How to write a meaningful privacy notice. Part Two

By Tony Marshall

part two of three

Please pay attention and be responsible with data.

By using US based companies such as Shopify, Facebook, Google, Microsoft, Klaviyo etc. you will essentially be transferring data to the US or allowing their US parent companies access to the data, even if stored within the UK/EEA. So please do pay attention.

This has become an extremely important point, certainly all the more so recently. I won’t go into too much detail, but you can read more HERE and HERE if you choose to do so. Suffice to say, you need to be careful when transferring data to the US or a country outside of the UK/EEA.

Most of the big players will automatically update their terms and include the new contract clauses to allow the transfer but it is worth checking in with any third parties you use and confirm if data is transferred outside of the UK/EEA. If so, they have they adopted the new standard contractual clauses?

In the spirit of keeping things simple you could choose to add something like this:

Where is your data stored?

Like most companies vvast utilises 3rd parties to provide services to our brand and their consumers and to store data. A list of the 3rd parties who process personal data is listed below.
These 3rd parties will be based in the UK, EEA and in some cases outside of both the UK and EEA.
vvast conducts thorough reviews of all its 3rd parties including data protection agreements, where possible to ensure that every possible safeguard is in place and that the data is secure. Should there be a possibility that data would be exposed to a high level of risk of a Data Protection Impact Assessment will be completed and will be available upon request.

Third Parties

It is crucial that you inform your customers who their data is being shared with. I see lots of notices that claim something like ‘we never share your data unless required to by law’. This statement is simply nonsense for 99.9% of worldwide companies because in the digital age, data is shared with and, or stored on, multiple platforms.

If your website is built on Shopify, Shopify gathers the data of every one of your customers when they provide their data to you as part of a transaction.

You only need to include the third parties who you share personal data with in this section, no need to share every contact detail. The name of third party and a brief description are sufficient. 

How long do you keep the data?

Tell people how long you will keep their data for and, or when you schedule data reviews. Really simple, if you keep data for three years, no problem, just make sure you have a rationale and that you can justify it. 

There are some legal requirements to store certain pieces of data longer than others but if we are talking about website customers who have purchased a product then a review every one to three years will be sufficient.


Include the details of what cookies are present on your website. If you don’t know then there are loads of free cookie trackers you can use to tell you, just Google them.


Inform people what you would do in the event of a breach of their data.

Something like this:


Should a breach of your data occur that is likely to result in the harm to the rights and freedoms on an individual or group of individuals vvast will notify those involved within 72 hours along with the ICO, where applicable.