Privacy policy template for businesses outside of the European Union

We created this template because templates intended for use within the EU are insufficient in addressing GDPR requirements unique to businesses outside of the EU.

You are required to publish a privacy policy if you collect information from your users or customers. If you have users or customers in the EU, you’re also required to comply with the GDPR. Most templates don’t address the GDPR requirements specific to businesses outside of the EU, so we created one based on available regulatory guidance.

This privacy policy template is based on the privacy policy template provided by the UK Information Commissioner's Office (ICO). It includes language for three additional components that businesses outside of the European Union (EU) should take into account when drafting a privacy policy in line with the General Data Protection Regulation (GDPR).

The three components for businesses outside of the EU and their bases in GDPR requirements are as follows:

  1. EU representative (Articles 13 & 27): Businesses outside of the EU that offer goods or services to or monitor the behavior of data subjects in the EU are required by the GDPR to appoint a representative in the EU. The original ICO template, intended for UK businesses, does not address this requirement.

  2. EU-U.S. Privacy Shield (Articles 13 & 46): Data controllers and processors in the United States that participate in the EU-U.S. Privacy Shield Framework are required to include certain disclosures as part of their participation. While the EU considers these businesses to have adequate data protection measures, the ICO template does not address this.

    The EU-U.S. Privacy Shield section is only applicable if you are a participant in that program. We, as blucheq, are certified under the EU-U.S. Privacy Shield Framework, and our clients benefit from our status, which allows data to be transferred to us from the European Union freely.

  3. List of supervisory authorities (Articles 13, 56 & 57): The ICO template only lists itself as an authority for complaints. In the case of a business outside of the EU, the competent supervisory authority can be any one of the national data protection authorities based on the residence of the data subject filing the complaint.

As with any template, you should only use this one with an understanding of its limitations. While this template should be suitable for most apps, websites, e-commerce stores, and B2B processors, you will need additional information in your privacy policy under certain circumstances. Please review the additional considerations section carefully if your organization requires a data protection officer, if individuals are legally required to provide you certain information, or if you use automated decision-making processes such as profiling.


Privacy policy template

Our contact details

Name: [insert your company's name]

Address: [insert your company's address]

Phone number: [insert your company's phone number]

Email address: [insert your company's email address]

The type of personal information we collect

We currently collect and process the following information:

  • Personal identifiers, contacts, and characteristics (for example, name and contact details)

  • [Add to this list as appropriate]

How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • [Add the reasons you collected personal information]

[If applicable] We also receive personal information indirectly, from the following sources in the following scenarios:

  • [Add the source of any data collected indirectly and why you collected the personal information]

We use the information that you have given us in order to [list how you use the personal information].

We may share this information with [enter organizations or individuals].

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are: [delete as appropriate]

  • Your consent. You are able to remove your consent at any time. You can do this by contacting [contact details].

  • We have a contractual obligation.

  • We have a legal obligation.

  • We have a vital interest.

  • We need it to perform a public task.

  • We have a legitimate interest.

How we store your personal information

Your information is securely stored [enter location].

We keep [type of personal information] for [time period]. We will then dispose of your information by [explain how you will delete their data].

Your data protection rights

Under data protection law, you have rights including:

  • Your right of access: you have the right to ask us for copies of your personal information.

  • Your right to rectification: you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

  • Your right to erasure: you have the right to ask us to erase your personal information in certain circumstances.

  • Your right to restriction of processing: you have the right to ask us to restrict the processing of your personal information in certain circumstances.

  • Your right to object to processing: you have the right to object to the processing of your personal information in certain circumstances.

  • Your right to data portability: you have the right to ask that we transfer the personal information you gave us to another organization, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at [insert email address, phone number, and/or postal address] if you wish to make a request. If you are a national data protection authority in the EU or a resident of the European Economic Area, in addition to the ability to contact us directly, you may contact our EU representative at [insert email address, phone number, and/or postal address]. [Visit blucheq.com to appoint an EU representative]

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at [contact details for data protection inquiries].

