Welcome to Dignity platform! The marketplace for local skills, where all the money goes to local causes. Your neighbours volunteer their time, and you donate your money. Everyone wins :)
Sign up with email
We tried to make the most readable, relatable legal disclaimer ever.
References to “Dignity”, “we”, “us” or “our” in this policy, refers to Dignity Platform C.I.C.
Listing on Dignity
Insurance and professional qualifications
Be aware that if the service you’re offering does require insurance or a professional qualification, you’ll need to explicitly express this in your listing – this is really important to help us make sure we keep all our members safe.
Trust your instincts
The users are themselves responsible for their actions on the platform and they should estimate the reliability of other users before dealing with them.
Gigs with other members
We expect Dignity members to be courteous, patient and friendly throughout the giving process and in all your online and face to face interactions. Remember, everyone is doing this from the goodness of their heart. Our community is built on trust and mutual respect, so we will not accept any rude, malicious, unwholesome or discriminatory behaviour between Dignity members, either within or outside of a Dignity gig.
We expect Dignity members to keep any promises made when agreeing to a gig. This includes being on time for any meetings or appointments agreed and providing goods or services at the time, date and location that you agreed. If you are delayed or cannot keep a promise you should inform the other Dignity member straight away.
We recommend that you take appropriate measures to make sure you’re safe during the giving process – where possible, we strongly recommend that you meet in a public place and that when using the website you don’t share any personal details (such as phone numbers, postal or email addresses). We are currently unable to vet users, and are not responsible for, any information which is posted on the website.
Please note that Dignity does not take any responsibility for members’ gigs. We do our very best to ensure a positive experience, but it’s up to members to make sure they’ve got relevant insurance (if required) and that they keep themselves safe during gigs.
We’ve built the marketplace so you can get on, connect and fundraise. If we feel a Dignity member has behaved in a way which isn’t in line with our community values, we reserve the right to remove or edit listings, or consider suspending membership as described in further detail below.
There are always risks to meeting new people. Use of our platform and service is entirely at your own risk.
Dignity Platform C.I.C shall not be liable for any losses or damages, whether direct, indirect or consequential, whether caused by breach of contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising out of or in connection with the use of, or inability to use, or access to, the website, the Dignity platform and/or its content. In particular, Dignity Platform C.I.C will not be liable for loss of profits, sales, business, or revenue, business interruption, loss of anticipated savings, loss of business opportunity, goodwill or reputation, or any indirect or consequential loss or damage.
We do not seek to exclude or limit our liability for death or personal injury caused by negligence, or for fraudulent misrepresentation, or any other liability which may not be excluded by law.
The Dignity platform only enables connections between users to provide and request services. You are solely responsible for your interactions with other users and for compliance with all applicable laws and regulations. Dignity Platform C.I.C is not responsible for and does not guarantee (i) the conduct or performance of any Dignity platform user or third party, (ii) the existence, quality or safety of any user or listing on the Dignity platform, or (iii) the accuracy of any listing/user descriptions or content uploaded by Dignity platform users.
Policies for our community members
Creating a community where all members can enjoy a safe and rewarding Dignity experience requires trust. Being responsible and respectful to others are the building blocks that form our marketplace integrity.
We're passionate about connecting people ready to volunteer with people who need odd jobs done. As Dignity continues to grow it's important that the community follows guidelines that reflect our values and standards of behaviour. We work hard to enforce these guidelines so that we can maintain our authenticity and transparency, so that everyone has an enjoyable experience.
We strongly recommend keeping all communications with users on the Dignity platform and that members do not disclose personal contact details to other users. This helps to ensure the safety of users and in the event that you need to report a problem, we will be best equipped to help.
We can only currently verify member identities through their bank account, via stripe, so we encourage members to use Dignity with common sense and responsibility at all times. We do not assume any responsibility for the confirmation of any user’s identity. References to a user being "verified" indicates that the user has completed a relevant verification or identification process and nothing else. Users should always exercise caution when considering whether to offer or accept a service or interact with other users.
