UK Privacy Policy Clause Catalogue
| Clause Name | Purpose | Typical Requirement Level | Relevant Use Cases | Drafting Notes |
|---|---|---|---|---|
| Controller identity | | | | |
| Controller Identity And Contact Details | Identifies who decides how and why personal data is used. | Usually required | All UK websites, apps, employers, charities and public bodies. | Include legal name, trading name, registered address, email and company number where relevant. |
| Data Protection Officer Contact Details | Gives users a direct contact for data protection questions. | Situational | Public authorities, large-scale monitoring, special category processing and regulated sectors. | Do not name an individual unless the appointment is stable and naming is necessary; a role-based email address is often better. |
| UK Representative Details | Names a UK representative for overseas organisations subject to UK GDPR. | Situational | Non-UK SaaS, ecommerce, apps or services offering goods to UK users. | Check Article 27 exemptions and include representative contact details if required. |
| Joint Controller Arrangement | Explains shared controller responsibilities and user contact points. | Situational | Partnerships, co-branded services, events, group platforms and research collaborations. | Summarise the essence of the Article 26 arrangement and how rights requests are handled. |
| Processor Role Explanation | Clarifies when the organisation handles data only for a customer controller. | Situational | SaaS vendors, payroll providers, hosting services and outsourced support providers. | Separate processor activities from the organisation’s own controller activities. |
| Lawful basis | | | | |
| Lawful Bases For Processing | Explains the legal reasons relied on for each processing purpose. | Usually required | All organisations processing personal data. | Map each purpose to an Article 6 lawful basis; avoid listing bases that are not actually used. |
| Contract Necessity Basis | Covers processing needed to provide requested goods or services. | Often required | Online shops, subscriptions, bookings, client services and customer accounts. | Use only where processing is objectively necessary for the contract or for pre-contract steps. |
| Legal Obligation Basis | Covers processing required by UK law. | Often required | Employers, accountants, regulated businesses, tax records and statutory reporting. | Identify the type of legal duty, such as tax, employment or anti-money laundering. |
| Legitimate Interests Basis | Explains business interests relied on where rights do not override them. | Often required | Fraud prevention, analytics, service improvement, B2B marketing and network security. | Name the interests and ensure a legitimate interests assessment supports them. |
| Consent Basis And Withdrawal | Explains where consent is used and how users can withdraw it. | Situational | Marketing opt-ins, non-essential cookies, special category consent and optional features. | Consent must be specific, informed, freely given and as easy to withdraw as to give. |
| Vital Interests Basis | Covers processing needed to protect someone’s life. | Situational | Emergency response, safeguarding, healthcare support and crisis incidents. | Use narrowly; it rarely applies to routine commercial processing. |
| Public Task Basis | Covers processing needed for official functions or public powers. | Situational | Councils, regulators, schools, NHS bodies and contractors exercising public functions. | Identify the public function or statutory power relied on. |
| Special Category Data Conditions | Explains additional conditions for sensitive personal data. | Situational | Healthcare, HR, diversity monitoring, biometrics, religion, politics and trade unions. | State both the Article 6 basis and the Article 9 condition; add the relevant DPA 2018 condition where needed. |
| Criminal Offence Data Conditions | Explains conditions for criminal convictions, offences and related security checks. | Situational | Employers, vetting providers, care services, schools and regulated roles. | Identify official authority or a DPA 2018 Schedule 1 condition. |
| Data categories | | | | |
| Categories Of Personal Data Collected | Lists the types of personal data collected and used. | Usually required | All organisations collecting customer, user, staff or supplier data. | Group data clearly, such as identity, contact, payment, technical and usage data. |
| Sources Of Personal Data | Explains whether data comes from users, third parties or public sources. | Often required | Lead generation, recruitment, credit checks, referrals and data brokers. | Article 14 notices need source details where data was not obtained from the individual. |