If you are a resident of the European Economic Area, you can also complain to your national data protection authority if you are unhappy with how we have used your data. You can locate the contact information for your national data protection authority by visiting https://edpb.europa.eu/about-edpb/board/members_en.

EU-U.S. Privacy Shield [if applicable]

We are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and we comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at [insert email address, phone number, and/or postal address]. We have further committed to refer unresolved Privacy Shield complaints to [insert alternative dispute resolution provider's name], an alternative dispute resolution provider located in [insert location of the alternative dispute resolution provider]. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit [insert website address for filing a complaint with your alternative dispute resolution provider] for more information or to file a complaint. The services of [insert alternative dispute resolution provider's name] are provided at no cost to you. If your complaint remains unresolved, you have the right to invoke binding arbitration under certain conditions.


Additional considerations

One size does not fit all with templates. The template above should serve the needs of most online businesses outside of the European Union. In this section, we'll share additional considerations to take into account when drafting your privacy policy, based on guidance issued by the ICO.

The template we provide addresses the following pieces of information included in the regulatory guidance as part of the data subjects' right to be informed:

  • The name and contact details of your organization

  • The name and contact details of your EU representative

  • The purposes of the processing

  • The lawful bases for the processing

  • The source of personal data obtained from other parties

  • The recipients or categories of recipients of the personal data

  • The details of transfers of the personal data to any third countries or international organizations

  • The retention periods for the personal data

  • The rights available to individuals in respect of the processing

  • The right to withdraw consent

  • The right to lodge a complaint with a supervisory authority

Additional information that is not included in the template but may still apply to your business includes the following:

  • Data protection officer: The contact details of your data protection officer (DPO)

  • Automated decision-making: The aspects of automated decision-making, including profiling, if used

  • Legal obligations: The details of whether individuals are under a statutory or contractual obligation to provide their personal data

Data protection officer

Some organizations are required to appoint a data protection officer (DPO), and others may voluntarily choose to appoint one. If your organization has a data protection officer, you should include their contact information in your privacy policy.

Data protection officer vs. EU representative

You should be aware that the EU representative is an entirely separate role from that of the data protection officer (DPO) as mandated by Article 37. They are required to be separate entities due to the potential for a conflict of interest in their duties: your DPO cannot serve as your EU representative and vice versa. The EDPB guidance on this point is clear:

The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer (“DPO”) which would be established in the Union.

Although we won't address the DPO requirements in detail here, in general, you are required to appoint a DPO if you:

  • are a public authority other than a judicial court,

  • regularly and systematically monitor the behavior of data subjects as part of your core activities, or

  • process special categories of data or criminal conviction data on a large scale.

A useful comparison here is the difference between a single physician's office and a hospital. While the former would not be considered a large-scale processing operation, the latter certainly is, and a hospital would be required to appoint a DPO.

Automated decision-making

The two most common forms of automated decision-making we encounter with online businesses are behavioral advertising and fraud protection used by payment processors.

If you rely on either of these technologies or any other method to make automated decisions, you should include a section in your privacy policy that uses simple, understandable terms to explain the rationale behind your choices and how they can impact individuals.

For example, Shopify recommends that stores on their platform include a section in their privacy policy to mention that Shopify's risk and fraud screening might use customers' personal information for automated decision-making.

Legal obligations

In some cases, you may be required to collect certain personal information either due to statutory laws or terms of your contracts with customers. In these cases, since it's unlikely that this obligation will apply to all collected data, you should be specific about the personal data collected due to a legal obligation.


Disclaimer

While I've written this article to be as helpful as possible, it cannot and does not contain legal advice. The legal information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any actions based upon such information, I encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. The use of or reliance on any information contained on this site is solely at your own risk.

If you require legal assistance, I am happy to refer you to an attorney specializing in privacy laws and regulations. You can write to me or schedule time to discuss your specific situation in more detail.