The ICO exists to empower you through information.

Step 2: Describe the processing

Describe the nature of the processing: how will you collect, use, store and delete data? What are the sources of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved? Does your service involve any profiling, automated decision-making, or geolocation elements? What are your plans (if any) for age-assurance? What are your plans (if any) for parental controls?


Helpful hint: You may find it helpful to consult your privacy notice or talk with your Data Protection Officer (DPO) about creating a Record of processing activities (ROPA) which may contain some of the information required for this section. You can see the ICO’s guidance on ROPAs.

How we collect data/sources of data

We collect data in the following ways:

  • Direct interactions with users eg when users create an account, purchase a product either as an account holder or guest, sign up to receive newsletters, contact us with a question or issue.
  • Using automated technologies ie cookies or similar technologies when visitors use the website.
  • From third parties ie from our third-party analytics cookie provider, and from our third-party fraud prevention service providers.

Guidance: Data minimisation helps you protect your users by collecting the minimum amount of personal data you need to provide your services. See Standard 8 of the code – Data minimisation for help in how to meet this standard and give children choices over which elements of their data they wish to activate.

How we use data

Our main use of personal data is to process and fulfil orders made on the website and to deal with customer enquiries. In addition, we carry out limited marketing activity through an email newsletter which users over 13 may sign up for. All email newsletters have an unsubscribe link and all opt-outs are actioned and respected. We do not carry out any behavioural advertising.

We use data for the following purposes:

  • To register users who choose to create an account with us.
  • For financial administration, invoicing, and to process and deliver orders.
  • To manage our relationship with customers (eg responding to questions, complaints, asking users to take a survey).
  • To enable users to participate in competitions, prize draws etc.
  • To administer and protect our business and website (eg system maintenance and support, fixing problems, hosting of data).
  • To deliver website content and contextual advertisements and measure and understand the effectiveness of these.
  • To carry out data analytics to improve our website, products, marketing and customer experience on our website.
  • To recommend products that may be of interest to users by email and contextual advertising.
  • To provide email newsletters to users who have subscribed to this service.
  • To detect and prevent fraudulent transactions (see further information below under the heading “Data sharing”).
  • To verify user identity and provide a secure platform.
  • To comply with regulatory or legal obligations.
  • To enable users to share details of purchases on social media sites.


Helpful hint: You might find it helpful to consult your cookies policy or the cookies section of your privacy notice to assist you in completing information about cookies. You can see further information in the ICO’s guidance on cookies. Attach a copy of your cookies policy with the DPIA.


Our website uses cookies for a range of functions outlined below.

We use essential cookies, which are not subject to the consent requirement, for the following purposes:

  • Account authentication.
  • Tracking user input for functions of the service (eg shopping cart).
  • Security and fraud prevention.
  • Load balancing.
  • Preference cookies for the cookie consent tool.

These are first party cookies set within individual apps and the cookies’ access is restricted by the corresponding app only.

The website also uses cookies or similar technologies for analytics and contextual advertising.

We have put in place a cookie consent tool which explains the cookies we use and requests consent to these. We also have a cookie policy which explains in more detail the types of cookies we use and the purposes we use them for. The consent tool is available at the point of website entry.

Note: Wikipedia defines load balancing as the process of distributing a set of tasks over a set of resources (computing units), with the aim of making their overall processing more efficient. Load balancing can optimize the response time and avoid unevenly overloading some compute nodes while other compute nodes are left idle. 

The website contains links to our social media pages and includes functionality which enables users who have external social media accounts to share details of purchases they make on their social media pages. Visiting the page with the relevant social media plugins on it may result in users' data being collected by the social media company (depending on the user’s browser’s configuration). This includes data such as IP address and a record of which pages users were visiting at the time. The social media features may also set third-party cookies (or other equivalent technologies such as tracking pixels). Social media providers linked to by the site are joint controllers for the processing of this personal data.

The privacy notice on our website states: “We receive information via third parties when you visit our page on social media sites or channels (eg Facebook, Twitter, YouTube, Instagram).”

When a user clicks on a social media link, a pop-up warns that they are leaving the toy shop website. It states: “Your personal data will be processed by the third-party site according to their own privacy policies.” A link to the appropriate social media privacy notice is included in the pop-up.

For information: Article 26 of the UK GDPR states: “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their responsibilities for compliance with the obligations under this Regulation”.