| How Personal Data Is Collected | Describes forms, accounts, transactions, communications and automated collection. | Often required | Websites, mobile apps, ecommerce, CRM systems and customer support channels. | Mention both direct collection and passive collection, including device and usage data. |
| Children’s Personal Data | Explains collection and protection of data about children. | Situational | Edtech, games, apps, schools, childcare, youth charities and family services. | Use child-friendly wording where services target children; consider the Children’s Code. |
| Employee And Recruitment Data | Covers applicant, worker, payroll, performance and HR data. | Situational | Employers, recruiters, staffing platforms and HR software providers. | Consider a separate staff privacy notice for detailed employment processing. |
| Payment And Transaction Data | Explains use of billing, payment status and purchase history data. | Often required | Ecommerce, subscriptions, marketplaces, charities and paid services. | State whether card data is handled directly or by a payment processor. |
| Technical And Usage Data | Covers IP addresses, device data, logs, analytics and browsing behaviour. | Often required | Websites, SaaS platforms, apps, analytics tools and security monitoring. | Align with the cookie, analytics, security and retention clauses. |
| Data sharing | | | | |
| Recipients Of Personal Data | Identifies categories of people or organisations data is shared with. | Usually required | All organisations using suppliers, professional advisers or public authorities. | Use specific recipient categories; name individual recipients where transparency requires it. |
| Service Providers And Processors | Explains sharing with suppliers that process data on instructions. | Often required | Hosting, email, CRM, payroll, support, cloud storage and analytics suppliers. | Ensure Article 28 processor contracts exist; do not describe processors as independent controllers. |
| Group Company Sharing | Explains sharing within a corporate group for administration or services. | Situational | Company groups, franchises, shared service centres and multinational businesses. | Clarify controllers, purposes, jurisdictions and transfer safeguards. |
| Professional Advisers And Insurers | Covers disclosure to lawyers, accountants, auditors, banks and insurers. | Often required | Most businesses, charities, landlords, professional services and regulated entities. | Explain disclosure for advice, audit, banking, insurance, claims and compliance. |
| Regulators And Public Authorities | Explains disclosure where required by law or regulatory request. | Often required | Regulated firms, employers, charities, tax reporting and law enforcement requests. | Avoid implying routine disclosure if sharing is only occasional or legally compelled. |
| Business Sale Or Reorganisation Sharing | Covers disclosure during mergers, acquisitions, asset sales or restructuring. | Situational | Companies seeking investment, sale, merger, insolvency or corporate restructuring. | Limit disclosure to due diligence and transaction purposes, with confidentiality controls. |
| Third Party Platform Sharing | Explains data sharing with marketplaces, social platforms or integrations. | Situational | Marketplace sellers, booking platforms, social login, embedded widgets and app integrations. | Clarify whether the third party is a controller, processor or joint controller. |
| International transfers | | | | |
| International Data Transfers | Explains whether personal data is transferred outside the UK. | Often required | Cloud services, global groups, offshore support, SaaS, analytics and remote teams. | State countries or regions where possible and identify the transfer mechanism. |
| UK Adequacy Regulation Transfers | Explains transfers to countries approved as providing adequate protection. | Situational | Transfers to countries covered by UK adequacy regulations. | Check current UK adequacy status before naming a country as adequate. |
| IDTA Or UK Addendum Transfers | Explains contractual safeguards for restricted transfers from the UK. | Situational | US cloud providers, offshore support, global SaaS and transfers to non-adequate countries. | Use the UK IDTA or UK Addendum and consider transfer risk assessments. |
| Binding Corporate Rules Transfers | Explains intra-group transfers protected by approved corporate rules. | Situational | Multinational groups with approved UK binding corporate rules. | Only reference BCRs if they are approved and apply to the transfer. |
| International Transfer Exceptions | Explains limited derogations for occasional restricted transfers. | Situational | One-off user-requested transfers, legal claims or explicit consent situations. | Use Article 49 exceptions sparingly; they are not for routine large-scale transfers. |
| Retention | | | | |
