Home  -  Privacy

Privacy Notice and Consent template guidance

How should I use my private notice and consent template?

This document includes a series of templates your company can use to develop your own privacy statement and consent collection notice.

Will I need to update my due diligence checklist?

Yes. Your company is obligated under GDPR to display a privacy statement. You should review this checklist at least every 3 months and amend as necessary to ensure your company is complying with GDPR.

Privacy notice template

Your privacy notice is considered one of the most complex but crucial aspects of GDPR compliance. To help you to better understand your privacy notice and obligations under GDPR, we’ve broken this guidance document down into two sections:

A. General guidance

Under GDPR, your company must provide explicit privacy information to any and all data subjects. These privacy statement stipulations are more specific and contain stronger specifications than what was previously expected of UK companies under the Data Protection Act 1998.

First and foremost, it’s worth noting a privacy statement absolutely must be supplied by your company to any relevant individual at the point in time that they provide to you or submit their personal data. More important still, the statement that your company provides those individuals with must be:

Please note that additional rules are required if your privacy statement is designed for and/or directed at children.

To help you develop your privacy statement that complies with all of your GDPR obligations, we’ve compiled the following guidance sections.

Name and details of Data Controller

You must identify the name and contact details of the relevant data controller within your privacy statement. Here is an example of how your company may wish to outline these details:

[eric francois] is the designated data controller for [Psychedelic Soul Sound Limited and committed to upholding our commitments to protect the rights of individuals under legislation outlined within the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

Name and details of data protection officer

You must identify the name and contact details of the relevant data protection officer within your privacy statement. Here is an example of how your company may wish to outline these details:

[Psychedelic Soul Sound Limited] has an appointed data protection officer [eric francois] to assist us in upholding our commitment to individual rights. Our data protection officer can be contacted both through our website [], as well as by post [71-75 Shelton street Covent Garden London WC2H 9JQ].

Description of the data being collected

Your company must explicitly describe the personal data you are collecting, storing or processing.

As a reminder, GDPR defines ‘personal data’ as being any type of information that includes an individual’s:

The aforementioned data types should also be applied to include any personal data surrounding employees, students or other stakeholders and clients.

This data includes:

There are also special categories of personal data called sensitive personal data. This type of data generally includes information like:

Sensitive data

Sensitive dataIf your company collects sensitive data, your privacy statement must explicitly outline what information you are collecting, where you are going to store it and how you are going to store it.

Here is an example of how privacy statement must address this responsibility:

Psychedelic Soul Sound Limited must collect the following sensitive data about you so that we can deliver [INSERT REASON FOR PROCESSING]:
[Psychedelic Soul Sound Limited] needs your explicit consent for processing this sensitive data. We must request your signature for this consent.

If your company does not collect sensitive data, you should state this within your privacy statement instead.

The age of consent for children

GDPR defines the point at which an individual is no longer considered a child is 16 years of age. That being said, GDPR empowers all EU member states to amend this age to either 13, 14 or 15 years old at their own discretion.

Bearing this in mind, data controllers are required to be aware of the age of consent in concerned member states. They are not permitted to seek consent from any individual under the specified age of consent within that individual member state.

If your company needs to obtain consent to collect, store or process the data of a child, you are permitted only to obtain consent to collect, store or process that data from an individual who holds parental responsibility for the concerned child. Your company must subsequently make reasonable efforts to verify the individual granting consent on the behalf of a child actually does hold parental responsibilities.

Privacy statements for children

If your company is offering services directly to a child, then relevant data controllers within your company must do everything they can to ensure that your company’s privacy statements are written in a comprehensive and plain fashion that a child will be able to understand.

Online services being offered to children

The vast majority of consent requests your company will likely be required to collect, will be in relation to the provision of online services. Examples of online services could include provisions such as:

The aforementioned rules in relation to the age of consent and corresponding privacy statements apply to most online services being offered. One exception to this is if your company is processing data relating to preventative or counselling services being offered directly to a child. Under such a circumstance, you do not need to seek consent from a parental figure.

Why data is processed

Your company must outline all of the reasons for processing data. Examples of processing reasons might include:

You must state in your privacy policy any situations in which automatic decisions or actions are made within your company in relation to data.

Your company should also include a broad description of the ways in which you plan to use personal data, and the legal grounds supporting your ability to do so.

Furthermore, your privacy statement should also include a line similar to the following:

“[Psychedelic Soul Sound Limited] only uses personal data for the reasons in which we have collected. We will only ever use your personal data for another reason if we reasonably consider another purpose in which to use that data which is compatible with the original reason in which the data was collected.
If we are required to make such a decision, we will always notify you. We may also at times be required by law to process your personal data without your knowledge.
To find out more about the reasoning behind any decision [Psychedelic Soul Sound Limited] has made to process your data for a new purpose, get in touch.”