This sample DPIA does not go into detail on the measures The Toy Shop should take to determine the purpose and means of processing for any joint controllers (eg social media sites, data analytics providers). If you are using third-party services that are likely to process personal data, you should talk with them about whether the processing relationship is joint controllership or a controller – processor relationship.

The ICO recommends that ISS consult with their Data Protection Officer, ecommerce site provider, and any joint controllers for details of how to explain joint controller processing in their DPIA.

Storage and deletion

The website is hosted in the UK and all data is stored in the UK.

The business has a retention schedule which specifies storage periods for categories of data which reflect relevant legal requirements and limitation periods applicable to contractual claims. Once retention periods have expired we securely delete data and keep a log of deletions.

Helpful hint: For further information, you can see the ICO’s guidance on storage limitation and data retention. Attach a copy of your records management policies with the DPIA.

Data sharing

Data is shared for routine data processing necessary to safely deliver the service.

Guidance: Data sharing usually means disclosing personal data to third parties outside your organisation. This DPIA outlines how children’s and parents’ data may be shared within the Toy Company, and with external third parties. Standard 9 of the code – Data sharing advises:

“Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.”

Data is shared for routine data processing necessary to safely deliver the service.

A third party payment services provider is used to provide the payment function on the website. This payment services provider acts as a separate data controller, and we do not store payment card data. We make clear in our privacy notice that the payment service provider operates subject to its own privacy notice and tell users to refer to this for details of its processing.

We make use of an e-commerce platform to provide our website. The provider acts as our processor and we have entered into Article 28(3) terms with them. We make use of the e-commerce platform’s fraud prevention service which provides us with risk scores to help us avoid fraudulent transactions. This service is provided by a third party which acts as an independent controller. To make use of this service, certain personal data is transferred to the provider (ie name, phone number, billing and delivery addresses, email address, IP address). This processing is explained in our privacy notice with a link to the provider’s own policy.

Note: The UK GDPR applies to “controllers” and “processors”. A controller determines the purposes and means of processing personal data, while a processor is a third-party company that a controller contracts to process their data.

This paragraph is based on a commercially available e-commerce platform. Such platforms will often list a significant number of processors, and transfers personal data to several countries worldwide. In this simplified sample, we have not included the list of potential processors and joint controllers for the personal data, nor have we included the data processing that is likely to be undertaken. You should consult with your e-commerce platform for more information on the joint controllers and processors of data that you will need to include in your DPIA.


We use a third-party analytics provider to measure user interactions with our website. This is so that we can check the quality and effectiveness of our service and ensure it meets the needs of the user. Our analytics provider uses cookies and similar technologies to collect information about user interactions when they visit the site. This includes data about the user’s device or browser, their on-site activities, and a portion of the user IP address. The provider processes this information on our behalf and uses it to prepare reports for us about how our visitors engage with our website. These reports don't identify the users - they are aggregated information about all our users.

Our analytics provider doesn't use any of this information for their own purposes - they act as our processor and only operate on our instructions. This processing is carried out in the EU.

Note: Some data analytics providers may function as processors and fall within scope of Article 28(3) of the UK GDPR. However, some analytics providers will be joint controllers as a result of the way in which personal data is processed. Where this is the case, the ISS should enter Article 26 terms with them as joint controllers. It is for the ISS to determine the nature of the relationship between it and analytics provider.


Guidance: For further information, see the ICO’s guidance on controllers and processors.

Our cookies policy provides more information about our use of cookies for analytics purposes. Users can opt-in using our cookie control (see cookies section above), and can change their mind at any time.

We use a Captcha provided by a third party which involves the transfer of data about a user’s device to/from the third-party provider. The provider acts as our processor and we have entered into Article 28(3) terms with them.

We share limited data with couriers to enable our products to be delivered to customers. All boxing and labelling of products are done by our company. The courier’s role is only to deliver packages; it does not exercise any control over the purpose for which the personal data in the packages entrusted to it is used and has no control over the personal data entrusted to it. The delivery courier does not operate as a processor.


Guidance: Profiling is defined under Art 4 UK GDPR as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour location or movements”

The Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679 state:

“Broadly speaking, profiling means gathering information about an individual (or group of individuals) and evaluating their characteristics or behaviour patterns in order to place them into a certain category or group, in particular to analyse and/or make predictions about, for example, their:

  • ability to perform a task;
  • interests; or
  • likely behaviour.”