How can I report a problem?
If you have any issues with another member, would like to make a complaint, provide feedback or ask any questions in relation to the site or our service, please contact us at email@example.com.
Content standards and unacceptable behaviours
Community is at the heart of what we do at Dignity. Courtesy, mutual respect and seeing things from another person's perspective is essential to the platform.
We are committed to bringing communities together, however, this requires your support and cooperation.
The content standards below apply to any and all material which you contribute to our site, and to any interactive services associated with it. You must comply with the spirit and letter of the following standards.
Contributions on the Dignity platform must:
be accurate (where they state facts).
be genuinely held (where they state opinions).
comply with applicable law in the UK and in any country from which they are posted.
Contributions on the Dignity platform must not:
Contain any material which is defamatory of any person.
Contain any material which is obscene, offensive, hateful or inflammatory.
Promote sexually explicit material.
Promote discrimination based on race, sex, religion, nationality, disability, sexual orientation or age.
Infringe any intellectual property of any other person.
Be likely to deceive any person.
Be made in breach of any legal duty owed to a third party, such as a contractual duty or a duty of confidence.
Promote any illegal activity.
Be threatening, abuse or invade another’s privacy, or cause annoyance, inconvenience or needless anxiety (including any form of trolling).
Be likely to harass, upset, embarrass, alarm or annoy any other person.
Be used to impersonate any person, or to misrepresent your identity or affiliation with any person.
Give the impression that they emanate from us, if this is not the case.
Advocate, promote or assist any unlawful act such as (by way of example only) copyright infringement or computer misuse.
We do not support the following activities in our Dignity community:
fraudulent reviews on the Dignity platform; or
the harvesting of Dignity members information.
Suspension and termination
Immediate, temporary or permanent withdrawal of your right to use our site.
Immediate, temporary or permanent removal of any posting or material uploaded by you to our site.
Issue of a warning to you.
Legal proceedings against you for reimbursement of all costs on an indemnity basis (including, but not limited to, reasonable administrative and legal costs) resulting from the breach.
Further legal action against you.
Disclosure of such information to law enforcement authorities as we reasonably feel is necessary.
Pricing and payments
To ensure a safe and rewarding environment for all members of the Dignity community, it's important to understand how pricing and payments work.
Donation to Dignity
When you create your listing, you are required to choose a percentage to be donated to Dignity platform CIC. You can choose 0, 5,10,15 or 20%. This percentage will come out of the total gig value, and directly sustains the platform.
The offer price is the price you are willing to accept in exchange for the provision of a service volunteered by you on the Dignity platform. Offers placed must be totalled to the full amount of the task in question. We recommend that the offer price charged is similar in amount to the amount you would normally charge for the service. Our view is that you should not under-charge for the service just because it’s for charity! That would defeat the object of significant fundraising and undermine your valued skills.
Right now, Dignity platform cannot facilitate the payments of expenses in connection with the provision of the services on the platform. If the service and/or skills you are volunteering involve additional costs (such as the cost of materials, fuel, travel or food),these expenses must be paid for outside of the Dignity platform, by a separate method. Any such additional expenses should be discussed and agreed between users in advance of any service being provided. Dignity cannot take responsibility for the payment of expenses; you will have to take a view on whether to rely on good old fashioned trust with the relevant user.
The request price is the price you are offering to pay for the provision of a service on the Dignity platform. When deciding the price of a request, we suggest considering the cost involved in the provision of the service and the amount that you are willing to pay for such a service.
If you decide the amount you are willing to pay is different to the amount posted by a volunteer on the platform, or a volunteer quotes you a different price to the one you are willing to pay, you can always change the price of the listing on the platform.
Accurate banking details
To ensure seamless transition of donations, we require your bank account details when you sign up to the Dignity platform. The reason we require these details from you in advance is because our website does not allow us to make donations from your profile without first having your payment details.
We know you're eager to set up an account and get started on Dignity, but we need you to make sure you qualify to use the site and platform. All users must:
Be 18 years or older
All members of the Dignity community must be 18 years old or older in order to use the platform. Dignity reserves the right to request proof of age from any user should this be necessary.
