specified for each category of personal data. The ICO expects organisations to have a documented retention schedule and to be able to justify why they retain data for the period stated. The Limitation Act 1980, which sets a general six-year limitation period for contractual claims, is often referenced as a benchmark for retention of transactional data.

The privacy policy must set out the data subject rights available under UK GDPR: the right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restriction (Article 18), right to data portability (Article 20), right to object (Article 21), and rights related to automated decision-making (Article 22). The policy must also inform data subjects of their right to lodge a complaint with the ICO.

For organisations that transfer personal data outside the UK, the policy must identify the countries or organisations to which data is transferred and the safeguard mechanism used (UK adequacy regulations, International Data Transfer Agreement, binding corporate rules, or Article 49 derogations). Cookie information should address the types of cookies used, their purposes, and how users can manage their preferences, in compliance with PECR Regulation 6.

Additional compliance elements for a Privacy Policy (UK) used in the United Kingdom include the following. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Forms-legal.com provides this template as a starting point for United Kingdom-compliant documentation.

Sources & Citations

Statutory citations link to official government sources.

  1. GDPR Article 9 (EU GDPR)
  2. GDPR Article 6 (EU GDPR)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Privacy Policy (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/contracts/privacy-policy-uk

MLA

"Privacy Policy (UK) (United Kingdom)." Forms Legal, 2026, https://forms-legal.com/uk/business/contracts/privacy-policy-uk.

BibTeX
@misc{formslegal-privacy-policy-uk,
  author       = {{Forms Legal}},
  title        = {Privacy Policy (UK) (United Kingdom)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/uk/business/contracts/privacy-policy-uk}},
  note         = {Free legal document template. Based on UK General Data Protection Regulation (UK GDPR)}
}


Based on UK General Data Protection Regulation (UK GDPR) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.


Related Documents

You may also find these documents useful:

Terms of Service (UK)

Create a detailed Terms of Service for your UK website or online platform, drafted in compliance with the Consumer Rights Act 2015, Consumer Contracts Regulations 2013, Electronic Commerce Regulations 2002, and the Unfair Contract Terms Act 1977. This template covers company identification, service description, user registration, pricing and VAT, the 14-day consumer cancellation right, acceptable use, intellectual property, limitation of liability, termination, and dispute resolution. Fill out the form, preview instantly, and download as PDF or Word.

Non-Disclosure Agreement (NDA) (UK)

Protect your confidential business information in England and Wales with a legally sound Non-Disclosure Agreement. Whether you are sharing trade secrets with a prospective partner, disclosing proprietary technology to a developer, or presenting financial projections to a potential investor, a properly drafted UK NDA keeps your sensitive information under strict legal protection. Our template is drafted in accordance with English common law and incorporates the key provisions required for enforceability in England and Wales.

Consent Form (UK)

Create a general Consent Form for use in England and Wales. This versatile template covers medical consent, activity consent, data processing consent, photography consent, and research participation consent. Compliant with common law informed consent principles, the Mental Capacity Act 2005, the Children Act 1989, and UK GDPR Article 7. Includes risk and benefit disclosures, right to withdraw, capacity confirmation, parental consent for minors, and emergency contact information. Fill in the details and download as PDF or Word.

Service Agreement (UK)

Create a detailed UK service agreement governed by the laws of England and Wales. Covers the Consumer Rights Act 2015, Supply of Goods and Services Act 1982, Late Payment of Commercial Debts (Interest) Act 1998, UK GDPR, IR35, VAT, intellectual property, and confidentiality. Suitable for consultants, freelancers, agencies, and businesses of all sizes.

Employment Contract (England & Wales)

Hiring someone in England or Wales? You are legally required to give them a written statement of employment particulars on or before their first day of work. Our UK Employment Contract template meets all requirements of the Employment Rights Act 1996 and covers working hours, salary, holiday entitlement, notice periods, pension auto-enrolment, confidentiality, and optional restrictive covenants. Download as PDF or Word in minutes.