Web design for business and holiday property websites in the UK and Europe

GDPR privacy policy template

The laws concerning data protection changed significantly in Europe when the GDPR (General Data Protection Regulation) came into force on 25 May 2018. For an overview and details of the UK GDPR see here: The official ico.org.uk. For the full 288 pages see the offical Guide to the General Data Protection Regulation (GDPR).

The Information Commissioner's Office in the UK underlines the seriousness of the issues here by saying the following: "Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher." !!!!!!!! (Source)

Points worth highlighting seem to be these:

1. The privacy policy must be easy to find.

2. All privacy information must be clearly written and easy to understand (no legalese).

3. The policy must be very clear about what data is being collected, how and why, and what the legal bases for that data collection are.

N.B. The policy displayed on your website needs to cover ALL the personal data-gathering that occurs in your business. It does not just refer to what happens on the website. Do you use CCTV around your properties? If so, you need to mention that.

4. Data collection must be minimal (i.e. only collecting the bare minimum to pursue your legally valid purposes), and that should be stated in the privacy policy.

5. If data is being obtained somewhere for non-obvious purposes, people must be notified then and there, and positive consent must be sought (e.g. instead of automatically adding the details of mere enquirers to a mailing list, consent for that must be sought on the contact form with a clear indication of what exactly the person is consenting to).

This includes the ubiquitous Google Analytics and its notorious tracking cookies. The law requires you to have a banner/popup asking visitors if they want to be tracked before you start tracking them by loading the Analytics code, and they must have the option to reject tracking.

6. Someone must be responsible for data handling, and that person must be clearly identified in the privacy policy as the Data Protection Officer.

7. Any sharing of data with third parties must be described and it must be clear that these third parties are contractually obliged to ensure the security of the data shared.

8. There must be information about the person's rights (especially the rights to access - free of charge - and to rectification, the right to withdraw consent, the right to erasure - the "right to be forgotten" - and the right to be notified of any data breach within 72 hours).

9. You are supposed to have procedures in place to maximise the security of data stored on your system.

10. You must also have procedures in place to delete data when there is no longer a good reason for retaining it.

Disclaimer: Handcrafted Websites claims no expertise in the area, but we have read what seems to be enough of the official information and advice to compile the following template for an updated privacy policy which we believe to be compliant with the requirements of the GDPR legislation. The privacy policy template is intended for UK businesses, such as holiday accommodation providers, that primarily collect data via contact forms, online bookings, mailing list sign-up forms, and via cookies. However, do consult the official guidance yourself and only take what follows as a non-authoritative suggestion based on research that may or may not be sufficient.

You are free to copy this policy and complete it with your business details, but you need to read it carefully and add to the sections that list what data is collected and what is done with it, or delete items. If, for instance, you use CCTV, you must list that and then say what you do with the recorded material and say it will be deleted in a timely fashion. You must ensure that the policy accurately reflects what information you collect and what you do with it.

A note about cookies: Current regulations continue to require you to provide information about what cookies are being used on your website and what you are using them for. If you want to check for yourself what cookies are being used on your site, one easy way to do that is to install a browser extension. The Firefox browser, for instance, has an extension called Cookie Editor. That puts an icon in your toolbar, and if you click that when viewing your site, you see a list of the cookies being used.

To save a copy of the template that has HTML tags (so it is ready to be pasted into a web page) click the download button below. After saving the file, open it in the simplest possible text editor - something like the Bluefish Editor for Windows. You can either edit the text there or select it all, copy it, and paste it into the content area of the resource for your privacy page in your website's content management system (CMS). Before you paste it in, make sure you untick the Toggle Editor box shown below.

CMS toggle editor

Once the text with the HTML tags has been pasted in, click the Toggle Editor box again to put the tick in it and re-activate the rich text editor, which will hide the tags and enable you to edit the text without worrying about them.

Click the button below to download the template.

GDPR Template Download

Website privacy policy template

Last updated [date].

This privacy notice for [business name] describes how and why we might collect, store, use, and/or share your information when you use our services, such as when you: visit our website, contact us, book with us and stay here.


We do not collect sensitive information, and we do not knowingly collect information from people less than 18 years old. The information that we do collect is as follows:

Identity data: first name, last name, marital status, date of birth, gender and images.

Contact data: postal and billing addresses, email addresses and telephone numbers.

CCTV data; data gathered by closed circuit television, automatic number plate recognition and other surveillance technologies installed at the property and operated purely for security purposes.