If your company plans on using personal data for marketing purposes, you must explicitly say so. An example of how you may wish to convey this within your privacy statement could include:

“You may receive marketing communications from [Psychedelic Soul Sound Limited] if you have

  • • Requested information from us
  • • Purchased goods or services from us
  • • Provided us with explicit consent for us to send you marketing communications
  • • Not opted out of receiving marketing communications

We will always ask for your consent before we share your personal data with any third-parties. You can ask us or any relevant third-parties to cease sending you marketing communications at any time, by emailing us. You should send relevant requests to []
Please note that if you opt out of receiving marketing communications from [Psychedelic Soul Sound Limited], your personal data may still be retained as it relates to the provision or purchase of a product and/or service, warranty registration or other transactions.

Legal basis for processing personal data

To comply with your legal responsibilities under GDPR, your company must identify the lawful basis upon which you are processing an individual’s personal data.

You must satisfy at least one condition under Article 6 of GDPR if you are processing personal data. If you are processing special category data, you must satisfy at least one condition under both Article 6 and Article 9.

Relevant conditions of these articles are outlined below:

Article 6: Personal Data Article 9: Special Categories
Individual has given consent Individual given explicit consent
Processing is required for delivery of contract Processing is required to carry out obligations of controller or employment
Processing is required for legal compliance Processing is required to protect vital interests of individual unable to provide consent
Processing is required to protect vital interests of the individual Processing is required for legitimate activities by a foundation, association or any other non-profit with a political, philosophical, religious or trade union aim
Processing is required for a task that is in the public interest Processing relates to personal data that has already been made publicly available by the individual
Processing is required for legitimate interests by controller or third party Processing required to establish, exercise or defend against legal claims
Processing is required for reasons of substantial public interest
Processing is required for occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of treatment or the management of health or social care systems
Processing is required for reasons of public interest in public health
Processing is required for achieving aims that are in the public interest or for scientific, historical or statistical purposes

If your company would like to utilise the legitimate interest’s basis, you must satisfy the following requirements:

Your company cannot rely on the legitimate interest’s basis in situations where the processing is unwarranted or has a prejudicial effect on an individual’s rights or freedoms, as well as the legitimate interests of the individual. If your company’s legitimate interests clash with those of the data subject, it is the legitimate interests of the data subject that will ordinarily be given precedence.

For every type of personal data you process, you should provide a description of the ways you intend to use this data, and the legal grounds for doing so. You should also explain the legitimate interests you have to process this data, where relevant. An example of holding this information is as follows:

Action Data/Information type Legal grounds for processing
Processing the delivery of products or services ordered, and actively managing the payments and debt recovery processes
  • (1) Personal identifiable information
  • (2) Contact information
  • (3) Financial information
  • (1) To complete the contractual agreement
  • (2) Required for our legitimate interest of recovering any funds owed to us after the delivery of products or provision of services
Updating customers on any amendments to our terms and conditions or privacy policy
  • (1) Personal identifiable information
  • (2) Contact information
  • (1) To complete the contractual agreement
  • (2) Required to satisfy legal requirements
Registering a new customer
  • (1) Personal identifiable information
  • (2) Contact information
  • (1) To complete the contractual agreement
Protecting our business and websites by performing website tests, applying security updates, assessing any cybersecurity threats and analysing our databases
  • (1) Personal identifiable information
  • (2) Contact information
  • (3) Website and Technical information
  • (1) Required to satisfy legal requirements
  • (2) Required for our legitimate interest of protecting our websites and business from malicious usage, to prevent cybercrime, complete technical website audits and increase our network security
Emailing customers to request feedback or participation in a prize draw
  • (1) Personal identifiable information
  • (2) Contact information
  • (3) Product usage information
  • (4) Marketing information
  • (1) To complete the contractual agreement
  • (2) Required to satisfy legal requirements
  • (3) Required for our legitimate interest of studying how customers interact with our products and services offered, and how these can be further enhanced

The Data Recipients

Your company needs to explicitly state all of the recipients of data, as well as all of the recipients of categories of data. For the purposes of your company’s privacy statement, a recipient can be actively defined as a natural or legal individual, public authority, agency or any other organisation to which personal data is submitted. This includes organisations that are third-parties, as well as subservient organisations within your company.

An example of the type of messaging you may wish to include in your privacy statement could run along the following lines:

“[Psychedelic Soul Sound Limited] may be required to share your personal data with carefully selected third-parties for the identified processing purposes. These third parties may include:

  • A. IT or system administration services providers
  • B. Professionals providing banking, legal, accounting, consultancy and/or insurance services.
  • C. Government regulators based in the United Kingdom and other relevant jurisdictions
  • D. HM Revenue & Customs
  • F. Any existing or future third parties to which [Psychedelic Soul Sound Limited] may sell, transfer or merge aspects of our business or assets

All third parties to which we transfer data are required to respect your personal data, keep it secure and process it only for the specified purposes for which it has been collected. Third parties will only ever receive or process your data with our explicit permission.

