GDPR Privacy Policy: What to Include and How to Write One
Learn what a GDPR privacy policy must contain, how to write one that meets legal requirements, and avoid common mistakes.
A GDPR privacy policy is a legal requirement for any organization that collects or processes the personal data of individuals in the European Economic Area. Whether you call it a privacy policy, privacy notice, or privacy statement, the GDPR mandates that you tell people exactly what you do with their data.
This guide covers what your GDPR privacy policy must include, how to structure it, and the mistakes that lead to enforcement action. This is educational content and not legal advice. Consult a qualified attorney for guidance specific to your organization.
What Is a GDPR Privacy Policy?
A GDPR privacy policy is a public-facing document that explains how your organization collects, uses, stores, shares, and protects personal data. Under the GDPR, this disclosure is not optional. Articles 13 and 14 set out the specific information you must provide to data subjects, and Article 12 requires that you deliver it in a "concise, transparent, intelligible and easily accessible form, using clear and plain language."
The regulation uses the term "privacy notice" rather than "privacy policy," but the two terms are widely treated as synonymous in practice. What matters is not the label but whether the document contains everything the law requires and whether real people can understand it.
A privacy notice under GDPR serves three purposes:
- Transparency: Data subjects know what happens to their data before it is collected.
- Legal compliance: The document demonstrates your organization meets its disclosure obligations.
- Trust: Clear, honest communication about data practices builds confidence with users and customers.
Mandatory Contents of a GDPR Privacy Policy
Articles 13 and 14 of the GDPR list the specific information you must include. Missing any of these elements can trigger enforcement action from supervisory authorities.
Identity and contact details
Provide the full name and contact details of the data controller. If you have a Data Protection Officer (required under Article 37 for public authorities, organizations conducting large-scale monitoring, or those processing special category data at scale), include their contact information as well.
Categories of personal data
List the types of personal data you collect. Be specific rather than vague. Instead of writing "we collect your information," state the actual categories:
- Contact details (name, email address, phone number)
- Account credentials (username, hashed password)
- Payment information (processed by your payment provider)
- Technical data (IP address, browser type, device identifiers)
- Usage data (pages visited, features used, session duration)
- Communication data (support tickets, chat transcripts)
Purposes and lawful bases
For each category of personal data, explain why you process it and which of the six lawful bases under Article 6 applies. The six bases are consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.
When relying on legitimate interests, you must describe what those interests are. A GDPR privacy statement that simply lists "legitimate interests" without explanation does not meet the transparency standard.
Recipients and third parties
Name the categories of recipients who receive personal data. This includes:
- Payment processors
- Hosting and infrastructure providers
- Analytics services
- Advertising networks
- Customer support tools
- Email marketing platforms
Where possible, name specific providers. At minimum, describe the type of service and the purpose of sharing.
International transfers
If you transfer personal data outside the EEA, disclose the countries involved and the safeguards in place. Acceptable mechanisms include adequacy decisions (Article 45), Standard Contractual Clauses (Article 46), and Binding Corporate Rules (Article 47).
Retention periods
State how long you retain each category of data, or explain the criteria you use to determine retention. Indefinite retention without justification violates the storage limitation principle in Article 5(1)(e).
Data subject rights
List all rights available under the GDPR and explain how individuals can exercise them:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right not to be subject to automated decision-making (Article 22)
- Right to lodge a complaint with a supervisory authority
Automated decision-making
If you use profiling or automated decision-making that produces legal or similarly significant effects, Article 22 requires you to disclose this, explain the logic involved, and describe the significance and consequences for the data subject.
How to Structure a GDPR Privacy Policy
The best privacy policies are scannable. Users rarely read them start to finish. Structure your document so people can find what they need quickly.
Layered approach
The Article 29 Working Party (now the European Data Protection Board) recommends a layered approach. Present a short summary with key points upfront, then link to the full detailed notice. This satisfies both the "concise" and "transparent" requirements of Article 12.