| Data Retention Periods | Explains how long personal data is kept and why. | Usually required | All organisations storing personal data. | Use specific periods where possible; otherwise state the criteria used to decide retention. |
| Account Data Retention | Explains how long account and profile data is kept. | Often required | Membership sites, SaaS platforms, ecommerce accounts and online communities. | Address inactive accounts, closure requests, backups and fraud or dispute holds. |
| Marketing Data Retention | Explains retention of subscriber, preference and suppression data. | Often required | Email newsletters, SMS marketing, CRM lists and lead generation. | Keep suppression records to avoid contacting users who have opted out. |
| Financial And Tax Record Retention | Explains retention of invoices, payments and accounting records. | Often required | Companies, sole traders, charities, ecommerce and paid services. | Companies commonly keep accounting records for at least six years under UK requirements. |
| Legal Claims Retention | Explains keeping records while disputes or legal claims may arise. | Often required | Customer services, contracts, HR, complaints, professional services and insurance. | Align with limitation periods and document legal hold processes. |
| Deletion And Anonymisation | Explains deletion, anonymisation and backup handling at the end of retention. | Often required | All organisations with retention schedules, backups or archived systems. | Anonymised data must not identify individuals; explain backup deletion timing if relevant. |
| Data subject rights | | | | |
| Your Data Protection Rights | Summarises rights available to individuals under UK data protection law. | Usually required | All UK privacy policies. | List rights accurately and explain that they may be subject to legal limits. |
| Right Of Access | Explains how users can request a copy of their personal data. | Usually required | All controllers receiving subject access requests. | Give the request route and note identity checks and statutory response times. |
| Right To Rectification | Explains how users can correct inaccurate or incomplete data. | Usually required | All controllers holding user, customer, staff or account data. | Explain that disputed accuracy may lead to restriction while it is checked. |
| Right To Erasure | Explains when users can ask for personal data to be deleted. | Usually required | All controllers, especially apps, accounts, marketing lists and communities. | Mention legal, contractual and claims-related reasons why deletion may be refused or delayed. |
| Right To Restrict Processing | Explains when users can ask for processing to be limited. | Usually required | All controllers handling rights requests or disputed data. | Clarify that storage may continue while other uses are paused. |
| Right To Data Portability | Explains when users can receive or transfer their data in a reusable format. | Usually required | Digital services, apps, SaaS, accounts, subscriptions and user-upload platforms. | Applies mainly to consent or contract data processed by automated means. |
| Right To Object | Explains objection rights, including objections to direct marketing. | Usually required | Marketing, profiling, legitimate interests and public task processing. | Direct marketing objections must be honoured; other objections require a balancing exercise unless an exemption applies. |
| Automated Decision-Making And Profiling Rights | Explains rights where significant decisions are made solely by automated means. | Situational | Credit scoring, recruitment screening, insurance pricing, fraud tools and eligibility checks. | If used, explain the logic, significance, consequences and safeguards in plain English. |
| How To Exercise Rights | Tells users how to submit privacy rights requests. | Usually required | All controllers with email, forms, dashboards or support channels. | Include the contact method, identity verification and the possible extension for complex requests. |
| Withdrawal Of Consent | Explains how users can withdraw consent-based processing. | Situational | Marketing consent, cookie consent, optional features and special category consent. | Withdrawal does not affect processing already carried out lawfully before withdrawal. |
| Cookies and tracking | | | | |
| Cookies And Similar Technologies | Explains use of cookies, pixels, SDKs and similar tracking tools. | Often required | Most websites, apps, ecommerce, analytics and advertising-funded services. | Coordinate with the cookie banner and cookie policy; cover non-cookie tracking too. |
| Strictly Necessary Cookies | Explains cookies needed for core site functions and requested services. | Often required | Login, shopping cart, security, load balancing and user-requested settings. | Do not over-classify analytics or advertising cookies as strictly necessary. |
