GDPR Compliance Statement Example for Your Website
See a GDPR compliance statement example with required clauses, legal bases, and step-by-step instructions for building your own.
A GDPR compliance statement example gives you a concrete starting point for one of the most important pages on your website. If your site collects any personal data from visitors in the European Economic Area, you need a clear, legally accurate statement explaining what you do with that data and why.
This article is educational content, not legal advice. Every business has unique processing activities, so consult a qualified attorney to review your final statement before publishing.
What a GDPR Compliance Statement Must Include
A GDPR compliance statement is a transparency document required under Articles 13 and 14 of the General Data Protection Regulation. It tells visitors who controls their data, what data you collect, why you collect it, and how they can exercise their rights.
At minimum, a compliant statement must cover these elements:
- Identity and contact details of the data controller and, where applicable, the Data Protection Officer
- Categories of personal data you collect (names, emails, IP addresses, cookies, payment details)
- Purposes and legal bases for each processing activity under Article 6
- Recipients or categories of recipients who receive the data
- Cross-border transfers and the safeguards you use (Standard Contractual Clauses, adequacy decisions)
- Retention periods or criteria used to determine how long you keep data
- Data subject rights including access, rectification, erasure, restriction, portability, and objection
- Right to withdraw consent at any time, where consent is the legal basis
- Right to lodge a complaint with a supervisory authority
Missing any of these elements can expose your organization to enforcement action. Regulators across Europe have fined companies specifically for incomplete transparency notices.
GDPR Compliance Statement Example: Full Template
Below is a structured GDPR compliance statement example you can adapt to your organization. Replace the bracketed placeholders with your actual details.
Data Controller Information
State who is responsible for personal data processing:
"[Company Name], registered at [Address], is the data controller for personal data collected through this website. You can contact us at [email] or reach our Data Protection Officer at [DPO email]."
Data We Collect
Organize data into clear categories:
- Data you provide directly: name, email address, phone number, and any information submitted through forms or account registration
- Data collected automatically: IP address, browser type, operating system, referring URL, pages visited, and timestamps
- Data from cookies and similar technologies: session identifiers, preference cookies, and analytics cookies (refer to your cookie policy for full details)
- Data from third parties: payment processors, advertising networks, or social login providers
Purposes and Legal Bases
Map each purpose to a lawful basis under Article 6(1) of the GDPR:
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Providing our service | Performance of a contract | Art. 6(1)(b) |
| Responding to inquiries | Legitimate interest | Art. 6(1)(f) |
| Sending marketing emails | Consent | Art. 6(1)(a) |
| Analytics and improvement | Legitimate interest | Art. 6(1)(f) |
| Legal obligations (tax, fraud) | Legal obligation | Art. 6(1)(c) |
| Cookie-based tracking | Consent | Art. 6(1)(a) |
This table format makes it easy for visitors and regulators to verify that each processing activity has a documented lawful basis.
Data Sharing and Transfers
List the categories of recipients:
- Hosting providers (infrastructure)
- Payment processors (transaction handling)
- Analytics services (usage measurement)
- Email service providers (communications)
If any of these recipients are outside the EEA, state the transfer mechanism. For example: "We transfer data to processors in the United States under Standard Contractual Clauses approved by the European Commission (Decision 2021/914)."
Retention Periods
Specify how long you keep each category of data:
- Account data: retained while the account is active, then deleted within 30 days of account closure
- Transaction records: retained for seven years to comply with tax obligations
- Analytics data: aggregated after 26 months, then individual records deleted
- Marketing consent records: retained for the duration of the consent plus three years
Data Subject Rights
Under Articles 15 through 22 of the GDPR, individuals have the right to:
- Access their personal data and receive a copy (Article 15)
- Rectify inaccurate or incomplete data (Article 16)
- Erase their data in certain circumstances (Article 17)
- Restrict processing while a dispute is resolved (Article 18)
- Data portability to receive data in a machine-readable format (Article 20)
- Object to processing based on legitimate interest or direct marketing (Article 21)
- Not be subject to solely automated decision-making with legal effects (Article 22)
Include a clear method for exercising these rights, such as an email address or a dedicated request form. Respond within one month as required by Article 12(3).
Complaint and Supervisory Authority
Close with the right to complain: "If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu."
Step-by-Step: Building Your Own GDPR Compliance Statement
Follow these steps to create a statement tailored to your organization.
Step 1: Audit Your Data Processing
Before writing anything, document every way your website collects and uses personal data. Check contact forms, checkout flows, analytics scripts, advertising pixels, and any third-party integrations. Record the data type, purpose, legal basis, and retention period for each.
Step 2: Generate Your Baseline Document
Use a privacy policy generator to create a structured starting document. This gives you the required sections and legal language, which you then customize based on your data audit.