See Standard 12 of the Code – Profiling for guidance on what you should do if you include profiling of children as part of your service:

“Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).”

Profiling is switched off by default for all users. For users consenting to receive our enewsletters, we carry out limited profiling activities to email recommendations of similar products to users based on their order history and browsing activities. We only carry out profiling on users who have consented to the relevant cookies. We only send these emails to users who have opted-in to marketing, or who have not opted-out of marketing when making a previous purchase.

Children under 13 years of age are not given the option to opt into marketing emails, so profiling remains switched off for under 13 users.

No external advertising is offered to users of the service.

Age assurance

Guidance: The Children’s code offers guidance to ISS on how to offer age appropriate online services to children. See Standard 3 of the AADC – Age appropriate application for further information:

“Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.”

You might also find it helpful to review Annex B of the AADC - Age and developmental stages.

We ask users for their year of birth to verify age where we process personal data based on consent. If it is not clear from year of birth if a user is 12 or 13, they are asked for their date of birth. A user cannot make changes to their initial response to the year of birth question from the same IP address. This is relevant to our use of non-strictly necessary cookies and our email newsletter sign up. To sign up to the newsletter, users are first asked to enter their year or birth (and if required, date of birth) as described above, then only able to proceed to signing up if the response to these questions shows they are over 13. Our privacy notice and terms and conditions documents are written in a transparent and easy to understand form so that children can easily understand our age assurance policies. This includes brief pop-up messages at the point when the child answers the age questions and shows that they are under 13 years of age.

All cookies, apart from strictly necessary cookies, are set to off when a user first arrives at the website. On entering the website all users are presented with a cookies consent tool banner written in easy to understand, plain English set at a reading age of 13. When users enter this, they are asked for their year of birth (and if required, date of birth) as explained above.

  • If they are 13 or over, they are presented with the full list of cookies used, grouped by category (strictly necessary, functional, analytical, and marketing) and can consent to the functional, analytical and marketing cookies. Users who are under 13 are presented with the information about the strictly necessary cookies (which are always set to “on”) with a message saying that the other cookies are not used.
  • For these users the sliders for the analytical, functional and marketing cookies are fixed in the “off position” and cannot be changed. Our privacy notice contains details of an email address parents can contact if they become aware that their child has given consent under the age of 13 and we will delete this child’s data.

We have analysed the processing we carry out and do not think that any of our processing presents a risk which would require us to offer parental controls. Online tools such as icons and help buttons enable children to exercise their data protection rights and report concerns. However, as we anticipate young children will use our site, we also allow parents or guardians to contact us with any queries they have about our processing of their child’s personal data, ask us to delete the personal data we have collected in connection with their child’s account from our records, and exercise rights on behalf of their child. We confirm the identity of the adult as the parent or guardian of the child before carrying out any of the above. Our online tools support older children to exercise their rights and contact us independently of their parents.

Helpful hint: You might find it helpful to consult your information/data security policy to assist you in providing information about security measures. For further information, see the ICO’s guidance on security.

Security measures

We use the following security measures on our website:

  • We keep our e-commerce software subscription up to date.
  • We require users who create an account to use a strong password with numbers, capital letters and other characters, and which must be at least 10 characters long.
  • We use SSL protection on our login pages.
  • We use a Captcha function on our “contact us” page.
  • We use a market-leading, reputable web hosting company.
  • We have a policy of regularly deleting any files, databases, or applications from our website that are no longer in use.
  • All data is regularly backed up.
  • We run regular web security scans to check for website and server vulnerabilities.
  • We use a fraud prevention service for purchases made on our site. 


Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover? 


Data processed

  • Identity data: name, username, title, date of birth.
  • Contact data: billing and delivery address, email address, phone number.
  • Financial data: payment card details (processed by a third-party payment services provider and not stored by us/ our website).
  • Transaction data: details of products purchased, amounts, dates etc.
  • Technical data: IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
  • Profile data: username and password, purchases or orders made by users, and their preferences, interests, feedback, and questions as collected through survey responses.
  • Usage data: information about how users use our website, products and services.
  • Marketing and communications data: record of users’ preferences in receiving marketing from us about the products we sell.

Special categories of personal data

We do not process any special category personal data.

Volume of personal data

We anticipate that the website will have around 100,000 users, of which 45% will be children (under 18), and 55% adults using this service.