| Analytics Cookies | Explains tracking used to measure visits, performance and user behaviour. | Often required | Websites using Google Analytics, product analytics, heatmaps or app analytics. | Non-essential analytics generally need consent under PECR unless a narrow exemption applies. |
| Advertising And Retargeting Cookies | Explains tracking for personalised ads, retargeting and campaign measurement. | Situational | Ecommerce, publishers, lead generation, social ads and affiliate marketing. | Obtain consent before setting non-essential advertising cookies or pixels. |
| Cookie Consent And Preference Controls | Explains how users accept, reject or change cookie choices. | Often required | Sites using analytics, advertising, embedded media or preference cookies. | Reject options should be as accessible as accept options; record consent choices. |
| Cookie List And Duration Table | Lists cookie names, providers, purposes and expiry periods. | Often required | Websites using multiple first-party or third-party cookies. | Keep the table current after tag manager or marketing tool changes. |
| Social Media Plugins And Pixels | Explains tracking and data sharing through social widgets and pixels. | Situational | Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, social login and share buttons. | Address consent, joint controller issues and links to platform privacy notices. |
| Email Tracking Technologies | Explains pixels and link tracking in marketing or service emails. | Situational | Newsletters, CRM campaigns, sales outreach and product notifications. | Explain open and click tracking, profiling, and opt-out or preference choices. |
| Security | | | | |
| Security Measures | Explains technical and organisational measures protecting personal data. | Usually required | All controllers and processors storing or transmitting personal data. | Describe measures in general terms without exposing sensitive security details. |
| Access Controls And Confidentiality | Explains limiting data access to authorised people with confidentiality duties. | Often required | Employers, SaaS, support teams, healthcare, finance and professional services. | Mention role-based access, staff training and confidentiality duties where accurate. |
| Encryption And Secure Transmission | Explains encryption or secure transmission used to protect data. | Often required | Online forms, payment flows, cloud storage, laptops and remote access. | Only claim encryption where it is actually implemented; avoid absolute security promises. |
| Personal Data Breach Handling | Explains how security incidents involving personal data are managed. | Optional | Organisations handling sensitive, financial, account, health or large-scale data. | Do not promise notice for every incident; UK GDPR notification depends on the risk to individuals. |
| User Account Security Responsibilities | Reminds users to protect passwords and account credentials. | Situational | Online accounts, SaaS, memberships, marketplaces and customer portals. | Keep distinct from the terms of use; avoid shifting controller security duties onto users. |
| Third Party Websites And Links | Explains that external websites have separate privacy practices. | Optional | Websites linking to partners, social media, advertisers or embedded services. | Do not use as a substitute for explaining embedded third-party tracking. |
| Complaints | | | | |
| Right To Complain To The ICO | Tells users they can complain to the UK data protection regulator. | Usually required | All UK privacy policies and notices. | Include ICO website, phone or postal details and encourage contacting the organisation first. |
| How To Raise A Privacy Complaint | Explains how users can raise privacy concerns with the organisation. | Often required | All organisations with customer support, DPO, compliance or legal teams. | Provide a clear email or form and avoid discouraging ICO complaints. |
| Controller identity | | | | |
| Changes To This Privacy Policy | Explains how updates to the privacy policy will be communicated. | Often required | Websites, apps, SaaS platforms and organisations with changing services. | State the effective date and consider direct notice for material processing changes. |
| Lawful basis | | | | |
| Direct Marketing Communications | Explains marketing emails, texts, calls, post and opt-out rights. | Often required | Retailers, SaaS, newsletters, charities, B2B sales and event organisers. | Align the UK GDPR lawful basis with PECR consent or soft opt-in rules. |
| Customer Soft Opt-In Marketing | Explains marketing to existing customers about similar products or services. | Situational | Ecommerce, paid SaaS, bookings and businesses marketing similar services to customers. | Only use if PECR conditions are met, including an opt-out at collection and in each message. |
