
Personal Data Categories By Business Activity In The United Kingdom

This dataset helps you understand which types of personal data may be processed across common business activities, making it easier to assess privacy obligations and improve documentation. It is especially useful when creating or reviewing an AI Generated British Privacy Policy.

| Business Activity | Processing Activity | Personal Data Examples | Data Sensitivity Level | Processing Purpose | Disclosure Notes |
| --- | --- | --- | --- | --- | --- |
| Account management | Customer account registration | Name, email address, password, username, phone number | Medium | Create and manage user accounts | Explain account creation, authentication, required fields, and use of identity or hosting providers. |
| Account management | Customer profile management | Profile name, contact details, preferences, saved addresses, account settings | Medium | Personalise and administer customer accounts | Describe editable profile data, personalisation use, and service provider access. |
| Account management, Security | Login authentication | Email address, password hash, login time, IP address, device data | Medium | Verify user identity and protect accounts | Explain authentication logs, password security, and anti-abuse monitoring. |
| Account management, Security | Password reset | Email address, reset token, IP address, time stamp | Medium | Restore account access securely | State that reset links and security logs are used to prevent unauthorised access. |
| Account management, Security | Multi-factor authentication | Phone number, authenticator identifier, device ID, verification codes | Medium | Add account security verification | Identify MFA providers and explain use of phone or device data for verification. |
| Account management, Orders and payments | Subscription management | Name, email, plan type, renewal date, billing status | Medium | Administer paid or recurring services | Explain renewals, cancellations, billing communications, and payment platform sharing. |
| Account management | Preference centre management | Communication preferences, topic interests, consent records, opt-out status | Low | Record user choices and consent preferences | Explain preference recording and sharing with email or CRM platforms. |
| Customer support | Customer support enquiries | Name, email, account ID, enquiry content, support history | Medium | Respond to customer questions and issues | Describe helpdesk systems, internal access, and retention of support correspondence. |
| Customer support | Live chat support | Chat messages, name, email, IP address, browser data | Medium | Provide real-time customer assistance | Name chat providers and state whether transcripts are stored or reviewed. |
| Customer support | Telephone support | Phone number, call notes, account details, issue description | Medium | Handle support calls and follow-ups | Explain call handling, notes, telephony providers, and any call recording. |
| Customer support, Security, Legal administration | Call recording | Voice recording, phone number, call time, call content | High | Quality monitoring, training, dispute evidence | Disclose recording purposes, retention, access controls, and how callers are notified. |
| Customer support, Legal administration | Complaints handling | Complainant details, complaint content, evidence, correspondence | High | Investigate and resolve complaints | Explain escalation, professional adviser access, and disclosure to regulators if required. |
| Customer support, Service delivery | Product feedback surveys | Name, email, ratings, comments, usage opinions | Low | Improve products and customer experience | State whether feedback is anonymous, published, or shared with survey providers. |
| Orders and payments | Online orders | Name, email, delivery address, order items, order number | Medium | Process and fulfil customer orders | Explain order processing, confirmation emails, fulfilment partners, and retention for records. |
| Orders and payments | Payment processing | Billing name, billing address, payment token, transaction ID, card last four digits | High | Take and verify customer payments | Identify payment processors and avoid implying full card data is stored unless true. |
| Orders and payments, Legal administration | Invoicing | Name, business name, billing address, VAT number, transaction details | Medium | Issue invoices and keep tax records | Explain accounting records, tax compliance, accountants, and HMRC disclosure where required. |
| Orders and payments, Customer support | Refunds and returns | Order number, payment reference, return reason, address, correspondence | Medium | Process refunds, exchanges, and returns | Describe sharing with payment processors, couriers, and customer support teams. |
| Orders and payments, Service delivery | Delivery and shipping | Recipient name, postal address, phone number, delivery instructions | Medium | Deliver goods or service materials | Identify courier or fulfilment sharing and any delivery tracking communications. |
| Orders and payments, Security, Legal administration | Fraud screening | Name, address, payment data, IP address, device data, risk scores | High | Detect and prevent fraud | Explain fraud checks, automated scoring if used, and sharing with fraud prevention agencies. |
| Orders and payments, Legal administration | Debt recovery | Contact details, unpaid balances, invoices, payment history, correspondence | High | Recover unpaid amounts | Disclose sharing with debt collection agencies, solicitors, courts, or credit reference agencies if applicable. |
| Service delivery | Service onboarding | Name, email, role, organisation, onboarding responses | Medium | Set up access and configure services | Explain onboarding forms, access setup, and use of project or CRM tools. |
| Service delivery, Legal administration | Contract performance | Contact details, service requirements, correspondence, deliverables | Medium | Provide contracted services | Link data use to service provision and identify subcontractors or platform providers. |
| Service delivery, Customer support | Appointment booking | Name, email, phone number, appointment time, booking notes | Medium | Schedule and manage appointments | Disclose booking platforms, reminders, cancellation handling, and calendar integrations. |
| Service delivery | Document generation services | Questionnaire answers, names, addresses, business details, document content | High | Generate requested legal or business documents | Explain user input processing, AI or automation use, storage, and confidentiality safeguards. |
| Service delivery, Security | AI prompt processing | Prompt text, uploaded content, user ID, generated outputs, usage logs | High | Provide AI-assisted outputs and monitor misuse | Disclose AI providers, whether prompts are retained or used for training, and user precautions. |
| Service delivery, Account management | Service usage analytics | User ID, feature use, session events, device data, timestamps | Medium | Measure and improve service performance | Explain analytics tools, pseudonymisation, cookie use, and opt-out choices where available. |