Be legally entitled to provide the services offered
All service providers on the platform must be legally entitled to perform the service they offer under applicable law.. To maintain the highest standards in our Dignity community, we seek to avoid situations that may cause legal risks to any of our members.
Now that you understand a little more about Dignity, we have some important information regarding Dignity accounts. You must establish an account to access and use certain features of the Dignity platform, such as offering or requesting a service.
You can create an account using an email address and creating a password, or through your account with certain third party social networking services, such as Facebook.
No account transfers
Your account is your responsibility and you must maintain control of it. It must not be transferred to another person as your account and reviews reflect your skills and abilities.
You are the sole authorised user of your account. You are solely responsible for all actions taken that occur under your password or account. You are responsible for keeping your account credentials confidential and secure and may not disclose your credentials to any third party.
No duplicate accounts
Members may only have a single, active account on the platform. As your account reflects your reputation in the marketplace and represents your skills and abilities, any duplicate accounts attempting to disguise a member's history will be removed immediately.
Identity on Dignity
Dignity is committed to building a community platform that is a positive and safe environment for all. This commitment is grounded in the principles of transparency and respect. To help foster trust in the community, Dignity members are required to have a profile photo and name that accurately identifies them.
Fake / miscellaneous photos and names are not permitted on Dignity platform. Members that do not have an accurate profile photo or name that meets Dignity profile standards will be asked to change their details.
Dignity profile standards
Your real name as confirmed by your identification documents (passport, drivers licence etc) must be used for the purposes of your Dignity account.
A clear profile photo of a member’s face must also be used for an account, so that it’s easily recognisable by other members. This helps other users know who you are, and ultimately trust you more.
We process information about you in accordance with our privacy and cookies policy [insert link to privacy and cookies policy].
- - -
Phew... Well done for getting through it : )
‘Our, ‘we’ and ‘us’ refers to aspects related to the incorporated organisation of Dignity Platform CIC.
‘Our users’ refers to users of the website www.Dignityplatform.org of whom have created a profile and had their identity verified through the platform.
You should read this Policy alongside our Terms and Conditions which are available here.
1. Contact Information
We are the data controller in respect of any personal data we collect about you for the purposes of the Data Protection Act 1998 and all other applicable law from time to time relating to the processing of personal data including (where applicable) the General Data Protection Regulation (EU) 2016/679 of the European Parliament.
If you have any comments or enquiries related to this Policy please do not hesitate to contact us:
(a) by post, to [the postal address given above];
(b) using our website contact form;
(c) by telephone, on [the contact number published on our website]; or
(d) by email, using [the email address published on our website].
You may also contact our data protection officer directly at [insert details]. Our data protection officer ensures, in an independent manner, that our processing of personal data is carried out in accordance with applicable law.
1.1 The policy sets out how we use and protect your personal data that you provide to us, or that is otherwise obtained or generated by us, in connection with your use of our website or mobile application.
1.2 This policy applies where we are acting as a data controller with respect to the personal data of our users; in other words, where we determine the purposes and means of the processing of that personal data.
1.4 Our website incorporates privacy controls which affect how we will process your personal data. By using the privacy controls, you can specify whether you would like to receive direct marketing communications and limit the publication of your information..
1.5 In this policy, "we", "us" and "our" refer to [data controller name].[ For more information about us, see Section Contact Information.]
2.1 This document was created using a template from SEQ Legal (https://seqlegal.com/free-legal-documents/privacy-policy).
3. Collection of your personal data
4. Legal ground for processing your personal data
5. What personal data we may process
5.1 In this section 5 we have set out the general categories of personal data that we may process
3.Use ofse your personal data
3.1 In this Section 3 we have set out:
(a) the general categories of personal data that we may process;
(b) [in the case of personal data that we did not obtain directly from you, the source and specific categories of that data];
(c) the purposes for which we may process personal data; and
(d) the legal bases of the processing.