| Profiling For Personalisation | Explains use of data to infer preferences or personalise services. | Situational | Streaming, ecommerce recommendations, targeted content, loyalty schemes and ads. | Explain inputs, purpose, consequences and objection choices; assess fairness risks. |
| Fraud Prevention And Security Monitoring | Explains processing to detect, prevent and investigate fraud or misuse. | Often required | Financial services, ecommerce, marketplaces, SaaS, ticketing and account platforms. | Identify the data types, any sharing with fraud prevention agencies, and the legitimate interests relied on. |
| Data categories | | | | |
| CCTV And Video Surveillance | Explains collection and use of images, audio or surveillance footage. | Situational | Retail premises, offices, landlords, venues, schools, care homes and workplaces. | Include purpose, retention, signage, access controls and the justification for any audio recording. |
| Call Recording And Monitoring | Explains recording or monitoring of calls and communications. | Situational | Call centres, financial services, customer support, sales teams and helplines. | State purposes such as training, evidence, compliance or quality monitoring. |
| Location Data | Explains use of GPS, delivery, IP-derived or workplace location data. | Situational | Delivery apps, transport, field staff, maps, dating apps and local services. | Distinguish precise from approximate location; explain user controls and any background tracking. |
| User-Generated Content Data | Explains processing of posts, reviews, comments, uploads and messages. | Situational | Forums, marketplaces, review sites, social apps and community platforms. | Explain visibility, moderation, deletion limits and the data included in public content. |
| Health And Medical Data | Explains collection and use of health-related personal data. | Situational | Clinics, wellness apps, employers, insurers, gyms and care providers. | State the Article 9 condition, confidentiality safeguards and any professional duties. |
| Biometric Data | Explains biometric identification data such as fingerprints or facial templates. | Situational | Access control, identity verification, fintech, security systems and attendance tools. | Explain necessity, alternatives, the Article 9 condition and a DPIA where processing is high risk. |
| Research And Survey Data | Explains use of survey responses, study data and feedback for research. | Situational | Universities, charities, market research, product research and public consultations. | Address anonymisation, consent, ethics approvals and special category data if relevant. |
| AI Tools And Automated Processing | Explains use of personal data in AI systems, prompts, outputs or model features. | Situational | AI document tools, chatbots, recruitment AI, analytics, summarisation and recommendation systems. | State whether data trains models, is retained by vendors, or is used only to provide outputs. |
| Chatbot And Live Chat Data | Explains processing of chat transcripts, support messages and bot interactions. | Situational | Customer support chat, AI assistants, sales chat and helpdesk integrations. | Warn users not to submit unnecessary sensitive data if chats are not designed for it. |
| Data Minimisation Statement | Explains that only necessary personal data is requested or used. | Optional | Forms, onboarding, recruitment, health services and high-risk data collection. | Support with actual form design and avoid collecting optional data by default. |
| Data subject rights | | | | |
| Keeping Personal Data Accurate | Encourages users to update their details and explains accuracy obligations. | Optional | Accounts, subscriptions, deliveries, HR records and regulated customer records. | Provide a practical update route rather than only stating the principle. |
| Controller identity | | | | |
| Who This Privacy Policy Applies To | Defines the people and activities covered by the privacy policy. | Often required | Businesses covering customers, website users, suppliers, applicants and visitors. | Do not mix unrelated audiences if separate notices would be clearer. |
| Data categories | | | | |
| Contact Form And Enquiry Data | Explains processing of enquiries, messages and contact details. | Often required | Websites with contact forms, quote requests, demos, bookings or support requests. | State the response purpose, CRM storage and whether enquiries trigger marketing follow-up. |
| Newsletter Subscription Data | Explains collection and use of email addresses for newsletters. | Situational | Blogs, ecommerce, SaaS, charities, events and professional services. | Explain the opt-in method, unsubscribe link, analytics and sharing with the mailing platform. |
| Providing Other People’s Data | Explains responsibilities when users provide data about someone else. | Situational | Bookings, referrals, emergency contacts, family accounts and employer submissions. | Explain that the provider should have authority and should inform the other person where appropriate. |
