Docaro

UK Privacy Policy Clause Catalogue

Explore a structured catalogue of UK privacy policy clauses to compare wording, improve compliance drafting, and support faster document creation. For more resources, visit AI Generated British Privacy Policy.
| Category | Clause Name | Purpose | Typical Requirement Level | Relevant Use Cases | Drafting Notes |
|---|---|---|---|---|---|
| Controller identity | Controller Identity And Contact Details | Identifies who decides how and why personal data is used. | Usually required | All UK websites, apps, employers, charities and public bodies. | Include legal name, trading name, registered address, email and company number where relevant. |
| Controller identity | Data Protection Officer Contact Details | Gives users a direct contact for data protection questions. | Situational | Public authorities, large-scale monitoring, special category processing and regulated sectors. | Do not name an individual unless stable and necessary; a role email is often better. |
| Controller identity | UK Representative Details | Names a UK representative for overseas organisations subject to UK GDPR. | Situational | Non-UK SaaS, ecommerce, apps or services offering goods to UK users. | Check Article 27 exemptions and include representative contact details if required. |
| Controller identity | Joint Controller Arrangement | Explains shared controller responsibilities and user contact points. | Situational | Partnerships, co-branded services, events, group platforms and research collaborations. | Summarise the essence of the Article 26 arrangement and rights handling. |
| Controller identity | Processor Role Explanation | Clarifies when the organisation handles data only for a customer controller. | Situational | SaaS vendors, payroll providers, hosting services and outsourced support providers. | Separate processor activities from the organisation’s own controller activities. |
| Lawful basis | Lawful Bases For Processing | Explains the legal reasons relied on for each processing purpose. | Usually required | All organisations processing personal data. | Map each purpose to Article 6 lawful bases; avoid listing unused bases. |
| Lawful basis | Contract Necessity Basis | Covers processing needed to provide requested goods or services. | Often required | Online shops, subscriptions, bookings, client services and customer accounts. | Use only where processing is objectively necessary for the contract or pre-contract steps. |
| Lawful basis | Legal Obligation Basis | Covers processing required by UK law. | Often required | Employers, accountants, regulated businesses, tax records and statutory reporting. | Identify the type of legal duty, such as tax, employment or anti-money laundering. |
| Lawful basis | Legitimate Interests Basis | Explains business interests relied on where rights do not override them. | Often required | Fraud prevention, analytics, service improvement, B2B marketing and network security. | Name the interests and ensure a legitimate interests assessment supports them. |
| Lawful basis | Consent Basis And Withdrawal | Explains where consent is used and how users can withdraw it. | Situational | Marketing opt-ins, non-essential cookies, special category consent and optional features. | Consent must be specific, informed, freely given and as easy to withdraw as to give. |
| Lawful basis | Vital Interests Basis | Covers processing needed to protect someone’s life. | Situational | Emergency response, safeguarding, healthcare support and crisis incidents. | Use narrowly; it rarely applies to routine commercial processing. |
| Lawful basis | Public Task Basis | Covers processing needed for official functions or public powers. | Situational | Councils, regulators, schools, NHS bodies and contractors exercising public functions. | Identify the public function or statutory power relied on. |
| Lawful basis | Special Category Data Conditions | Explains additional conditions for sensitive personal data. | Situational | Healthcare, HR, diversity monitoring, biometrics, religion, politics and trade unions. | State both the Article 6 basis and Article 9 condition; add DPA 2018 condition where needed. |
| Lawful basis | Criminal Offence Data Conditions | Explains conditions for criminal convictions, offences and related security checks. | Situational | Employers, vetting providers, care services, schools and regulated roles. | Identify official authority or a DPA 2018 Schedule 1 condition. |
| Data categories | Categories Of Personal Data Collected | Lists the types of personal data collected and used. | Usually required | All organisations collecting customer, user, staff or supplier data. | Group data clearly, such as identity, contact, payment, technical and usage data. |
| Data categories | Sources Of Personal Data | Explains whether data comes from users, third parties or public sources. | Often required | Lead generation, recruitment, credit checks, referrals and data brokers. | Article 14 notices need source details where data was not obtained from the individual. |
| Data categories | How Personal Data Is Collected | Describes forms, accounts, transactions, communications and automated collection. | Often required | Websites, mobile apps, ecommerce, CRM systems and customer support channels. | Mention direct collection and passive collection, including device and usage data. |
| Data categories | Children’s Personal Data | Explains collection and protection of data about children. | Situational | Edtech, games, apps, schools, childcare, youth charities and family services. | Use child-friendly wording where services target children; consider the Children’s Code. |
