The introduction of the EU's GDPR brought a significant change to the privacy-legal landscape. The shift from the "digital era" to the "digital privacy era" has given individuals greater control over their personal data. GDPR makes transparency a core principle and requires businesses to give individuals clear information about their data practices. A comprehensive privacy policy is therefore not only a legal requirement but also a strategic asset for businesses.

What is a privacy policy?

A privacy policy is a public document in which a controller explains how it processes personal data: the categories of personal data collected, the purposes of processing, the rights of data subjects, and related information. In simple terms, it is a guide that lets data subjects understand how an organization processes their personal data and what they can do about it.

Privacy laws across the world, including GDPR, require that users be given a privacy policy. It is what makes data processing fair and transparent.

A privacy policy is also known as a privacy notice, privacy statement, data protection notice, etc.

Who should display a privacy policy under GDPR?

Data controllers, whether established in the European Union or overseas, who process the personal data of individuals in the EU should provide a privacy policy. A data controller is any entity that determines the purposes and means of processing personal data, for example a business. Processors (vendors processing data on a controller's behalf) are not the ones who owe this notice to data subjects; the controller is.

Know if GDPR applies to you: GDPR compliance checklist

Articles 13 and 14 of the GDPR list the information that must be included in a privacy policy (Article 13 for data collected directly from the data subject, Article 14 for data obtained from other sources). Article 12 prescribes how that information must be presented.

If you collect the personal data of individuals in the EU, you must provide a privacy policy regardless of where you are located.

Penalties for violating GDPR's transparency obligations fall in the upper tier: up to €20 million or 4% of global annual turnover, whichever is higher.


What are the GDPR privacy policy requirements?

GDPR imposes strict requirements on privacy notices. The following rules, drawn from Article 12, must be observed when drafting a privacy policy under GDPR:

  • Do not charge a fee to access the privacy policy.
  • It should be concise, intelligible and easily accessible.
  • Always use clear and plain language and avoid jargon.
  • Privacy policies must be provided in writing, which includes electronic means where appropriate.
  • The information may be provided orally if the data subject requests it and their identity has been verified by other means.
  • Where possible, combine the information with standardised, meaningful icons for easy understanding. Where the icons are presented electronically, they must be machine-readable.
  • If personal data is collected from the data subject, the privacy policy must be provided at the time of collection.
  • If personal data is obtained from other sources, the information must be provided within a reasonable period and at the latest within one month; if the data is used to communicate with the data subject, at the latest at the first communication; and if it is to be disclosed to another recipient, at the latest when it is first disclosed.

Avoid vague words such as "may", "might" and "often", which obscure what you actually do with the data. Additionally, if you intend to use the personal data for a purpose other than the one it was collected for, inform the data subject about the new purpose before that further processing begins.

What are the key components of a privacy policy under GDPR?

A privacy policy is the key to fair and transparent data handling, so the information in it must be accurate and relevant. The following are the key ingredients of a complete privacy policy for your organization.

Identity and contact information

Provide the legal/business name of the controller and its contact details (an email address, phone number, postal address, etc.) in the privacy policy. In addition, include the contact details of your data protection officer and, where applicable, of your EU representative. Let us take a look at how Meta shares their contact information.

[Image: GDPR privacy policy - contact information]

Categories of personal data

The privacy policy should list all the categories of personal data you collect, including online identifiers such as cookies and IP addresses. Article 14 makes this explicitly mandatory when the data is not obtained from the data subject; listing the categories in every case is standard practice and is what supervisory authorities expect to see.

Some examples of categories of personal data are location information, contact information, payment and transaction information, usage information, etc. The categories will depend on your business. Here is how CookieYes fulfils the requirement.

[Image: GDPR privacy policy - collected personal data]

Data processing

A privacy policy must also explain why and how the personal data is processed. The details depend on factors such as your business type, the information you collect and the purposes of collection. For instance, here is how KFC describes it in their privacy policy.

[Image: GDPR privacy policy - use of personal data]

Cookies and tracking technologies

Almost all online platforms use cookies and other tracking technologies, for functionality as well as analytics and advertising. Inform your users which technologies you use, for what purposes, and how they can manage them. Look at this example from Volkswagen's website.

[Image: GDPR privacy policy - cookies and tracking technologies]

Specific purposes and legitimate interests

Include the specific purposes for processing the personal data and the lawful basis for each. Article 6(1) provides six lawful bases: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest, and legitimate interests. A specific purpose might be verifying a user's identity or sending product updates.

If you rely on legitimate interests as the lawful basis, you must state what those interests are.

CookieYes has a dedicated table in our privacy policy for the list of purposes and legitimate interests.

[Image: GDPR privacy policy - legitimate interests]

Data sharing

GDPR requires businesses to inform data subjects who will receive their personal data. Therefore, include the recipients or categories of recipients (for example payment processors, hosting providers, analytics vendors) in the privacy policy. Volkswagen's privacy policy accommodates the requirement like this.