Data transfers to countries outside the EU

If your company plans to transfer personal data to outside the EU, you must specify why that transfer is necessary, where the data will be transferred and to whom it will be transferred.

Data Retention Periods

Your company must state a specific retention period for which personal data will be stored. If it is not possible to share an explicit retention period, you must share the criteria that will be used to determine any retention period.

Automated decision-making processes

If your company will use data as part of an automated decision-making process, you must state the existence of those processes, the logic involved, and any consequences associated with those processes as they relate to personal data.

Where/how data is collected

In instances in which your company has not obtained personal data from the data subject directly, you must cite who this data was obtained from.

Individual rights

Your company has an obligation to inform individuals about their rights under GDPR. This includes their right to access and port data, their right to rectify incorrect data, restrict use, object to processing or withdraw consent.

An example of how your company may wish to explain this within your own privacy statement could run as follows:

“[Psychedelic Soul Sound Limited] respects your rights. We fully observe your right to access your personal data, to object to the processing of personal data, or to erase, restrict, rectify or port your personal data. Relevant requests can be made to [Eric Francois].”

“Visit us online at [] for further details relating to your individual rights.”

Information security

If you collect, store or process personal data, you must explain the security measures your company has in place to protect that data.

An example of how your company may wish to explain this within your own privacy statement could run as follows:

“[Psychedelic Soul Sound Limited] has implemented a series of security measures to make sure that your personal data is protected from accidental loss, unauthorised access, alteration or disclosure. [Psychedelic Soul Sound Limited] limits access to your data only to those employees, agents, contractors or other third parties with a legitimate reason to access that information. Those individuals or organisations will only ever process or access your personal data upon our explicit instructions. They are subject to a duty of confidentiality.”


You must provide individuals with a complaints procedure if they are not content with the way in which their personal data has been collected, stored or processed.

An example of how your company may wish to explain this within your own privacy statement could run as follows:

If you are not happy with how your personal data has been processed, you should contact [Psychedelic Soul Sound Limited] in the first instance by using the contact details listed above. If [eric francois] is unable to satisfy your concerns, you have the right to apply to the Information Commissioner’s Office for a resolution

You can contact the Information Commissioner’s Office at the following address:

B. Privacy notice template

Please note the following privacy notice is a template only. Particular sections of this template may or may not apply to your business, and you may be required to add new sections, statements or information based upon your own unique company needs or data requirements.

Frequently asked questions

Who is using my data? [COMPANY NAME]
What is my data being used for? [Psychedelic Soul Sound Limited] stores and processes data to help us maintain your account, process and store transaction details, offer customer support, send system updates and send offer details.
What will happen to my data? [Psychedelic Soul Sound Limited] may use your data to send you information, updates and offers we think you’ll be interested in.
What data will be kept and stored? [Psychedelic Soul Sound Limited] stores registration details, transaction details, usage information and any information about your web preferences on our website.
What data will be shared with others? We only share your data with regulators or government bodies if requested.
How long will my data be kept for? [Psychedelic Soul Sound Limited] will store your data for a period of [RETENTION PERIOD] after your last attempted login. After this period, your account will be deleted. You can request your account to be delete at any time.
Who will be able to access my data? [Psychedelic Soul Sound Limited] will never sell or share your data to any third-party, unless you grant us your explicit permission to do so.
How will my data be kept and made secure? [Psychedelic Soul Sound Limited] stores your data on secure servers that are based in the UK. Data is processed in the UK, and we use standard industry security protocols.

Privacy Notice

[Psychedelic Soul Sound Limited] takes your privacy seriously. That is why we will only use your personal information to provide you with the products and services you have requested, as well as to administer your account. We will not sell or share your information with third-parties you grant us explicit permission to do so, and we will never use your personal data for any reason other than the reasons described within this policy.

About our privacy policy

Our privacy policy outlines your relationship with our company and explains in detail how we use the information that you provide us with.


[Psychedelic Soul Sound Limited] is the trading name of [Psychedelic Soul Sound Limited], which is registered in [UNITED KINGDOM] and registered with the UK’s Information Commissioner’s Office under the Data Protection Act 2018. Our data controller is [Eric Francois], and we encourage you to get in touch with any questions you may have about [Psychedelic Soul Sound Limited].

You can reach us by:

Changing your preferences

If you’d like to change your web, contact or marketing preferences, you can do so at any time. Simply contact us at [] to request the necessary amendments.