| Data categories | Employee And Recruitment Data | Covers applicant, worker, payroll, performance and HR data. | Situational | Employers, recruiters, staffing platforms and HR software providers. | Consider a separate staff privacy notice for detailed employment processing. |
| Data categories | Payment And Transaction Data | Explains use of billing, payment status and purchase history data. | Often required | Ecommerce, subscriptions, marketplaces, charities and paid services. | State whether card data is handled directly or by a payment processor. |
| Data categories | Technical And Usage Data | Covers IP addresses, device data, logs, analytics and browsing behaviour. | Often required | Websites, SaaS platforms, apps, analytics tools and security monitoring. | Align with cookie, analytics, security and retention clauses. |
| Data sharing | Recipients Of Personal Data | Identifies categories of people or organisations data is shared with. | Usually required | All organisations using suppliers, professional advisers or public authorities. | Use specific recipient categories; name recipients where transparency requires it. |
| Data sharing | Service Providers And Processors | Explains sharing with suppliers that process data on instructions. | Often required | Hosting, email, CRM, payroll, support, cloud storage and analytics suppliers. | Ensure Article 28 processor contracts exist; do not describe processors as independent controllers. |
| Data sharing | Group Company Sharing | Explains sharing within a corporate group for administration or services. | Situational | Company groups, franchises, shared service centres and multinational businesses. | Clarify controllers, purposes, jurisdictions and transfer safeguards. |
| Data sharing | Professional Advisers And Insurers | Covers disclosure to lawyers, accountants, auditors, banks and insurers. | Often required | Most businesses, charities, landlords, professional services and regulated entities. | Explain disclosure for advice, audit, banking, insurance, claims and compliance. |
| Data sharing | Regulators And Public Authorities | Explains disclosure where required by law or regulatory request. | Often required | Regulated firms, employers, charities, tax reporting and law enforcement requests. | Avoid implying routine disclosure if sharing is only occasional or legally compelled. |
| Data sharing | Business Sale Or Reorganisation Sharing | Covers disclosure during mergers, acquisitions, asset sales or restructuring. | Situational | Companies seeking investment, sale, merger, insolvency or corporate restructuring. | Limit disclosure to due diligence and transaction purposes with confidentiality controls. |
| Data sharing | Third Party Platform Sharing | Explains data sharing with marketplaces, social platforms or integrations. | Situational | Marketplace sellers, booking platforms, social login, embedded widgets and app integrations. | Clarify whether the third party is a controller, processor or joint controller. |
| International transfers | International Data Transfers | Explains if personal data is transferred outside the UK. | Often required | Cloud services, global groups, offshore support, SaaS, analytics and remote teams. | State countries or regions where possible and identify the transfer mechanism. |
| International transfers | UK Adequacy Regulation Transfers | Explains transfers to countries approved as providing adequate protection. | Situational | Transfers to countries covered by UK adequacy regulations. | Check current UK adequacy status before naming a country as adequate. |
| International transfers | IDTA Or UK Addendum Transfers | Explains contractual safeguards for restricted transfers from the UK. | Situational | US cloud providers, offshore support, global SaaS and non-adequate country transfers. | Use the UK IDTA or UK Addendum and consider transfer risk assessments. |
| International transfers | Binding Corporate Rules Transfers | Explains intra-group transfers protected by approved corporate rules. | Situational | Multinational groups with approved UK binding corporate rules. | Only reference BCRs if they are approved and apply to the transfer. |
| International transfers | International Transfer Exceptions | Explains limited derogations for occasional restricted transfers. | Situational | One-off user-requested transfers, legal claims or explicit consent situations. | Use Article 49 exceptions sparingly; they are not for routine large-scale transfers. |
| Retention | Data Retention Periods | Explains how long personal data is kept and why. | Usually required | All organisations storing personal data. | Use specific periods where possible; otherwise state clear retention criteria. |
| Retention | Account Data Retention | Explains how long account and profile data is kept. | Often required | Membership sites, SaaS platforms, ecommerce accounts and online communities. | Address inactive accounts, closure requests, backups and fraud or dispute holds. |
| Retention | Marketing Data Retention | Explains retention of subscriber, preference and suppression data. | Often required | Email newsletters, SMS marketing, CRM lists and lead generation. | Keep suppression records to avoid contacting users who opted out. |
| Retention | Financial And Tax Record Retention | Explains retention of invoices, payments and accounting records. | Often required | Companies, sole traders, charities, ecommerce and paid services. | Companies commonly keep accounting records for at least six years under UK requirements. |