3.2 We may process data about your use of our website and services ("usage data"). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our analytics tracking system. This usage data may be processed for the purposes of analysing the use of the website and services. The legal basis for this processing is our legitimate interests, namely monitoring and improving our website and services.
3.3 Use of personal details (purpose of register)
Personal details are collected to make communication and use of service possible. Details can be used for communication between service providers and users and also for direct communication between users. Some personal details are visible on the profile page of the user, but those details are voluntary (except name).
The handling of personal details is not outsourced, but the register data is stored on a server that is rented from a third party company.
Information content of the register
The following information may be stored in the register:
Personal details: Name, email address, phone number, street address
Account details: username, password (stored in encrypted format)
The description text that the user may write about him/herself
The offers and requests the user has posted to the service
The given and received feedback and badges
Statistical data about service usage, e.g. number times the user has logged in
Regular sources of information
Personal details are given by the user on registration to the service or when using it later.
3.4 We may process your website user account data ("account data").[ The account data may include your name and email address.][ The source of the account data is [you or your employer].] The account data may be processed for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you. The legal basis for this processing is our legitimate interests, namely [the proper administration of our website and business].
3.5 We may process information that you post for publication on our website or through our services ("publication data"). The publication data may be processed [for the purposes of enabling such publication and administering our website and services]. The legal basis for this processing is our legitimate interests, namely [the proper administration of our website and business].
3.11 In addition to the specific purposes for which we may process your personal data set out in this Section 3, we may also process [any of your personal data] where such processing is necessary[ for compliance with a legal obligation to which we are subject, or] in order to protect your vital interests or the vital interests of another natural person.
3.12 Please do not supply any other person's personal data to us, unless we prompt you to do so.
4.Providing your personal data to others
4.1 We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
4.2 Your personal data held in our website database.
4.4 In addition to the specific disclosures of personal data set out in this Section 4, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.[ We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.]
5.International transfers of your personal data
5.1 In this Section 5, we provide information about the circumstances in which your personal data may be transferred to [countries outside the European Economic Area (EEA)].
5.2 The hosting facilities for our website are situated in the UK.
5.4 You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.
6.Retaining and deleting personal data
6.1 This Section 6 sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
6.2 Personal data that we process for any purpose or purposes shall only be stored for as long (i) as it may be necessary for us to fulfil our contractual obligations in respect of the provision of services and administration of our business; and (ii) is required by applicable law. Any data kept longer will be anonymised.
6.3 We will retain your personal data as follows:
(a) usage data will be retained for a minimum period of 6 months following the date of collection, and for a maximum period of 50 years following that date;
(b) account data will be retained for a minimum period of 6 months following the date of closure of the relevant account, and for a maximum period of 50 years following that date;
(c) publication data will be retained for a minimum period of 6 months following the date when the relevant publication ceases to be published on our website or through our services, and for a maximum period of 50 years following that date;
(d) enquiry data will be retained for a minimum period of 6 months following the date of the enquiry, and for a maximum period of 50 years following that date;
(e) transaction data will be retained for a minimum period of 6 months following the date of the transaction, and for a maximum period of 50 years following that date;
(f) notification data will be retained for a minimum period of 6 months following the date that we are instructed to cease sending the notifications, and for a maximum period of 50 years following that date (providing that we will retain notification data insofar as necessary to fulfil any request you make to actively suppress notifications)
6.4 Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
7.Your rights regarding the personal data you provide to us
7.1 In this Section 7, we have listed the rights that you have under data protection law.
7.2 Your principal rights under the data protection law are:
(a) the right to access - you can ask for copies of your personal data that we store;
(b) the right to rectification - you can ask us to correct any inaccurate personal data we hold on you or to complete any incomplete personal data we hold on you;p
(c) the right to erasure - you can ask us to delete or amend your personal data;
(d) the right to restrict processing - you can restrict or object to the processing of your personal data;;
(e) the right to object to processing - you can object to the processing of your personal data;
(f) the right to data portability - you can ask that we transfer your personal data to another organisation or to you;
(g) the right to complain to a supervisory authority - you can lodge a complaint with national data protection authorities regarding our processing of your personal data; and
(h) the right to withdraw consent - to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
7.3 These rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
7.4 You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details set out below.
7.5 Sadly, if you do not accept our modest requirements, it will not be possible for us to provide you with our services.