A practical layered structure looks like this:
- Short notice (one paragraph): Who you are, what data you collect, why, and how to contact you
- Full policy (detailed sections): All mandatory disclosures organized under clear headings
- Just-in-time notices: Brief explanations at the point of data collection (forms, checkout, cookie banners)
Recommended heading structure
Organize your full GDPR privacy policy with these sections:
- Who we are (controller identity and contact)
- What data we collect
- How we use your data (purposes and lawful bases)
- Who we share your data with
- International transfers
- How long we keep your data
- Your rights
- Cookies and tracking technologies
- Children's data
- Changes to this policy
- How to contact us
A privacy policy generator can produce this structure automatically based on your specific processing activities, saving time and reducing the risk of missing required sections.
GDPR Privacy Policy and Cookies
Cookies deserve special attention in any privacy policy for GDPR compliance. The ePrivacy Directive (Directive 2002/58/EC), which works alongside the GDPR, requires consent before placing non-essential cookies on a user's device.
Your GDPR privacy statement should explain:
- What cookies you use and their purposes
- Which are strictly necessary (exempt from consent) and which require opt-in
- How users can manage or withdraw cookie consent
- What happens if cookies are rejected
Many organizations maintain a separate cookie policy that provides detailed information about each cookie, its provider, purpose, and expiry. Your privacy policy should then link to this document.
A consent management platform (CMP) handles the technical side: blocking non-essential cookies until consent is given, recording consent decisions, and providing a preferences center where users can change their choices. Your privacy notice should reference how your CMP works so users understand the connection between the banner they see and the policy they read.
Common GDPR Privacy Policy Mistakes
Supervisory authorities across Europe have published enforcement guidance highlighting recurring deficiencies. Avoid these:
Vague or generic language
Stating "we may use your data for various purposes" does not satisfy GDPR transparency requirements. Each purpose must be specified alongside its lawful basis. The Irish Data Protection Commission has repeatedly cited insufficient specificity as a ground for enforcement.
Missing or incorrect lawful bases
Every processing activity needs a lawful basis, and it must be the correct one. Organizations that cite "consent" but then cannot demonstrate how consent was obtained, or that make the service conditional on consent for non-essential processing, create compliance gaps. If consent is not freely given, it is not valid consent.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowNo mention of international transfers
If you use cloud services hosted in the United States, content delivery networks with global infrastructure, or analytics tools that process data outside the EEA, your privacy policy must disclose this. The Schrems II ruling (C-311/18) invalidated the Privacy Shield and raised the bar for transfer mechanisms. Document your safeguards clearly.
Outdated information
A privacy policy that references services you no longer use, or omits new processing activities, fails the accuracy requirement. Treat your privacy policy as a living document. Review it at least quarterly and update it whenever your data processing changes.
Buried or inaccessible placement
Your privacy notice must be easy to find. Best practice is a persistent footer link on every page, links at every data collection point, and a reference during account registration and checkout. Hiding the policy behind multiple clicks or login walls violates Article 12's accessibility requirement.
How to Write a GDPR Privacy Policy Step by Step
Follow this process to create a privacy policy that meets GDPR requirements and genuinely informs your users.
Step 1: Map your data processing
Before writing a word, audit every data collection point on your website, app, and internal systems. Document:
- What personal data is collected at each point
- Why it is collected (the business purpose)
- Which lawful basis applies
- Where the data is stored and for how long
- Who has access, including third-party processors
Step 2: Identify your lawful bases
For each processing activity, select and document the most appropriate lawful basis under Article 6. If you process special category data (Article 9), identify the additional condition that applies. Record your reasoning so you can demonstrate compliance if questioned.
Step 3: Draft clear, specific disclosures
Write each section in plain language. The GDPR explicitly requires that privacy notices avoid legal jargon. A business owner with no legal training should be able to understand your policy.
