TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR Compliance Statement Example for Your Website
Privacy Policy

GDPR Compliance Statement Example for Your Website

See a GDPR compliance statement example with required clauses, legal bases, and step-by-step instructions for building your own.

TermsBox Team|April 4, 202610 min read

A GDPR compliance statement example gives you a concrete starting point for one of the most important pages on your website. If your site collects any personal data from visitors in the European Economic Area, you need a clear, legally accurate statement explaining what you do with that data and why.

This article is educational content, not legal advice. Every business has unique processing activities, so consult a qualified attorney to review your final statement before publishing.

What a GDPR Compliance Statement Must Include

A GDPR compliance statement is a transparency document required under Articles 13 and 14 of the General Data Protection Regulation. It tells visitors who controls their data, what data you collect, why you collect it, and how they can exercise their rights.

At minimum, a compliant statement must cover these elements:

  • Identity and contact details of the data controller and, where applicable, the Data Protection Officer
  • Categories of personal data you collect (names, emails, IP addresses, cookies, payment details)
  • Purposes and legal bases for each processing activity under Article 6
  • Recipients or categories of recipients who receive the data
  • Cross-border transfers and the safeguards you use (Standard Contractual Clauses, adequacy decisions)
  • Retention periods or criteria used to determine how long you keep data
  • Data subject rights including access, rectification, erasure, restriction, portability, and objection
  • Right to withdraw consent at any time, where consent is the legal basis
  • Right to lodge a complaint with a supervisory authority

Missing any of these elements can expose your organization to enforcement action. Regulators across Europe have fined companies specifically for incomplete transparency notices.

GDPR Compliance Statement Example: Full Template

Below is a structured GDPR compliance statement example you can adapt to your organization. Replace the bracketed placeholders with your actual details.

Data Controller Information

State who is responsible for personal data processing:

"[Company Name], registered at [Address], is the data controller for personal data collected through this website. You can contact us at [email] or reach our Data Protection Officer at [DPO email]."

Data We Collect

Organize data into clear categories:

  1. Data you provide directly: name, email address, phone number, and any information submitted through forms or account registration
  2. Data collected automatically: IP address, browser type, operating system, referring URL, pages visited, and timestamps
  3. Data from cookies and similar technologies: session identifiers, preference cookies, and analytics cookies (refer to your cookie policy for full details)
  4. Data from third parties: payment processors, advertising networks, or social login providers

Purposes and Legal Bases

Map each purpose to a lawful basis under Article 6(1) of the GDPR:

Purpose Legal Basis GDPR Article
Providing our service Performance of a contract Art. 6(1)(b)
Responding to inquiries Legitimate interest Art. 6(1)(f)
Sending marketing emails Consent Art. 6(1)(a)
Analytics and improvement Legitimate interest Art. 6(1)(f)
Legal obligations (tax, fraud) Legal obligation Art. 6(1)(c)
Cookie-based tracking Consent Art. 6(1)(a)

This table format makes it easy for visitors and regulators to verify that each processing activity has a documented lawful basis.

Data Sharing and Transfers

List the categories of recipients:

  • Hosting providers (infrastructure)
  • Payment processors (transaction handling)
  • Analytics services (usage measurement)
  • Email service providers (communications)

If any of these recipients are outside the EEA, state the transfer mechanism. For example: "We transfer data to processors in the United States under Standard Contractual Clauses approved by the European Commission (Decision 2021/914)."

Retention Periods

Specify how long you keep each category of data:

  • Account data: retained while the account is active, then deleted within 30 days of account closure
  • Transaction records: retained for seven years to comply with tax obligations
  • Analytics data: aggregated after 26 months, then individual records deleted
  • Marketing consent records: retained for the duration of the consent plus three years

Data Subject Rights

Under Articles 15 through 22 of the GDPR, individuals have the right to:

  1. Access their personal data and receive a copy (Article 15)
  2. Rectify inaccurate or incomplete data (Article 16)
  3. Erase their data in certain circumstances (Article 17)
  4. Restrict processing while a dispute is resolved (Article 18)
  5. Data portability to receive data in a machine-readable format (Article 20)
  6. Object to processing based on legitimate interest or direct marketing (Article 21)
  7. Not be subject to solely automated decision-making with legal effects (Article 22)

Include a clear method for exercising these rights, such as an email address or a dedicated request form. Respond within one month as required by Article 12(3).

Complaint and Supervisory Authority

Close with the right to complain: "If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu."

Step-by-Step: Building Your Own GDPR Compliance Statement

Follow these steps to create a statement tailored to your organization.

Step 1: Audit Your Data Processing

Before writing anything, document every way your website collects and uses personal data. Check contact forms, checkout flows, analytics scripts, advertising pixels, and any third-party integrations. Record the data type, purpose, legal basis, and retention period for each.

Step 2: Generate Your Baseline Document

Use a privacy policy generator to create a structured starting document. This gives you the required sections and legal language, which you then customize based on your data audit.

Step 3: Add GDPR-Specific Sections

Ensure you include all Article 13 and 14 requirements. Pay special attention to:

  • Lawful basis for each purpose (the table format shown above works well)
  • Transfer mechanisms for any non-EEA data flows
  • DPO contact details if you are required to appoint one under Article 37
  • Automated decision-making disclosures if applicable

Step 4: Write in Plain Language

Recital 58 of the GDPR requires that information be provided in "concise, transparent, intelligible and easily accessible form, using clear and plain language." Avoid legal jargon where possible. Use short sentences and explain technical terms.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Step 5: Publish and Link Prominently

Place your statement where visitors can find it before providing their data:

  • Footer link on every page
  • Directly below or adjacent to data collection forms
  • Within your cookie consent banner
  • In your account registration flow

Step 6: Set Up a Review Cycle

GDPR compliance is not a one-time task. Review your statement whenever you add new data processing activities, change vendors, or enter new markets. At minimum, conduct a formal review every 12 months.