| If You Do Not Provide Personal Data | Explains the consequences of not providing required personal data. | Often required | Contracts, accounts, age checks, payments, employment and regulated services. | Identify data needed by contract or law and the likely consequence of refusal. |
| Age Assurance And Verification | Explains use of age checks to protect children or restrict services. | Situational | Online games, adult products, social platforms, gambling and age-restricted content. | Use proportionate checks and explain what data is shared with verification providers. |
| Retention | | | | |
| Complaint And Dispute Records | Explains retention of complaints, investigation notes and outcomes. | Often required | Customer services, regulated firms, healthcare, education, charities and employers. | Align retention with limitation periods, regulator expectations and evidence needs. |
| Data sharing | | | | |
| Sub-Processors | Explains onward use of sub-processors by a processor service provider. | Situational | SaaS, cloud hosting, payroll, email platforms and managed service providers. | Maintain a current sub-processor list and align it with customer data processing agreements. |
| Data categories | | | | |
| Aggregated And Anonymised Data | Explains use of data that no longer identifies individuals. | Optional | Analytics, reporting, benchmarking, research, product improvement and public statistics. | Do not call data anonymous if re-identification remains reasonably likely. |
| Data sharing | | | | |
| Safeguarding And Welfare Disclosures | Explains sharing data to protect children or vulnerable people. | Situational | Schools, charities, healthcare, care providers, clubs and youth services. | Balance confidentiality with safeguarding duties; avoid requiring consent where it is inappropriate. |
| Legal Compliance Disclosures | Explains disclosures needed to comply with law, court orders or lawful requests. | Often required | All organisations that may receive official, legal or regulatory requests. | Distinguish legal obligation disclosures from voluntary sharing under legitimate interests. |
| Customer Instructions For Processor Services | Explains that customer data is processed under the customer’s instructions. | Situational | B2B SaaS, IT providers, outsourced HR, payroll, storage and managed services. | Point end users to the customer controller’s privacy notice for controller decisions. |
What Clauses Should A UK Privacy Policy Usually Include?
Most UK privacy policies should identify the controller, describe the categories of personal data collected, explain the lawful bases used under UK GDPR, state who data is shared with, explain retention periods, and set out data subject rights and ICO complaint routes. These points are central to the transparency information expected by Articles 13 and 14 of the UK GDPR.
When Does A Privacy Policy Need Extra Clauses?
Additional clauses are commonly needed where an organisation uses cookies or similar tracking, transfers data outside the UK, processes children’s data, uses special category data, runs direct marketing, relies on consent, uses automated decision-making, or shares data with processors and group companies. These situations usually require more tailored wording rather than a short generic notice.
Why Is The Lawful Basis Clause So Important?
A UK privacy policy should link each main processing purpose to a lawful basis, such as contract, legal obligation, legitimate interests, consent, vital interests or public task. Where legitimate interests are used, the policy should identify the interests relied on. Where consent is used, the policy should explain withdrawal. This helps users understand why processing is permitted and supports accountability.
How Should UK Privacy Policies Handle Cookies And Tracking?
Non-essential cookies and similar technologies normally need clear information and consent under PECR before they are set. A privacy policy can summarise tracking practices, but detailed cookie names, purposes, durations and controls are often better placed in a linked cookie policy or consent platform notice.
What Should Be Checked Before Using A Template?
- Map data first: match clauses to the organisation’s actual data categories, purposes, recipients and retention periods.
- Avoid vague wording: phrases such as "we may use your data for business purposes" are unlikely to be sufficiently transparent.
- Check high-risk processing: children’s data, special category data, profiling, international transfers and automated decisions require more precise drafting.
- Keep contact routes current: controller details, DPO details where applicable, and ICO complaint information should be accurate and easy to find.
