| Data subject access: data controller seeking fee, identification or clarification A letter to be sent by a data controller to a data subject, following receipt of a data subject access request under section 7 of the Data Protection Act 1998, where further information is required (fee, identification, clarification) to enable a data controller to deal with a request. |
| Data protection memorandum to board of directors An example of a high-level memorandum to a board of directors, outlining the key issues in privacy and data protection laws, the need for a company-wide program addressing these issues and what such a program needs to include. |
| Data subject access: data subject access request form A data subject access request form for a data controller to provide to a data subject who is requesting their own personal data under section 7 of the Data Protection Act 1998. |
| Data VAR agreement (personal data, transfer outside EEA) An agreement between a database provider and a value-added reseller of that provider's products, drafted from the database provider's point of view. Personal data will be transferred to the VAR and the end-users, all of whom are located outside the EEA. |
| Privacy policy A standard policy for use by an online business in relation to the collection, storage and use of non-sensitive personal data, for use on a website which collects such data in an online application form for the purpose of supplying goods or services to users of the site, or for contacting users with direct marketing information. |
| Information and communications systems policy A policy dealing with the use and monitoring of electronic communications systems and equipment. This document has integrated drafting notes embedded within the text. |
| Database sale agreement (personal data: transfer outside EEA) A specimen database sale agreement, drafted from the perspective of the buyer, for use where the buyer is acquiring a customer database and an employee database which contain personal data and which may or may not form part of a larger asset purchase transaction. Personal data will be transferred to a destination outside the EEA. |
| Data subject access: data controller's acknowledgement letter A letter to be sent by a data controller acknowledging receipt of a data subject access request under section 7 of the Data Protection Act 1998. |
| Binding corporate rules: complaints handling procedure A document setting out a complaints handling procedure to be used in connection with binding corporate rules (BCRs) agreed between members of a multinational group of companies. |
| Data licence agreement (general, personal data, transfer outside EEA) A specimen data licence, drafted from the perspective of the supplier, for use where a supplier is supplying personal and non-personal data to a customer who will be using the data for its internal business use. Personal data will be transferred to a destination outside the EEA. |
| Safe harbor policy A document for US companies receiving personal data from the EU for the purpose of qualifying for the US-EU safe harbor framework. |
| Database sale agreement (personal data, transfer within EEA) A specimen database sale agreement, drafted from the perspective of the buyer, for use where the buyer is acquiring a customer database and an employee database which contain personal data and which may or may not form part of a larger asset purchase transaction. Personal data will be transferred within the EEA only. |
| Data protection dos and don'ts for employees (UK) A standard document outlining key messages to target at relevant employees as part of an enterprise-wide UK data protection compliance programme. |
| Data subject access: data controller's detailed response A letter to be sent by a data controller providing a detailed response to a data subject's access request under section 7 of the Data Protection Act 1998. |
| Binding corporate rules: main principles document A document for businesses that want to transfer personal data from the UK to other group companies in countries outside the European Economic Area. |
| Data security breach notification: letter notifying a personal data breach to the Information Commissioner (non-PECR) A letter to be sent by a data controller to notify the Information Commissioner of a serious breach of personal data security. Note: providers of publicly available electronic communications services that are subject to the notification requirement in regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) should instead use the Standard document, Data security breach notification: letter notifying a personal data breach to the Information Commissioner (PECR). |
| Privacy and data protection dos and don'ts for employees This note outlines key messages to target at relevant employees as part of an enterprise-wide privacy and data protection compliance program. |
| Mobile application privacy policy A policy for use by a business that offers a mobile app on a website, offers services through the app, collects non-sensitive personal data in connection with an individual’s use of the app and those services and stores and uses the data for the purpose of supplying those services and for contacting users with direct marketing information. |
| Image release This is a form of release to authorise the use of photographs featuring a member of the public. |
| Social media policy (UK) A policy for UK employers on the appropriate use of social media. It can be incorporated into an employee handbook or used as a stand-alone policy document. This document has integrated drafting notes embedded within the text. |
| UK data protection memorandum to board of directors A high-level memorandum to a board of directors of a UK company, outlining the key issues concerning the Data Protection Act 1998, the need for a company-wide programme addressing these issues and what this programme needs to include. |
| Data subject access: general letter making a request A letter making a data subject access request under section 7 of the Data Protection Act 1998. |
| Fair processing notice: asset purchases Specimen form of fair processing notice to be issued to data subjects on an asset purchase for data protection compliance purposes. |
| Data security breach notification: letter notifying a personal data breach to affected data subjects A letter to be sent by a data controller to notify affected data subjects of a personal data security breach. |
| Data security breach notification: letter notifying a personal data breach to the Information Commissioner (PECR) A letter to be sent by a provider of a public electronic communications service to notify a personal data breach under regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208). |
| Data protection policy A policy setting out the principles and legal requirements in relation to the processing of personal data of staff and third parties in the operation of a business. This document has integrated drafting notes embedded within the text. |
| Data licence agreement (financial services, personal data, transfer outside EEA) A specimen data licence, drafted from the perspective of the licensor, for use where a supplier in the financial services sector is supplying data to a customer and granting it a licence to redistribute the data to the customer's subscribers. Personal data will be transferred to the customer and its subscribers, all of whom are located outside the EEA. |
| Short-form privacy notice A short-form privacy notice intended to be used by website operators and providers of mobile communications services and applications in conjunction with the Standard document, Privacy policy. |
| Bring your own device to work (BYOD) policy A policy for employers that wish to allow their employees to use their own smartphones, tablets or other mobile devices for work either while at the office or during non-working hours. This policy applies only to private workplaces in the UK. Among other things, it deals with acceptable use, information security, expectations of privacy, the employer's right of access, and issues surrounding technical support and responsibility for running costs. Drafting notes for this standard document will be available in due course. |