8.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
8.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
8.3 Cookies do not typically contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
9.Cookies that we use
10.Cookies used by our service providers
11.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
(a) https://support.google.com/chrome/answer/95647 (Chrome);
(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
11.2 Blocking all cookies will have a negative impact upon the usability of many websites.
11.3 If you block cookies, you will not be able to use all the features on our website.
12.Chnages to this Policy
12.1 We will review and may update this Policy from time to time. Any changes to this Policy will become effective when we post the revised Policy on our website.
12.2 You should check our website frequently to ensure you are happy with any updates or changes to this policy, a summary of which we will set out in section [x] below.
12.3 We may notify you of significant changes to this policy by email.
12.4 This Policy has been last updated on [XX.XX.XX]
13. Previous changes to this policy
13.Previous changes to this policy
To complete this template, you will need detailed information about how you or your organisation uses personal data. For example, you will need to know what personal data is processed, the purposes for which that personal data is used, the persons or categories of persons to whom that personal data may be disclosed and the periods for which that personal data will be retained. You will also need to establish the legal bases of the your processing.
Separate rules regulate the provision of information about cookies, and this document includes optional provisions dealing with cookie-related disclosures. If you retain these provisions, you will need to know the purposes for which cookies and similar technologies are used on your website.
You should consider whether you need to take specialist legal advice on data protection.
You can find out more about the information disclosure requirements of data protection law with the following resources.
The GDPR - https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
European Data Protection Board (EDPB) guidance on transparency - https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227
UK Information Commissioner's Office guidance on the right to be informed - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/
Section 1: Introduction
These introductory provisions may be used to draw individuals' attention to some of the key issues addressed in the document.
"Personal data" is defined in Article 4(1) of the GDPR:
"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
Section 2: Credit
Section: Free documents licensing warning
Optional element. Although you need to retain the credit, you should remove the inline copyright warning from this document before use.
Section 3: How we use your personal data
The GDPR requires that controllers disclose to data subjects detailed information about their processing of personal data.
Article 13(1) of the GDPR provides that:
"Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: ... (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party".
Article 14(1) of the GDPR provides that:
"Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: ... (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) the categories of personal data concerned ...".
Article 14(2) of the GDPR, which also applies in the case that the personal data have not been obtained from the data subject, provides that:
"In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: ... (b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party ... (f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources ... ".
Article 6(1)(f) of the GDPR, which is referred to in Articles 13 and 14, provides that:
"(1) Processing shall be lawful only if and to the extent that at least one of the following applies: ... (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
As regards the identification of the source of personal data in the case that the personal data is not obtained from the data subject, the guidance from the European Data Protection Board states that:
"The specific source of the data should be provided unless it is not possible to do so … . If the specific source is not named then information provided should include: the nature of the sources (i.e. publicly / privately held sources) and the types of organisation / industry / sector."
Note that, while Article 14 of the GDPR provides that information about "the categories of personal data concerned" must be supplied to data subjects, Article 13 does not include an equivalent provision. Nonetheless, we have included references to general categories of data in this document, because this facilitates the identification of particular purposes of processing and the legal bases of processing - information which does need to be provided under Article 13.
The UK Information Commissioner's Office website provides useful guidance in relation to the selection of the legal bases for processing:
Section 4: Providing your personal data to others
Article 13(1)(e) of the GDPR requires that where personal data are collected from the data subject, the data controller must provide the data subject with information about "the recipients or categories of recipients of the personal data".
Equivalent rules for data collected from someone other than the data subject are in Article 14(1)(e).