| Retention | Legal Claims Retention | Explains keeping records while disputes or legal claims may arise. | Often required | Customer services, contracts, HR, complaints, professional services and insurance. | Align with limitation periods and document hold processes. |
| Retention | Deletion And Anonymisation | Explains deletion, anonymisation and backup handling at end of retention. | Often required | All organisations with retention schedules, backups or archived systems. | Anonymised data must not identify individuals; explain backup deletion timing if relevant. |
| Data subject rights | Your Data Protection Rights | Summarises rights available to individuals under UK data protection law. | Usually required | All UK privacy policies. | List rights accurately and explain they may be subject to legal limits. |
| Data subject rights | Right Of Access | Explains how users can request a copy of their personal data. | Usually required | All controllers receiving subject access requests. | Give request route and note identity checks and statutory response times. |
| Data subject rights | Right To Rectification | Explains how users can correct inaccurate or incomplete data. | Usually required | All controllers holding user, customer, staff or account data. | Explain that disputed accuracy may lead to restriction while checked. |
| Data subject rights | Right To Erasure | Explains when users can ask for personal data to be deleted. | Usually required | All controllers, especially apps, accounts, marketing lists and communities. | Mention legal, contractual and claims-related reasons deletion may be refused or delayed. |
| Data subject rights | Right To Restrict Processing | Explains when users can ask processing to be limited. | Usually required | All controllers handling rights requests or disputed data. | Clarify that storage may continue while other uses are paused. |
| Data subject rights | Right To Data Portability | Explains when users can receive or transfer their data in reusable format. | Usually required | Digital services, apps, SaaS, accounts, subscriptions and user-upload platforms. | Applies mainly to consent or contract data processed by automated means. |
| Data subject rights | Right To Object | Explains objection rights, including objections to direct marketing. | Usually required | Marketing, profiling, legitimate interests and public task processing. | Direct marketing objections must be honoured; other objections require balancing unless exempt. |
| Data subject rights | Automated Decision-Making And Profiling Rights | Explains rights where significant decisions are made solely by automated means. | Situational | Credit scoring, recruitment screening, insurance pricing, fraud tools and eligibility checks. | If used, explain logic, significance, consequences and safeguards in plain English. |
| Data subject rights | How To Exercise Rights | Tells users how to submit privacy rights requests. | Usually required | All controllers with email, forms, dashboards or support channels. | Include contact method, identity verification and possible extension for complex requests. |
| Data subject rights | Withdrawal Of Consent | Explains how users can withdraw consent-based processing. | Situational | Marketing consent, cookie consent, optional features and special category consent. | Withdrawal must not affect processing already carried out lawfully before withdrawal. |
| Cookies and tracking | Cookies And Similar Technologies | Explains use of cookies, pixels, SDKs and similar tracking tools. | Often required | Most websites, apps, ecommerce, analytics and advertising-funded services. | Coordinate with cookie banner and cookie policy; cover non-cookie tracking too. |
| Cookies and tracking | Strictly Necessary Cookies | Explains cookies needed for core site functions and requested services. | Often required | Login, shopping cart, security, load balancing and user-requested settings. | Do not over-classify analytics or advertising cookies as strictly necessary. |
| Cookies and tracking | Analytics Cookies | Explains tracking used to measure visits, performance and user behaviour. | Often required | Websites using Google Analytics, product analytics, heatmaps or app analytics. | Non-essential analytics generally need consent under PECR unless a narrow exemption applies. |
| Cookies and tracking | Advertising And Retargeting Cookies | Explains tracking for personalised ads, retargeting and campaign measurement. | Situational | Ecommerce, publishers, lead generation, social ads and affiliate marketing. | Obtain consent before setting non-essential advertising cookies or pixels. |
| Cookies and tracking | Cookie Consent And Preference Controls | Explains how users accept, reject or change cookie choices. | Often required | Sites using analytics, advertising, embedded media or preference cookies. | Reject options should be as accessible as accept options; record consent choices. |
| Cookies and tracking | Cookie List And Duration Table | Lists cookie names, providers, purposes and expiry periods. | Often required | Websites using multiple first-party or third-party cookies. | Keep the table current after tag manager or marketing tool changes. |
| Cookies and tracking | Social Media Plugins And Pixels | Explains tracking and data sharing through social widgets and pixels. | Situational | Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, social login and share buttons. | Address consent, joint controller issues and links to platform privacy notices. |
