HR training, conferences, webinars and events

Model Privacy Notice Data Collection Form

Mock Up: GDPR Privacy Policy

A model form created by PG to gather information to create a GDPR Privacy Policy
  • Data controller

    A controller determines the purposes and means of processing personal data - this is likely to be your company.

    Data Protection Officer

    Under the GDPR, you must appoint a DPO if:
    - you are a public authority (except for courts acting in their judicial capacity);
    - your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
    - your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

  • The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. For example name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.

    You will need to conduct an audit of the data you process for employees and replace the model answer below with your own information.

  • The GDPR refers to sensitive personal data as ‘special categories of personal data’ (as explained in Article 9 of GDPR). The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Other examples include racial and ethnic origin, sexual orientation, health data, trade union membership, political opinions, religious or philosophical beliefs.
  • The notice must include a description of all the purposes for which the personal data will be processed. It is advisable to keep the description of the purposes as broad as possible, whilst ensuring that it is accurate and not misleading. If a purpose is missed out, the personal data may not, in most cases, be used for that purpose without reissuing the data privacy notice, setting out the new purpose, processing condition and other relevant information. This does not mean that you can include in the notice every possible purpose; the purposes included must be reasonably foreseeable.

    NB "Process" - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • YOU NEED TO IDENTIFY ONE LAWFUL BASIS FOR EACH PURPOSE OF PROCESSING. TICK MORE THAN ONE BOX, IF MORE THAN ONE APPLIES BUT INDICATE WHICH PURPOSE IT REFERS TO. Please select:
  • IF YOU PROCESS SPECIAL CATEGORIES OF DATA, YOU MUST SATISFY AT LEAST ONE CONDITION UNDER ARTICLE 6 AND AT LEAST ONE CONDITION UNDER ARTICLE 9 AS LISTED BELOW. IGNORE THIS SECTION IF YOU DO NOT PROCESS SPECIAL CATEGORIES OF DATA. TICK MORE THAN ONE BOX, IF MORE THAN ONE APPLIES BUT INDICATE WHICH PURPOSE IT REFERS TO.
  • Your personal data will be treated as strictly confidential, and will be shared only with (see below):
  • Whether personal data is transferred outside of the EEA and if so, details of the safeguards that are in place to protect the security of the data.
  • You need to include either a specific period of data retention or alternatively, you need to provide the criteria that can be used to determine how long you retain personal data.
  • Disclose why you need to process the individual’s personal data. Also explain what the implications will be if you don’t process the personal data.
  • This clause explains a data subjects rights in relation to their personal data. These are mandatory terms under GDPR. The only term that you are allowed to remove if it does not apply, is this one: [The right to withdraw your consent to the processing at any time, where CONSENT was your lawful basis for processing the data]
  • Please amend suggested text to suit your situation.
  • Please amend as appropriate.
  • Please amend as appropriate.
  • To exercise all relevant rights, queries or complaints please in the first instance contact our [DATA PROTECTION OFFICER/OUR DATA REPRESENTATIVE] on [INSERT CONTACT DETAILS]. If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.