[Image: GDPR privacy policy - disclosure of personal data]

Cross-border transfer

If the personal data collected from your users is transferred to a country outside the EU/EEA or to an international organisation, say so in the privacy policy and state whether the destination benefits from an adequacy decision or, if not, which safeguards you rely on (for example standard contractual clauses or binding corporate rules).

The law also requires businesses to state how a copy of those safeguards can be obtained or where they have been made available. For example, Forbes describes cross-border transfers in their privacy policy this way.

[Image: GDPR privacy policy - cross-border transfer]

Data retention period

If you have determined how long each category of personal data will be retained, state that period in the privacy policy. If not, state the criteria used to determine it (for example "for the duration of the contract plus the statutory limitation period"). Here is an illustration from Decathlon's website.

Rights of data subjects

GDPR gives data subjects control over their personal data by granting them a set of rights. Those rights are of little use if people do not know they have them. That is why the privacy policy should set out the rights of access, rectification, erasure, restriction of processing and data portability, as well as the right to object.

The privacy policy must also tell data subjects that they have the right to lodge a complaint with a supervisory authority. Below is an illustration from the IAPP's privacy policy.

[Image: GDPR privacy policy - data subject rights]

Data requirements and consequences

State why you require the personal data: whether providing it is a statutory requirement, a contractual requirement, or necessary in order to enter into a contract. This is usually provided under the heading "uses of personal data".

Furthermore, inform data subjects whether they are obliged to provide the personal data and what the consequences are if they refuse (for example, that you will be unable to provide the service).

[Image: GDPR privacy policy - consequences for not providing personal data]

Consent withdrawal

Where processing is based on consent, or on explicit consent for special categories of data (such as health or biometric data), inform data subjects that they can withdraw consent at any time and that withdrawal does not affect the lawfulness of processing carried out before it. Also describe how consent can be withdrawn, and make withdrawing as easy as giving it.

[Image: GDPR privacy policy - consent withdrawal]

Automated decision making

GDPR requires businesses to inform data subjects whether their personal data is used for automated decision-making, including profiling. In such cases, also give meaningful information about the logic involved and about the significance and envisaged consequences for the data subject. This is commonly found under the heading "uses of personal data" on platforms in marketing, insurance and similar sectors. For instance, Target's website provides an example of how you can present this information in a privacy policy.

[Image: GDPR privacy policy - automated decision-making]

Information collected from other sources

Article 14 of the GDPR applies to personal data that is not collected directly from the data subject. If you obtain personal data from sources other than the individual, you must state the source and, where applicable, whether it came from publicly accessible sources. Here is an example from CookieYes.

[Image: GDPR privacy policy - personal data from other sources]

Other components

In addition to all the above requirements, include the effective date or "last updated" date of the privacy policy so that readers can tell which version applies. Avoid jargon, or include a dedicated section defining any terms you cannot avoid.

Your privacy policy should be written in a way that is easy to understand, and GDPR specifically requires this for any information addressed to children.

How to create a GDPR-compliant privacy policy?

You can create a privacy policy using any of the following methods:

Online tools

This is the easiest and most convenient way to create a privacy policy. You can use a consent management platform (CMP) such as CookieYes to generate and publish a GDPR-compliant privacy policy. The CookieYes privacy policy generator is free and easily customizable.


Privacy policy templates

Another way to create a privacy policy for your business is to use a template. Templates already contain the required structure and basic wording and can be customized. Our GDPR privacy policy template and guide to GDPR are two such resources; you may also read our privacy policy guide for more details.

Legal consultant

Drafting a privacy policy can be a complex process that requires careful attention, especially to the legal aspects. You can therefore consult a legal expert to create your privacy policy.

Create one yourself

You may also create a privacy policy from scratch: go through the reference materials, gather the necessary information, organize it, and draft the policy yourself.

Where can a privacy policy be posted?

A privacy policy must be posted conspicuously on your website. There is no hard and fast rule, but here are some common placements you will be familiar with:

  • The header of the homepage
  • Footer of webpages
  • Sign-up forms, or any other forms that collect personal data
  • Consent banners or cookie pop-ups
  • Settings menu

[Infographic: GDPR privacy policy checklist]

FAQ on GDPR privacy policy

What are the 7 principles of GDPR?

The seven principles of GDPR, set out in Article 5, are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. You may reference the principles in your privacy policy.

Can I copy the privacy policy from other websites?

No. A privacy policy is copyrighted intellectual property, so copying one exposes you to legal repercussions. More importantly, another company's policy describes that company's processing, not yours, so a copied policy would misrepresent your own data practices. Write a privacy policy that reflects what you actually do.

Can I use Artificial intelligence to write a privacy policy?

It is best not to rely on an AI-generated privacy policy as-is, because the output may be inaccurate or omit items that Articles 13 and 14 require. You may use AI to create an outline, but review the result against the requirements above. Read our blog on AI-generated privacy policies for more details. The more reliable alternative is to use a privacy policy generator.

Can I call a privacy policy a privacy notice?

Yes. Privacy policies are also known as privacy notices, privacy statements, data protection notices, privacy practices, etc. (Do not confuse them with data protection impact assessments, which are internal risk assessments rather than notices to data subjects.)