| Cookies and tracking | Email Tracking Technologies | Explains pixels and link tracking in marketing or service emails. | Situational | Newsletters, CRM campaigns, sales outreach and product notifications. | Explain opens, clicks, profiling and opt-out or preference choices. |
| Security | Security Measures | Explains technical and organisational measures protecting personal data. | Usually required | All controllers and processors storing or transmitting personal data. | Describe measures generally without exposing sensitive security details. |
| Security | Access Controls And Confidentiality | Explains limiting data access to authorised people with confidentiality duties. | Often required | Employers, SaaS, support teams, healthcare, finance and professional services. | Mention role-based access, staff training and confidentiality where accurate. |
| Security | Encryption And Secure Transmission | Explains encryption or secure transmission used to protect data. | Often required | Online forms, payment flows, cloud storage, laptops and remote access. | Only claim encryption where actually implemented; avoid absolute security promises. |
| Security | Personal Data Breach Handling | Explains how security incidents involving personal data are managed. | Optional | Organisations handling sensitive, financial, account, health or large-scale data. | Do not promise notice for every incident; UK GDPR notification depends on risk. |
| Security | User Account Security Responsibilities | Reminds users to protect passwords and account credentials. | Situational | Online accounts, SaaS, memberships, marketplaces and customer portals. | Keep distinct from terms of use; avoid shifting controller security duties to users. |
| Security | Third Party Websites And Links | Explains that external websites have separate privacy practices. | Optional | Websites linking to partners, social media, advertisers or embedded services. | Do not use as a substitute for explaining embedded third-party tracking. |
| Complaints | Right To Complain To The ICO | Tells users they can complain to the UK data protection regulator. | Usually required | All UK privacy policies and notices. | Include ICO website, phone or postal details and encourage contacting the organisation first. |
| Complaints | How To Raise A Privacy Complaint | Explains how users can raise privacy concerns with the organisation. | Often required | All organisations with customer support, DPO, compliance or legal teams. | Provide a clear email or form and avoid discouraging ICO complaints. |
| Controller identity | Changes To This Privacy Policy | Explains how updates to the privacy policy will be communicated. | Often required | Websites, apps, SaaS platforms and organisations with changing services. | State effective date and consider direct notice for material processing changes. |
| Lawful basis | Direct Marketing Communications | Explains marketing emails, texts, calls, post and opt-out rights. | Often required | Retailers, SaaS, newsletters, charities, B2B sales and event organisers. | Align UK GDPR lawful basis with PECR consent or soft opt-in rules. |
| Lawful basis | Customer Soft Opt-In Marketing | Explains marketing to existing customers about similar products or services. | Situational | Ecommerce, paid SaaS, bookings and businesses marketing similar services to customers. | Only use if PECR conditions are met, including opt-out at collection and each message. |
| Lawful basis | Profiling For Personalisation | Explains use of data to infer preferences or personalise services. | Situational | Streaming, ecommerce recommendations, targeted content, loyalty schemes and ads. | Explain inputs, purpose, consequences and objection choices; assess fairness risks. |
| Lawful basis | Fraud Prevention And Security Monitoring | Explains processing to detect, prevent and investigate fraud or misuse. | Often required | Financial services, ecommerce, marketplaces, SaaS, ticketing and account platforms. | Identify data types, sharing with fraud agencies if applicable and legitimate interests. |
| Data categories | CCTV And Video Surveillance | Explains collection and use of images, audio or surveillance footage. | Situational | Retail premises, offices, landlords, venues, schools, care homes and workplaces. | Include purpose, retention, signage, access controls and audio recording justification. |
| Data categories | Call Recording And Monitoring | Explains recording or monitoring of calls and communications. | Situational | Call centres, financial services, customer support, sales teams and helplines. | State purposes such as training, evidence, compliance or quality monitoring. |
| Data categories | Location Data | Explains use of GPS, delivery, IP-derived or workplace location data. | Situational | Delivery apps, transport, field staff, maps, dating apps and local services. | Distinguish precise and approximate location; explain controls and background tracking. |
| Data categories | User-Generated Content Data | Explains processing of posts, reviews, comments, uploads and messages. | Situational | Forums, marketplaces, review sites, social apps and community platforms. | Explain visibility, moderation, deletion limits and data included in public content. |
| Data categories | Health And Medical Data | Explains collection and use of health-related personal data. | Situational | Clinics, wellness apps, employers, insurers, gyms and care providers. | State Article 9 condition, confidentiality safeguards and any professional duties. |