How we do business

[Psychedelic Soul Sound Limited] is committed to upholding and maintaining your personal rights. We operate our business in-line with the European Union’s General Data Protection Regulation and observe your rights to change or withdraw your opt-in options at any time. As part of our ongoing commitment to uphold your rights, [Psychedelic Soul Sound Limited] will also extend advice on how you can issue formal complaints to relevant authorities, such as the Information Commissioner’s Office.

Sensitive data

[Psychedelic Soul Sound Limited] does not collect any sensitive data about you. Sensitive data refers to (but is not limited to) information about your race or ethnic background, religious or political affiliations, trade union affiliations, sexual orientation, criminal background or health background.

Who our privacy policy applies to

This privacy policy has been developed to inform users of [Psychedelic Soul Sound Limited] how we use their data. [Psychedelic Soul Sound Limited] is a [Radio Music Djs], and we need to process the data of individuals to offer our products and/or services. Bearing that in mind, our privacy policy applies to any and all individuals registered with us as a user, customer, administrator or in any other capacity.

What information this policy applies to

There is a lawful basis for processing your data, and this section of our privacy policy outlines how this applies to the personal information you provide us with or allow us to collect.

The information this policy applies to includes information that you:

This policy also applies to information that we:


Please note that when you submit personal data on our website, you are giving [Psychedelic Soul Sound Limited] your explicit consent that we can use that data in line with our privacy policy.


After giving [Psychedelic Soul Sound Limited] your consent, you are free to amend your consent or withdraw your consent at any time. You have the right to object to the processing of your data. To opt-out, change your preferences or revoke your consent, simply contact us by emailing [].

Data processing and storage

[Psychedelic Soul Sound Limited] collects and stores data in the UK. We will store your data for a period of [RETENTION PERIOD] after your last recorded login attempt unless otherwise noted and explicitly stated.

Psychedelic Soul Sound Limited [] stores data relating to transactions, payments and orders for a period of up to seven years. This period may be extended under certain circumstances as part of our ongoing commitment to comply with UK and international law.

We use carefully selected and recognised third-parties to help us take payments, provide commerce services and manage company accounts. Some of these third-parties may operate outside the European Union.

[Psychedelic Soul Sound Limited] may process your data based on more than one legal ground.

Circumstances under which we may be required to process your data under more than one legal ground may include:

Reason Data type Legal basis
Customer registration Identity and contact information To carry out a contract we’ve made with you
Processing and/or delivering your order/td> Identity, contact information, financial information, financial and transactional data To carry out a contract we’ve made with you and to exercise our legitimate interests to recover debts owed
To manage our customer relationship with you Identity, contact information, marketing and communications preferences To carry out a contract we’ve made with you, to comply with legal obligations and to exercise our legitimate interests to keep our records updated

Marketing and communications

[Psychedelic Soul Sound Limited] may send you marketing communications if you have given us your contact details and opted-in to marketing communications.

You can opt-out of these marketing communications and manage your preferences at any time.

Our company obligations

As a data controller, Psychedelic Soul Sound Limited [] is legally responsible for the data you provide us with. In honouring that responsibility, we pledge to uphold our commitments under GDPR and the Data Protection Act 2018.

We will only ever use your data:

In addition, [Psychedelic Soul Sound Limited] processes the personal data you submit to us or we collect as a data processor. As part of this role, [Psychedelic Soul Sound Limited] takes all necessary precautions to secure the personal data we collect, process and store.

We may occasionally use the data you provide us with for marketing, relationship management or account management activities. These activities are designed to ensure you have adequate information about other products and/or services we offer, that we have reason to believe you may be interested in. You have the right to opt-out of these activities at any time.


[Psychedelic Soul Sound Limited] never shares your personal data with third-parties unless those parties have been explicitly mentioned within our privacy statement.

Our security

As part of our ongoing commitment to GDPR, [Psychedelic Soul Sound Limited] will report any security breaches or attempted breaches to the relevant authorities within 24 hours. We will subsequently contact all those affected by the breach within 72 hours of its occurrence.

Legitimate interests

As part of the Data Protection Act 2018, [Psychedelic Soul Sound Limited] observes the right to share selected information with third-parties that use data for non-marketing purposes. This could include (but is not limited to) organisations that provide credit assessments, identification services and fraud prevention activities.

Contact us

[Psychedelic Soul Sound Limited] is committed to upholding your rights. If you have any questions, comments or concerns about this privacy policy or wish to exercise your rights in relation to your personal data, please contact [eric francois] at [Psychedelic Soul Sound Limited].

We will process any request within 20 days. Subject Access Requests are normally performed free of charge, but we may need to charge individuals for excessive or unreasonable data requests.