Transaction data: details about services you have purchased from us or your visits to our premises.

Financial data: includes bank account and payment card details.

Technical data: includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

Profile data: includes purchases or orders made by you, your interests, preferences (including details about your personal likes and dislikes as identified during your visits to our premises), feedback and survey responses.

Marketing data: includes your preferences in receiving marketing from us.

In all cases, the data collected is only the minimum required to conduct our business in a way that has a valid legal basis (see below).


We process your information to provide, improve, and administer our services, communicate with you, to arrange payment for our services, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

Technical data that is automatically collected may be used by us to analyse how the website is being found and used, and to evaluate the effectiveness of our marketing campaigns. It is not used by us to build a personal profile.


Although we do not use automatically collected visitor data to build a personal profile on you or identify you personally, Google, which provides the analytics service that collects the data, will do this. If you are logged into a Google account on your device, it will associate your data with the identity details that you have given to Google. What is done with that data will depend on the preferences you have expressed in the privacy settings of your Google account. If you are not logged into a Google account, the data will be associated with a unique identifier given to your browser or device.

For further details about how Google uses your data please see Google's privacy policy and this statement about Google Analytics Privacy.


The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we will always rely on one of the following legal bases to collect and process your personal information:

Consent. We may process your information if you have given us permission (i.e. consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.

Performance of a contract. We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our services or at your request prior to entering into a contract with you.

Legitimate interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:
Analyse how our services are used so we can improve them to engage and retain users
Evaluate our marketing activities

Legal obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.

Vital interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.


We may share your data with third-party vendors, service providers, contractors, or agents ('third parties') who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. They commit to protect the data they hold on our behalf. The categories of third parties we may share personal information with are as follows:
Data Analytics Services
Payment Processors.

We do not sell your data to third parties or allow third parties to contact you without your permission.

We may also need to share your personal information in the following situations:
Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.


A cookie is a small file that might be placed on a computer or similar device when you visit or interact with a website. We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information about visitors to our website.

The following table indicates which cookies we are using and what they do.

Google Analytics_utma
These cookies are used to collect information about how visitors find and use our site, which we use to help improve it.
Cookie warningcc_cookie_acceptThis simply stores your acceptance of the warning about cookies on the website home page.

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to reject cookies or install a browser extension to reject cookies. Your browser will also have a tool to remove cookies that have already been set. If you choose to remove cookies or reject cookies, this could affect the functionality of parts of our website. To opt out of interest-based advertising by Google, see the privacy preferences in the settings of your Google account.


We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.


We are legally obliged to ensure that the information we have on record is accurate and up to date. If your details have changed since we were last in touch with you, you are kindly requested to notify us of the new details so we can update our records.


We have implemented appropriate and reasonable technical and organisational security measures to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our services is at your own risk. You should only access the services within a secure environment.


If we hold records of your personal data and we become aware of a data breach, we will endeavour to inform you of this within 72 hours.


In the European Economic Area (EEA) and the United Kingdom (UK), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by using the contact details provided below to contact us. We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the UK and you believe we are unlawfully processing your personal information, you also have the right to complain to the Information Commissioner's Office. You can find their contact details here: https://ico.org.uk/make-a-complaint/.

If you are located in the EU and want to make a complaint, see this list of European Data Protection Supervisors.

If you are located in Switzerland, here are the contact details of the Data Protection Commissioner.

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us using the contact details provided below.

However, please note that this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal information where there are lawful grounds other than consent.


If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO), [name of person responsible for data practices - note you are legally obliged to name who is responsible], by email at [your business email address], or by post to:

[postal address]


Professional service at a fair price. What you see is what you get - no hidden extras and lots of flexibility.

Penywaun House

Professional, affordable and fast, with exceptional support and impressive knowledge. Any queries are answered and dealt with quickly and solutions always found. Our website was up and running within days - it looks great and generates lots of enquiries! We are so pleased we found them and highly recommend them.

Teal Cottage

Need web design advice or a quote? Email us or use our contact form.

Contact form


Follow Handcrafted Websites

Follow Handcrafted Websites Follow Handcrafted Websites

© 2023  Handcrafted Websites, Hall Hills, Raughtonhead, Dalston, Cumbria, CA5 7AN, UK ― | ― Web design for business and holiday property (cottage, villa, guest house, holiday home) websites in the UK and Europe
Privacy & Cookie Policy

To top