Retention of data

We have a retention schedule which specifies storage periods for categories of data which reflect relevant legal requirements and limitation periods applicable to contractual claims. Once retention periods have expired we securely delete data and log deletions.

Helpful hint: You might find it helpful to consult your data retention policy or schedule to assist you in describing how you retain data.


Geographical area

The data subjects whose data we process are located in the UK. The website and all personal data is hosted in the UK. The website does not use location services such as IP address geolocation to alter currency for the shopping cart. The site language is UK English and there are no options to change language for visitors from outside the UK.


Describe the context of the processing: what is the nature of your service? Are you designing it for children? If not, are children under 18 likely to access it anyway? What is the likely age range of your users? How much control will they have? Would they understand and expect you to use their data in this way? Does your service use any nudge techniques? Are there prior concerns over similar services or particular security flaws? Is your service novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in, particularly over online risks to children? Are there any relevant industry standards, codes of practice or public guidance in this area? What responsibilities do you have under the applicable equality legislation for England, Scotland, Wales and Northern Ireland? Is there any relevant guidance or research on the development needs, wellbeing or capacity of children in the relevant age range? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? 

The Toy Shop is a new online website selling products for children normally six years and above, supporting children’s rights to play and development. Our website is currently active. It uses a commercially available e-commerce platform.

Nature of service and users

On the website users can search for and learn about our range of products. All users have access to the toy information pages.

The website enables adults and children over 13 with debit cards in their own name to order products. Users aged 13 and above can sign up for newsletters with their email address via an age self-declaration tick box. We use the “soft opt-in” exception to send newsletters to existing customers with user accounts. Users have the option of creating an account or purchasing without registration as a guest.

The website includes a “contact us” function which includes a contact form where users provide name, email, subject and message. This aspect of the service is protected by a third-party’s Captcha service, which involves the use of cookies or similar technologies. Further details of security measures applied to our processing are provided in Step 2 above.

The website retains order history and we undertake limited profiling activities of users based on activity they undertake when logged in to customer accounts. We use this data and data from analytics cookies, to recommend similar products to these users. The website does not feature external advertisements – all adverts are contextual and feature products within our catalogue.

The website contains links to our social media pages and includes functionality which enables users who have external social media accounts to share details of purchases they make on their social media pages. Social media providers linked to by the site are joint controllers for the processing of this personal data.

Helpful hint: You might find it helpful to consult our guidance on Marketing and consent for more information on when soft opt-ins are allowed under data protection.

Users’ expectations

We consider that the above processing will be in-line with users’ expectations. It is clearly explained in our privacy notice, which is written in basic, easy to understand language, and available as an audio file. We carried out readability testing of our privacy notice to confirm that it should be understood by most people over the age of nine.

Most processing outside the core activity of selling products is optional. For example, processing for marketing purposes, processing for the purposes of responding to enquiries, sharing purchases on social media. We do not use data in any unusual ways which we would consider to be outside the expectations of users.

Helpful hint: You should attach copies of all relevant privacy notices and terms and conditions documents for your website with the DPIA. For further information, you can see the ICO’s guidance on privacy notices and access templates.


Describe the purposes of the processing: what do you want to achieve with your service? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly? What are the specific intended benefits for children?


Guidance: The ICO is required to reflect the UK’s obligations under the UNCRC in drafting this code. All the standards of the code relate to the best interest standard See Standard 1 Best interest of the child, which states:

“The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.”
In order to implement this standard you need to consider the needs of child users and work out how you can best support those needs in the design of your online service, when you process their personal data.

Aim of our service

Our aim is to offer an online toyshop which enables us to sell, and customers to buy, toys in an online environment, and to grow our business and customer base. We believe that toys help support children’s right to freedom of association and play. Through providing access to safe and educational toys, we also help protect and support their physical, psychological and emotional development

The specific purposes for which we process personal data are set out in Step 2 under the heading “How we use data”.

Intended effect on individuals

The intended effect on individuals is that they trust our brand and shop in our online store.

Benefits of the processing

The benefits to us of the processing are that it enables us to run our business, market our products and increase our sales. The processing benefits customers, including children, because it enables them to shop for products online, often at cheaper prices that in a physical shop, and be informed via contextual advertising and enewsletter (subject to consent or soft opt-in) about products that they may be interested in.