| Account management | Email marketing | Email address, name, marketing preferences, engagement data | Medium | Send promotional or informational emails | Explain consent or soft opt-in, unsubscribe links, and email platform tracking. |
| Account management | SMS marketing | Mobile number, name, opt-in status, message history | Medium | Send promotional text messages | State consent basis, opt-out method, message providers, and frequency expectations. |
| Customer support, Service delivery | Website contact forms | Name, email, phone number, message content, IP address | Medium | Receive and respond to enquiries | Explain routing to CRM, email, spam filtering, and response handling. |
| Recruitment | Recruitment applications | CV, cover letter, contact details, employment history, qualifications | High | Assess suitability for roles | Explain applicant tracking systems, hiring manager access, and unsuccessful applicant retention. |
| Recruitment | Interview scheduling | Name, email, phone number, availability, interview notes | Medium | Arrange and conduct interviews | Mention calendar tools, interview panels, video platforms, and recording if used. |
| Recruitment, Legal administration | Right to work checks | Passport details, immigration status, date of birth, share code, copies of documents | High | Verify legal right to work in the UK | Explain statutory checks, document retention, and possible Home Office verification. |
| Recruitment | Employment references | Referee contact details, role history, performance comments, dates of employment | High | Verify candidate background and experience | State when references are sought, who is contacted, and how reference data is used. |
| Recruitment, Legal administration | Criminal record checks | Identity details, DBS certificate information, criminal offence data | High | Assess role suitability and safeguarding risk | Disclose DBS checks only where relevant, lawful basis, access restrictions, and retention limits. |
| Recruitment, Legal administration | Equality monitoring in recruitment | Age range, sex, ethnicity, disability status, religion, sexual orientation | High | Monitor equal opportunities | Explain voluntary collection, separation from selection decisions, and aggregated reporting. |
| Events | Event registration | Name, email, organisation, ticket type, attendance preferences | Medium | Register attendees and manage event access | Name ticketing platforms and explain attendee communications and badge details. |
| Events | Event dietary requirements | Dietary needs, allergy information, accessibility requests, attendee name | High | Provide safe and accessible event arrangements | Warn that some dietary or accessibility data may reveal health or religious information. |
| Events | Event photography | Images, video, name tags, speaker details, audience participation | Medium | Record and promote events | Explain photography notices, publication channels, opt-out zones, and consent for close-up promotional use. |
| Events, Service delivery | Webinar hosting | Name, email, attendee logs, questions, chat messages, recording | Medium | Deliver online events and training | Identify webinar platforms and state whether recordings, chats, and attendance reports are retained. |
| Security, Events | Premises visitor logs | Visitor name, organisation, host, arrival time, departure time, vehicle registration | Medium | Manage site access and safety | Explain visitor log retention, building management access, and emergency use. |
| Security | CCTV monitoring | Video images, time, location, vehicle registration, incident footage | High | Protect premises, staff, visitors, and assets | Disclose CCTV locations, signage, retention, access controls, and police disclosure routes. |
| Security | Access control systems | Name, access card ID, entry logs, role, location, time stamps | Medium | Control access to systems or premises | Explain access logs, monitoring, administrators, and security incident use. |
| Security | Biometric access control | Fingerprint template, facial template, access logs, user ID | High | Verify identity for secure access | Explain biometric necessity, alternatives, template storage, and special category safeguards. |
| Security | Network security monitoring | IP address, device identifiers, login logs, traffic metadata, alerts | High | Detect threats and protect systems | Describe security logging, monitoring tools, retention, and incident response sharing. |
| Security, Service delivery | Website cookies | Cookie IDs, device data, session IDs, preferences, analytics events | Medium | Operate, secure, and analyse websites | Provide cookie purposes, consent controls, third-party cookies, and retention periods. |
| Security, Legal administration | Security incident response | Affected user details, incident logs, breach evidence, communications | High | Investigate, contain, and report incidents | Explain possible disclosure to ICO, affected individuals, IT providers, insurers, and law enforcement. |
| Legal administration, Customer support | Data subject rights requests | Requester identity, correspondence, request details, response records | High | Handle UK GDPR rights requests | Explain identity verification, response process, exemptions, and record keeping. |
| Legal administration | Legal claims management | Claimant details, evidence, correspondence, contracts, witness information | High | Establish, exercise, or defend legal claims | Disclose sharing with solicitors, insurers, courts, experts, and counterparties. |
| Legal administration | Regulatory compliance records | Contact details, compliance evidence, audit trails, declarations, policy acknowledgements | High | Meet legal and regulatory obligations | Identify regulators, auditors, advisers, and statutory retention duties where applicable. |
| Legal administration, Service delivery | Supplier contact management | Business contact name, work email, phone number, role, correspondence | Low | Manage supplier relationships and contracts | Explain business contact processing, procurement systems, and adviser access. |
| Legal administration | Insurance administration | Policyholder details, claim details, incident reports, health or injury information | High | Arrange insurance and manage claims | Disclose sharing with insurers, brokers, loss adjusters, medical experts, and solicitors. |
| Legal administration | Company secretarial records | Director names, service addresses, shareholdings, signatures, meeting minutes | Medium | Maintain statutory company records | Explain Companies House filings, public registers, advisers, and corporate record retention. |
| Legal administration, Security | Safeguarding reports | Names, incident details, welfare concerns, health information, family details | High | Protect children or vulnerable people | Explain safeguarding disclosures to local authorities, police, schools, or care bodies where lawful. |
| Account management, Security, Legal administration | Age verification | Date of birth, age range, identity document, verification result | High | Restrict age-gated services or content | Explain age checks, verification providers, minimisation, and child privacy safeguards. |