Use the privacy policy generator as a starting point. It produces a structured document covering all mandatory GDPR disclosures. Customize it with your specific data categories, processors, and retention periods.
Step 4: Address cookies and tracking
List all cookies and tracking technologies. Categorize them as strictly necessary, functional, analytics, or advertising. Explain the consent mechanism and link to your cookie policy for the full disclosure.
Step 5: Include rights and contact information
Explain each data subject right in straightforward terms. Provide a clear method for exercising rights, whether that is an email address, a web form, or an account settings page. Include your supervisory authority's contact details so users know where to complain.
Step 6: Publish and maintain
Place the policy in your website footer. Link to it from registration forms, checkout flows, and anywhere you collect data. Set a calendar reminder to review it quarterly. When you make changes, notify users through your website, email, or in-app notification, depending on the significance of the update.
GDPR Privacy Policy Requirements by Business Type
Different business models create different privacy policy obligations. Here are the key considerations for common scenarios.
E-commerce websites
Online stores process payment data, shipping addresses, purchase history, and often behavioral data for recommendations. Your privacy policy must cover transaction processing, fraud prevention (often legitimate interests), marketing communications (consent or legitimate interests for existing customers), and any third-party marketplace or fulfillment partners. Link to your terms of service to clarify the contractual basis for order processing.
SaaS applications
Software providers collect account data, usage analytics, support communications, and potentially sensitive business data uploaded by customers. Distinguish between data you process as a controller (account management, billing) and data you process as a processor on behalf of your customers (their end users' data). The latter requires a Data Processing Agreement under Article 28.
Mobile apps
Apps often access device sensors, contacts, photos, or location data. Your privacy policy must disclose each permission you request and the purpose behind it. App store requirements from Apple and Google add additional disclosure obligations on top of GDPR.
Blogs and content websites
Even a simple blog collects personal data through analytics, comment forms, newsletter signups, and advertising. If you use Google Analytics, embedded social media widgets, or any advertising network, your privacy policy must disclose these and your cookie consent mechanism must gate them appropriately.
Enforcement Actions Related to Privacy Notices
Regulators have imposed significant fines specifically for privacy notice failures:
- Google (2019): The French CNIL fined Google 50 million EUR for lack of transparency and valid consent in its privacy notice and ad personalization settings.
- Meta/WhatsApp (2021): The Irish DPC fined WhatsApp 225 million EUR for failing to provide adequate transparency in its privacy notice, particularly regarding data sharing with other Meta companies.
- Clearview AI (2022): Multiple European authorities fined Clearview AI a combined total exceeding 50 million EUR for processing biometric data without a lawful basis and failing to inform data subjects.
These cases demonstrate that supervisory authorities treat privacy notice deficiencies as serious infringements, not minor administrative oversights. Fines under Article 83 can reach 20 million EUR or 4% of annual global turnover, whichever is higher.
Frequently Asked Questions
Is a privacy policy required under GDPR?
Yes. Articles 13 and 14 of the GDPR require every organization that processes personal data to provide a clear, accessible privacy notice. Failing to do so can result in fines of up to 20 million EUR or 4% of annual global turnover.
What is the difference between a privacy policy and a privacy notice under GDPR?
The terms are often used interchangeably. A privacy notice is the external document you present to data subjects explaining how you handle their data. A privacy policy can also refer to internal procedures. Under GDPR, what matters is that you provide a transparent, accessible disclosure to individuals.
How often should I update my GDPR privacy policy?
Review your privacy policy at least quarterly and update it whenever you add new data processing activities, integrate new third-party services, change your lawful basis, or expand into new jurisdictions. Always notify users of material changes.
Can I copy another company's GDPR privacy policy?
No. Your privacy policy must accurately reflect your own data processing activities, lawful bases, retention periods, and third-party relationships. A generic or copied policy will not satisfy GDPR transparency requirements and could expose you to enforcement action.