| Data categories | Biometric Data | Explains biometric identification data such as fingerprints or facial templates. | Situational | Access control, identity verification, fintech, security systems and attendance tools. | Explain necessity, alternatives, Article 9 condition and DPIA where high risk. |
| Data categories | Research And Survey Data | Explains use of survey responses, study data and feedback for research. | Situational | Universities, charities, market research, product research and public consultations. | Address anonymisation, consent, ethics approvals and special category data if relevant. |
| Data categories | AI Tools And Automated Processing | Explains use of personal data in AI systems, prompts, outputs or model features. | Situational | AI document tools, chatbots, recruitment AI, analytics, summarisation and recommendation systems. | State whether data trains models, is retained by vendors, or is used only to provide outputs. |
| Data categories | Chatbot And Live Chat Data | Explains processing of chat transcripts, support messages and bot interactions. | Situational | Customer support chat, AI assistants, sales chat and helpdesk integrations. | Warn users not to submit unnecessary sensitive data if chats are not designed for it. |
| Data categories | Data Minimisation Statement | Explains that only necessary personal data is requested or used. | Optional | Forms, onboarding, recruitment, health services and high-risk data collection. | Support with actual form design and avoid collecting optional data by default. |
| Data subject rights | Keeping Personal Data Accurate | Encourages users to update details and explains accuracy obligations. | Optional | Accounts, subscriptions, deliveries, HR records and regulated customer records. | Provide a practical update route rather than only stating the principle. |
| Controller identity | Who This Privacy Policy Applies To | Defines the people and activities covered by the privacy policy. | Often required | Businesses covering customers, website users, suppliers, applicants and visitors. | Do not mix unrelated audiences if separate notices would be clearer. |
| Data categories | Contact Form And Enquiry Data | Explains processing of enquiries, messages and contact details. | Often required | Websites with contact forms, quote requests, demos, bookings or support requests. | State response purpose, CRM storage and whether enquiries trigger marketing follow-up. |
| Data categories | Newsletter Subscription Data | Explains collection and use of email addresses for newsletters. | Situational | Blogs, ecommerce, SaaS, charities, events and professional services. | Explain opt-in method, unsubscribe link, analytics and mailing platform sharing. |
| Data categories | Providing Other People’s Data | Explains responsibilities when users provide data about someone else. | Situational | Bookings, referrals, emergency contacts, family accounts and employer submissions. | Explain that the provider should have authority and inform the other person where appropriate. |
| Data categories | If You Do Not Provide Personal Data | Explains consequences of not providing required personal data. | Often required | Contracts, accounts, age checks, payments, employment and regulated services. | Identify data needed by contract or law and the likely consequence of refusal. |
| Data categories | Age Assurance And Verification | Explains use of age checks to protect children or restrict services. | Situational | Online games, adult products, social platforms, gambling and age-restricted content. | Use proportionate checks and explain data shared with verification providers. |
| Retention | Complaint And Dispute Records | Explains retention of complaints, investigation notes and outcomes. | Often required | Customer services, regulated firms, healthcare, education, charities and employers. | Align retention with limitation periods, regulator expectations and evidence needs. |
| Data sharing | Sub-Processors | Explains onward use of sub-processors by a processor service provider. | Situational | SaaS, cloud hosting, payroll, email platforms and managed service providers. | Maintain a current sub-processor list and align with customer data processing agreements. |
| Data categories | Aggregated And Anonymised Data | Explains use of data that no longer identifies individuals. | Optional | Analytics, reporting, benchmarking, research, product improvement and public statistics. | Do not call data anonymous if re-identification remains reasonably likely. |
| Data sharing | Safeguarding And Welfare Disclosures | Explains sharing data to protect children or vulnerable people. | Situational | Schools, charities, healthcare, care providers, clubs and youth services. | Balance confidentiality with safeguarding duties; avoid requiring consent where inappropriate. |
| Data sharing | Legal Compliance Disclosures | Explains disclosures needed to comply with law, court orders or lawful requests. | Often required | All organisations that may receive official, legal or regulatory requests. | Distinguish legal obligation disclosures from voluntary sharing under legitimate interests. |
| Data sharing | Customer Instructions For Processor Services | Explains that customer data is processed under customer instructions. | Situational | B2B SaaS, IT providers, outsourced HR, payroll, storage and managed services. | Point end users to the customer controller’s privacy notice for controller decisions. |