What Personal Data Should A UK Privacy Policy Cover?

A UK privacy policy should map each business activity to the personal data actually used, not just list broad labels such as contact details. The dataset shows that account management, orders, support, service delivery, recruitment, events, security, and legal administration commonly involve different data types, purposes, and disclosures.

Which Activities Usually Need Extra Care?

  • Recruitment, accessibility, health, safeguarding, fraud prevention, CCTV, biometrics, and legal claims often involve high-sensitivity data or special category/criminal offence data under UK GDPR and the Data Protection Act 2018.
  • Payments, identity checks, security logs, complaints, and debt recovery may involve financial, fraud, or dispute data and should explain retention, recipients, and security safeguards clearly.
  • Marketing, analytics, cookies, call recording, and event photography need specific transparency about tracking, consent where required, and opt-out rights.

What Disclosures Are Most Useful In A Privacy Policy?

  • State the processing purpose for each activity, such as fulfilling orders, providing support, assessing candidates, or maintaining security.
  • Name the categories of recipients, such as payment processors, delivery partners, hosting providers, background-check providers, professional advisers, insurers, and law enforcement where relevant.
  • Flag whether data may be special category data, criminal offence data, or data collected through monitoring technologies such as CCTV, cookies, access logs, or call recordings.
  • For UK users, make sure the privacy policy aligns with transparency duties under UK GDPR Article 13, the Data Protection Act 2018, and cookie rules under PECR.

FAQs

It is a reference page showing common types of personal data collected by different UK business activities, helping organisations prepare accurate privacy policies.