Section 1 - Policy
1.1 LDA understands that if it operates a website, it may need to update its Privacy Policy to ensure that it is compliant with GDPR. LDA will use this Privacy Policy as a template for its updated version. LDA understands that this Privacy Policy only needs to be uploaded by LDA to its website if it collects personal data via its website. LDA will use the template Fair Processing Notice to inform all other Data Subjects, including Clients, about how LDA processes personal data other than personal data collected via the website.
1.2 LDA understands that the form found within the forms section of the GDPR suite of policies in the QCS management system constitutes the template Privacy Policy. LDA understands that terms in square brackets are optional (depending on whether they apply to LDA or not) or require completion by LDA. LDA will review the Privacy Policy in its entirety to determine which elements are applicable to its website, and which are not relevant.
For example:
• If the template Privacy Policy refers to personal data that is not collected by LDA via its website, LDA will delete references to such personal data
• If the website of LDA does not use cookies, LDA will delete references to cookies and the Cookie Policy at LDA
• If LDA does not transfer personal data outside of the EEA, LDA will delete the section entitled "Where we store your personal data"
• If LDA is not required to appoint a Data Protection Officer, LDA will delete references to the Data Protection Officer or will consider replacing references to the Data Protection Officer with references to the Privacy Officer at LDA or other person nominated to have day-to-day responsibility for data protection and GDPR
• If LDA uses personal data collected via its website in a way that is not described in the Privacy Policy, it will consider incorporating additional sections.
• This Privacy Policy directs users to a webpage with a contact form or contact details if they wish to contact LDA. LDA will consider whether to provide an alternative contact method instead, such as an email address and/or phone number.
• If LDA has any concerns or queries in respect of the template Privacy Policy, it will seek legal advice.
1.3 GDPR has changed the way cookies should be incorporated into websites which means that LDA must explain what cookies will be set and what the cookies will do to the users of its website. LDA must obtain consent from individuals to store certain cookies on devices. Cookies that are not strictly necessary need consent which is GDPR compliant which means that LDA can no longer rely on implied consent. LDA will ensure that it uses a cookie banner on its website to obtain consent to the use of cookies in line with this policy and that if no consent is obtained, no cookies will be set.
1.4 LDA must, therefore, update its processes for collecting consent for cookies. In practice, this means:
• Users must take a clear and positive action to consent to non-essential cookies
• The websites and apps of LDA must tell users clearly what cookies will be set and what they do, including any third-party cookies
• Pre-ticked boxes or any equivalents, such as sliders defaulted to “on”, cannot be used for non- essential cookies.
• The users at LDA must have control over any non-essential cookies
• Non-essential cookies must not be set on landing pages before you gain the user’s consent. Consent is not required for cookies that are defined as “strictly necessary” or that fall within the communication exemption. “Strictly necessary” cookies are those that are essential to providing the service requested by the user. Such cookies must be essential to fulfil their request. Those that are simply helpful or convenient, but not essential, or that are essential for the purposes of LDA, will still require consent. The communication exemption is about the transmission of a communication over an electronic communications network. For the exemption to apply, the transmission of the communication must be impossible without the use of the cookie. Simply using a cookie to assist the communication is insufficient for the exemption to apply.
LDA must note, in particular, that cookies used for analytical purposes or those used for marketing and advertising will always need consent as they are considered to be non-essential.
This guidance may change as the latest draft legislation is subject to some challenges on this point. LDA must read the ICO’s cookie guidance available at: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/ for further information on the types of cookie that require consent.
Section 2 – Procedure
2.1 LDA will consider whether or not it collects personal data via its website (for example, via enquiry forms, requests to be sent newsletters, requests for provision of services) and whether it needs a Privacy Policy. LDA acknowledges that the use of cookies constitutes processing of personal data via the website.
2.2 LDA will review the template Privacy Policy. LDA will adapt the Privacy Policy before uploading it to its website to ensure that all aspects of the Privacy Policy are relevant and reflect the ways in which LDA processes personal data collected via its website. Where LDA has any concerns or queries in relation to its own Privacy Statement, LDA will seek legal advice.
2.3 LDA will use the template Fair Processing Notice to inform all other Data Subjects, including Clients, about how LDA processes personal data other than personal data collected via the website.