Step 3: Add GDPR-Specific Sections
Ensure you include all Article 13 and 14 requirements. Pay special attention to:
- Lawful basis for each purpose (the table format shown above works well)
- Transfer mechanisms for any non-EEA data flows
- DPO contact details if you are required to appoint one under Article 37
- Automated decision-making disclosures if applicable
Step 4: Write in Plain Language
Recital 58 of the GDPR requires that information be provided in "concise, transparent, intelligible and easily accessible form, using clear and plain language." Avoid legal jargon where possible. Use short sentences and explain technical terms.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowStep 5: Publish and Link Prominently
Place your statement where visitors can find it before providing their data:
- Footer link on every page
- Directly below or adjacent to data collection forms
- Within your cookie consent banner
- In your account registration flow
Step 6: Set Up a Review Cycle
GDPR compliance is not a one-time task. Review your statement whenever you add new data processing activities, change vendors, or enter new markets. At minimum, conduct a formal review every 12 months.
Common Mistakes in GDPR Compliance Statements
Many websites publish statements that look complete but fail on closer inspection. Avoid these frequent errors:
- Vague purposes: writing "to improve our services" without specifying what data is used and how. Be concrete.
- Missing legal bases: listing purposes without mapping each one to a specific Article 6 basis.
- Outdated vendor lists: adding a new analytics tool or advertising network without updating the statement.
- No retention periods: stating "we keep data as long as necessary" without defining what "necessary" means for each data type.
- Inaccessible language: burying the statement in legal jargon that ordinary visitors cannot understand.
- No contact method: failing to provide a clear way for individuals to exercise their rights or reach the data controller.
GDPR Compliance Statement vs. Other Privacy Documents
Your GDPR compliance statement is one piece of a broader privacy documentation stack. Understanding how these documents relate helps you avoid duplication and gaps.
A privacy policy is the broader document covering all privacy laws your organization must comply with, including CCPA, PIPEDA, and others. Your GDPR compliance statement can be a section within your privacy policy or a standalone document.
A cookie policy specifically addresses cookies and similar tracking technologies. It details what cookies you set, their purposes, and how visitors can manage preferences. Link to it from your GDPR compliance statement rather than duplicating the information.
Your terms of service govern the contractual relationship with users. They reference the privacy policy but serve a different legal function. Use a terms of service generator to create these separately.
A cookie consent banner is the interactive element that captures consent before setting non-essential cookies. It works alongside your compliance statement but is a user interface component, not a document.
Enforcement Examples That Show Why This Matters
Regulators have taken action against organizations with inadequate transparency notices:
- The French CNIL fined Google 50 million EUR in 2019 for failing to provide transparent and easily accessible information about data processing purposes and legal bases.
- The Irish DPC fined Meta 1.2 billion EUR in 2023 for transferring personal data to the United States without adequate safeguards, partly because its privacy documentation did not accurately reflect the transfer mechanisms in use.
- The Italian Garante fined Clearview AI 20 million EUR in 2022 for multiple GDPR violations including failure to provide adequate information to data subjects.
These cases reinforce that transparency obligations under Articles 13 and 14 are actively enforced, and the financial consequences can be severe.
How to Keep Your GDPR Compliance Statement Current
A compliant statement today can become non-compliant tomorrow if your processing changes and the document does not. Build maintenance into your workflow.
- Track vendor changes: every time you add, remove, or replace a third-party service that processes personal data, update your statement.
- Monitor regulatory guidance: supervisory authorities regularly publish new guidance on transparency requirements. Subscribe to updates from your lead authority.
- Version your documents: date each version and maintain an archive. If a complaint arises, you need to show what the statement said at the time of processing.
- Automate where possible: tools like TermsBox can scan your website for cookies and trackers, then flag when your published documents need updating.
Keeping your GDPR compliance statement accurate is as important as creating it in the first place. Outdated statements create the same legal risk as missing ones.
Frequently Asked Questions
What is a GDPR compliance statement?
A GDPR compliance statement is a public notice explaining how your organization collects, processes, and protects personal data under the General Data Protection Regulation. It covers legal bases for processing, data subject rights, retention periods, and contact details for your data controller or Data Protection Officer.
Is a GDPR compliance statement the same as a privacy policy?
They overlap significantly, but a GDPR compliance statement specifically addresses GDPR requirements such as lawful bases under Article 6, data subject rights under Articles 15 through 22, and cross-border transfer safeguards. Many organizations combine both into a single document that satisfies GDPR and broader privacy law obligations.
Do small businesses need a GDPR compliance statement?
Yes. The GDPR applies to any organization that processes personal data of individuals in the European Economic Area, regardless of company size or location. A small business that collects email addresses through a contact form or runs analytics on EU visitors must publish a compliant statement.
What are the penalties for not having a GDPR compliance statement?
Supervisory authorities can impose fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher, under Article 83 of the GDPR. Even without a fine, a missing or inadequate statement can trigger formal warnings, processing bans, and reputational damage.