General Privacy Policy (Notice) – short form

What is a general privacy policy (notice) – short form – and when should you use it?

 

Under the GDPR you must keep individuals informed about your use of their personal data and about their legal rights relating to that data.

Such information is commonly provided on websites by means of Privacy Policies or Privacy Statements.

What happens, though, if you want to do business offline?

The GDPR and its information requirements apply whenever you are using personal data.

It doesn’t matter whether you’re collecting it, using it, or storing it on a website, in the cloud, on paper, or wherever.

If it’s personal data, it’s covered.

This policy is different to a website privacy policy.

It is designed for use in situations where data is being collected somewhere other than your website.

This is our short-form general privacy notice.

If you want a more detailed policy, check out our standard general privacy policy.

This notice informs individuals (with whom you may do business or interact in a business environment) about how you collect, handle, store and potentially also share their personal data, as well as the rights that they have in relation to your activities, under Ireland’s data protection law.

Privacy notices can be referred to as lots of different things, including a fair processing notice.

The GDPR has a specific list of the information that must be given to individuals relating to the processing of their personal data.

If you want a privacy notice for your website (which should also display one), then you should use our website privacy notice template.

You should also have a privacy notice for your employees, explaining to them how you handle their personal data.

You can use our data privacy notice for employees template for these purposes.

 

What else might you need?

 

Before you draft your privacy notice, you should undertake a data mapping (or data audit) exercise in order to establish all the types of data which you hold, why you use them, the legal basis for using them and details of when that personal data is shared with other people or organisations.

For more information on data mapping/auditing, take a look at our guide what the GDPR means for your small business.

Our 14-point GDPR checklist, which accompanies it, is also very useful.

If you are or will be the data controller of the personal data and you are collecting data from the individual directly, then the privacy notice (or the information contained in it) should be given to the individual at the point of collection.

This is so that they can understand how their data will be used, etc., before giving it to you.

If you are or will be the data controller of the personal data and you have obtained personal data from a third party (i.e. not directly from the individual themselves) then, subject to certain exceptions under GDPR, you should provide your privacy notice to the individual (unless you have arrangements in place for the third party to do this on your behalf) at the earliest of the following:

  1. Within a reasonable period of receiving the data (and no later than one month);
  2. If you use the data to communicate with the individual, then no later than the first communication;
  3. If you are going to disclose the personal information to someone else, then before disclosure occurs.

You don’t necessarily have to give a hard copy of the privacy notice to individuals, but you must make them aware of it and give them an easy way to access it (e.g. they can email you to be sent a copy, or they can access it from your website).

You should consider the way you collect the data from the individual and how you communicate with them in order to come up with a sensible way of providing them with a privacy notice.

For example, if your business is online, then providing that privacy notice online would be sensible.

You also need to think about the layout of your privacy notice, especially if it is online.

GDPR requires privacy notices to be transparent, easily understandable and concise.

If you have the technology available, it may be best to adopt one or more of the following techniques to make the privacy notice more friendly:

  1. ‘Layered approach’ – this is where you provide short notices with key information with the ability for the individual to click a button to get more detailed information;
  2. ‘Dashboards’ – these are usually within an online account to allow individuals to manage their personal data;
  3. ‘Just-in-time’ notices – these are focused notices that give privacy information at the time the individual pieces of information are collected;
  4. Icons – used to signify that personal information is being provided and that some data-processing will happen to that personal information onc

 

Appointing a data protection officer

 

See our guide Do I Need A Data Protection Officer (DPO)? to ascertain whether you do need to appoint one or not.

Even if you don’t appoint a data protection officer, you should provide details here about the person responsible for data protection at your company.

That person will be the first point of contact for anyone who has any questions/queries/requests in relation to data protection.

You should choose the options as appropriate.

Multiple privacy notices are quite normal

You may have different notices for different aspects of your business.

For example, you may have a privacy notice that is aimed at your employees (which will include very different information to a privacy notice that is aimed at e.g. your customers).

We have a data privacy notice for employees.

You should also consider whether it is better to provide shorter privacy notices that are tailored to the specific circumstances.

For example, if you have a sign-up option for a marketing list, then you may have a shorter privacy notice that just deals with the data privacy elements of your marketing activities.

You may also have a separate website privacy notice, which includes details about how your website will collect data e.g. by cookies, etc.

 

Dating the notice, and keeping it up to date

 

You should insert the date on which the privacy notice is finalised.

If in the future you make any amendments to the privacy notice, then the date will need to be amended.

You should keep all versions of the privacy notice in case anything arises in the future.

If you add any new purposes for which you process personal data (see below for more details) you will need to inform the individuals affected by this before you begin that purpose.