Although the GDPR refers to "categories of recipients", the guidance from the European Data Protection Board on this subject states:
"The term 'recipient' is defined in Article 4.9 as 'a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not' [emphasis added]. As such, a recipient does not have to be a third party. Therefore, other data controllers, joint controllers and processors to whom data is transferred or disclosed are covered by the term 'recipient' and information on such recipients should be provided in addition to information on third party recipients. The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients."
Article 13(1)(f) of the GDPR requires that data controllers disclose to data subjects "where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 [transfers subject to appropriate safeguards] or 47 [binding corporate rules], or the second subparagraph of Article 49(1) [limited transfers for compelling legitimate interests], reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available".
The European Data Protection Board guidance on this issue states:
"The relevant GDPR article permitting the transfer and the corresponding mechanism ... should be specified. Information on where and how the relevant document may be accessed or obtained should also be provided e.g. by providing a link to the mechanism used. In accordance with the principle of fairness, the information provided on transfers to third countries should be as meaningful as possible to data subjects; this will generally mean that the third countries be named."
Section 6: Retaining and deleting personal data
Article 5(1)(e) of the GDPR sets out the storage limitation, one of the fundamental rules of the regime:
"Personal data shall be: ... kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ... ".
Article 13(2) of the GDPR provides, in relation to personal data collected from the data subject, that:
"... the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period ...".
Article 14(2) of the GDPR makes similar provision in relation to personal data that is not collected from the data subject.
The European Data Protection Board guidance on this issue states:
"This is linked to the data minimisation requirement in Article 5.1(c) and storage limitation requirement in Article 5.1(e). The storage period (or criteria to determine it) may be dictated by factors such as statutory requirements or industry guidelines but should be phrased in a way that allows the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data / purposes. It is not sufficient for the data controller to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods."
For guidance on setting retention periods, see:
Section 7: Your rights
Article 13(2) of the GDPR provides that, where personal data is collected from a data subject, certain information about data subject rights must be provided:
"In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: ... (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; ...".
Similar provisions are set out in Article 14 in relation to personal data which is not collected from the relevant data subject.
The European Data Protection Board guidance on this issue states:
"This information should be specific to the processing scenario and include a summary of what the right involves and how the data subject can take steps to exercise it and any limitations on the right … . In particular, the right to object to processing must be explicitly brought to the data subject's attention at the latest at the time of first communication with the data subject and must be presented clearly and separately from any other information."
Section 8: About cookies
This requirement derives from Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), which provides that:
"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."
The requirement is implemented in the UK in the Privacy and Electronic Communications (EC Directive) Regulations 2003. In its current (amended) form, Regulation 6 states:
"(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment - (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information - (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user."
In their original form, these Regulations can be found at:
Section 10: Cookies used by our service providers
Does the website serve any third party cookies, analytics cookies or tracking cookies to users?
Optional element. Will the blocking of cookies have a negative effect upon the use of the website from a user perspective?
Optional element. Will you contact users to notify them of changes to this policy?
How will users be notified of changes to the document?
Section 13: Our details
UK companies must provide their corporate names, their registration numbers, their place of registration and their registered office address on their websites (although not necessarily in this document).
Sole traders and partnerships that carry on a business in the UK under a "business name" (i.e. a name which is not the name of the trader/names of the partners or certain other specified classes of name) must also make certain website disclosures: (a) in the case of a sole trader, the individual's name; (b) in the case of a partnership, the name of each member of the partnership; and (c) in either case, in relation to each person named, an address in the UK at which service of any document relating in any way to the business will be effective. All websites covered by the Electronic Commerce (EC Directive) Regulations 2002 must provide a geographic address (not a PO Box number) and an email address. All website operators covered by the Provision of Services Regulations 2009 must also provide a telephone number.
Some data controllers and data processors will have an obligation to appoint a data protection officer (DPO). The basic obligation is set out in Article 37(1) of the GDPR:
"The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10."
Article 13(1) of the GDPR provides that:
"Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information ... (b) the contact details of the data protection officer, where applicable".
See also Article 14(1)(b).
Insert contact details of the appointed data protection officer (if any).