Common Mistakes in GDPR Compliance Statements

Many websites publish statements that look complete but fail on closer inspection. Avoid these frequent errors:

  • Vague purposes: writing "to improve our services" without specifying what data is used and how. Be concrete.
  • Missing legal bases: listing purposes without mapping each one to a specific Article 6 basis.
  • Outdated vendor lists: adding a new analytics tool or advertising network without updating the statement.
  • No retention periods: stating "we keep data as long as necessary" without defining what "necessary" means for each data type.
  • Inaccessible language: burying the statement in legal jargon that ordinary visitors cannot understand.
  • No contact method: failing to provide a clear way for individuals to exercise their rights or reach the data controller.

GDPR Compliance Statement vs. Other Privacy Documents

Your GDPR compliance statement is one piece of a broader privacy documentation stack. Understanding how these documents relate helps you avoid duplication and gaps.

A privacy policy is the broader document covering all privacy laws your organization must comply with, including CCPA, PIPEDA, and others. Your GDPR compliance statement can be a section within your privacy policy or a standalone document.

A cookie policy specifically addresses cookies and similar tracking technologies. It details what cookies you set, their purposes, and how visitors can manage preferences. Link to it from your GDPR compliance statement rather than duplicating the information.

Your terms of service govern the contractual relationship with users. They reference the privacy policy but serve a different legal function. Use a terms of service generator to create these separately.

A cookie consent banner is the interactive element that captures consent before setting non-essential cookies. It works alongside your compliance statement but is a user interface component, not a document.

Enforcement Examples That Show Why This Matters

Regulators have taken action against organizations with inadequate transparency notices:

  • The French CNIL fined Google 50 million EUR in 2019 for failing to provide transparent and easily accessible information about data processing purposes and legal bases.
  • The Irish DPC fined Meta 1.2 billion EUR in 2023 for transferring personal data to the United States without adequate safeguards, partly because its privacy documentation did not accurately reflect the transfer mechanisms in use.
  • The Italian Garante fined Clearview AI 20 million EUR in 2022 for multiple GDPR violations including failure to provide adequate information to data subjects.

These cases reinforce that transparency obligations under Articles 13 and 14 are actively enforced, and the financial consequences can be severe.

How to Keep Your GDPR Compliance Statement Current

A compliant statement today can become non-compliant tomorrow if your processing changes and the document does not. Build maintenance into your workflow.

  • Track vendor changes: every time you add, remove, or replace a third-party service that processes personal data, update your statement.
  • Monitor regulatory guidance: supervisory authorities regularly publish new guidance on transparency requirements. Subscribe to updates from your lead authority.
  • Version your documents: date each version and maintain an archive. If a complaint arises, you need to show what the statement said at the time of processing.
  • Automate where possible: tools like TermsBox can scan your website for cookies and trackers, then flag when your published documents need updating.

Keeping your GDPR compliance statement accurate is as important as creating it in the first place. Outdated statements create the same legal risk as missing ones.

Frequently Asked Questions

What is a GDPR compliance statement?

A GDPR compliance statement is a public notice explaining how your organization collects, processes, and protects personal data under the General Data Protection Regulation. It covers legal bases for processing, data subject rights, retention periods, and contact details for your data controller or Data Protection Officer.

Is a GDPR compliance statement the same as a privacy policy?

They overlap significantly, but a GDPR compliance statement specifically addresses GDPR requirements such as lawful bases under Article 6, data subject rights under Articles 15 through 22, and cross-border transfer safeguards. Many organizations combine both into a single document that satisfies GDPR and broader privacy law obligations.

Do small businesses need a GDPR compliance statement?

Yes. The GDPR applies to any organization that processes personal data of individuals in the European Economic Area, regardless of company size or location. A small business that collects email addresses through a contact form or runs analytics on EU visitors must publish a compliant statement.

What are the penalties for not having a GDPR compliance statement?

Supervisory authorities can impose fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher, under Article 83 of the GDPR. Even without a fine, a missing or inadequate statement can trigger formal warnings, processing bans, and reputational damage.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Privacy Policy

Android Privacy Policy: What to Include and How to Add One

Learn how to create an Android privacy policy that meets Google Play requirements and privacy laws. Step-by-step guide for app developers.

April 4, 202611 min read
Privacy Policy

Cookies Notice: What It Is, Why You Need One, and How to Comply

Learn what a cookies notice is, which laws require one, and how to create a compliant notice for your website. Covers GDPR, ePrivacy, and CCPA.

April 4, 202613 min read
Privacy Policy

Data Protection Policy Template: Free Guide for 2026

Get a data protection policy template with GDPR-compliant sections, practical guidance, and step-by-step instructions to build your own policy.

April 4, 202612 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What a GDPR Compliance Statement Must Include
  • GDPR Compliance Statement Example: Full Template
  • Data Controller Information
  • Data We Collect
  • Purposes and Legal Bases
  • Data Sharing and Transfers
  • Retention Periods
  • Data Subject Rights
  • Complaint and Supervisory Authority
  • Step-by-Step: Building Your Own GDPR Compliance Statement
  • Step 1: Audit Your Data Processing
  • Step 2: Generate Your Baseline Document
  • Step 3: Add GDPR-Specific Sections
  • Step 4: Write in Plain Language
  • Step 5: Publish and Link Prominently
  • Step 6: Set Up a Review Cycle
  • Common Mistakes in GDPR Compliance Statements
  • GDPR Compliance Statement vs. Other Privacy Documents
  • Enforcement Examples That Show Why This Matters
  • How to Keep Your GDPR Compliance Statement Current
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.