What Clauses Should A UK Privacy Policy Usually Include?

Most UK privacy policies should identify the controller, describe the categories of personal data collected, explain the lawful bases used under UK GDPR, state who data is shared with, explain retention periods, and set out data subject rights and ICO complaint routes. These points are central to the transparency information expected by Articles 13 and 14 of the UK GDPR.

When Does A Privacy Policy Need Extra Clauses?

Additional clauses are commonly needed where an organisation uses cookies or similar tracking, transfers data outside the UK, processes children’s data, uses special category data, runs direct marketing, relies on consent, uses automated decision-making, or shares data with processors and group companies. These situations usually require more tailored wording rather than a short generic notice.

Why Is The Lawful Basis Clause So Important?

A UK privacy policy should link each main processing purpose to a lawful basis, such as contract, legal obligation, legitimate interests, consent, vital interests or public task. Where legitimate interests are used, the policy should identify the interests relied on. Where consent is used, the policy should explain withdrawal. This helps users understand why processing is permitted and supports accountability.

How Should UK Privacy Policies Handle Cookies And Tracking?

Non-essential cookies and similar technologies normally need clear information and consent under PECR before they are set. A privacy policy can summarise tracking practices, but detailed cookie names, purposes, durations and controls are often better placed in a linked cookie policy or consent platform notice.

What Should Be Checked Before Using A Template?

  • Map data first: match clauses to the organisation’s actual data categories, purposes, recipients and retention periods.
  • Avoid vague wording: phrases such as "we may use your data for business purposes" are unlikely to be sufficiently transparent.
  • Check high-risk processing: children’s data, special category data, profiling, international transfers and automated decisions require more precise drafting.
  • Keep contact routes current: controller details, DPO details where applicable, and ICO complaint information should be accurate and easy to find.

FAQs

A UK Privacy Policy Clause Catalogue is a structured list of common clauses used to build privacy policies for UK websites, apps and online services.
