EU Compliant Privacy Policy

By: Hanna De La Garza | Updated on: November 7, 2025

Reviewed by: Teodor Stanciu, CIPP/E, CIPM


If your website collects data from people in the European Union (EU), you’ll need a privacy policy that meets strict regional standards.

The legal landscape in Europe is mainly made up of the General Data Protection Regulation (GDPR), the ePrivacy Directive (sometimes referred to as the “EU Cookie Law”), and newer frameworks like the EU AI Act.

In this guide, I explain what makes an EU-compliant privacy policy, how these key laws shape it, what to include, and where to post it.

I’ll also show you how Termly’s tools make it easier to create one that checks all the right boxes.

Table of Contents
  1. What Is an EU-Compliant Privacy Policy?
  2. EU Laws and Regulations That Impact Privacy Policies
  3. What Goes into an EU-Compliant Privacy Policy
  4. Where To Post Your EU Privacy Policy
  5. EU Privacy Policy vs. Cookie Policy: Why You Need Both
  6. How Termly Helps Businesses Make an EU-Compliant Privacy Policy

What Is an EU-Compliant Privacy Policy?

An EU-compliant privacy policy explains how your business collects, uses, stores, and protects the personal data of individuals in the European Union.

It’s a legal requirement under the GDPR, designed to give people transparency and control over their personal information.

To meet the GDPR standards, your privacy policy must clearly include:

  • Your business details, such as identity, contact information, and (if applicable) the contact information of your Data Protection Officer (DPO).
  • What data you collect and the purpose for collecting it.
  • The legal basis for processing personal data (e.g., consent, contractual necessity, legitimate interest), and if using legitimate interests, the specific interest(s) pursued.
  • Who you share data with (recipients or categories of recipients).
  • Data retention periods or the criteria used to determine how long data is stored.
  • International transfers if personal data is sent outside the EU/EEA, plus safeguards in place.
  • User rights under the GDPR, such as access, correction, deletion, restriction, portability, and objection.
  • Automated decision-making, including profiling, if it applies to your processing and where it does, “meaningful information about the logic involved” and the consequences, plus the user’s right to “obtain human intervention”.
  • If the data was not collected from the individual, you must disclose the source and categories of data.

Additionally, the policy must be written in plain, easy-to-understand language and be accessible wherever data is collected (like sign-up pages or cookie banners).

EU Laws and Regulations That Impact Privacy Policies

Several EU regulations shape how businesses handle personal data and what must appear in their privacy policies. Below are the main laws and standards you should know when creating an EU-compliant privacy policy.

GDPR

The General Data Protection Regulation (GDPR) is the foundation of EU data privacy law. It applies to organizations established in the EU and, under Article 3(2), to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, so a business based outside Europe can still be in scope.

Under the GDPR, your privacy policy must clearly explain:

  • What personal data you collect and why
  • Your lawful basis for processing that data (for example, consent or legitimate interest)
  • How long you retain it and who you share it with
  • How users can exercise their rights, such as accessing, correcting, or deleting their data
  • The contact details of the data controller and, where applicable, of the Data Protection Officer

GDPR transparency applies to both direct and indirect data collection: controllers must provide this notice even when they obtain the data from third parties rather than from the individual.

The GDPR also requires your policy to be written in clear and plain language so that anyone can easily understand how their data is handled.

EU Cookie Law

The EU Cookie Law, formally known as the ePrivacy Directive, governs how cookies and similar tracking technologies are used on websites.

The ePrivacy Directive complements the GDPR to ensure users have meaningful control over online tracking.

Note that the ePrivacy Directive is not directly applicable; each member state implements it through national law (e.g., Germany’s TTDSG, renamed the TDDDG in 2024, or Belgium’s Telecom Act), so the exact rules and enforcement practice differ from country to country.

To comply, you must:

  • Inform users about the online trackers (e.g., cookies) you use and what each one does
  • Obtain prior, unambiguous consent before placing any non-essential cookies or trackers (such as analytics or advertising trackers); until that consent is given, those trackers must stay inactive
  • Let users accept or reject cookies or trackers, and withdraw consent they have already given, at any time

Your privacy policy should link to or include a cookie section that explains these details, and many websites pair it with a dedicated cookie policy or consent banner.

EU AI Act

The EU Artificial Intelligence (AI) Act is a newer regulation aimed at ensuring AI systems are developed and used responsibly. While it primarily targets high-risk AI applications, it also impacts data processing transparency.

If your business uses AI to make decisions, analyze behavior, or personalize experiences, your privacy policy should disclose:

  • When and how AI systems are used
  • Whether a system is used for emotion recognition or biometric categorization, in which case the people exposed to it must be informed
  • Whether a system generates or manipulates image, audio, video or text content (“deep fakes”, or text published to inform the public on matters of public interest), in which case you must disclose that the content is artificially generated
  • What data the systems rely on
  • What steps you take to ensure fairness and human oversight, including how a person can obtain human review of a decision

Adding a short statement about AI use helps demonstrate accountability and aligns with the AI Act’s transparency principles.

IAB TCF v2.2

The Interactive Advertising Bureau’s Transparency and Consent Framework (IAB TCF v2.2) is a voluntary framework designed to help publishers and advertisers manage user consent in compliance with the GDPR and ePrivacy Directive.

Participation in the TCF can simplify ad-tech compliance workflows but does not itself guarantee compliance with data-protection laws.

Businesses that use online ads or work with ad tech partners can use the TCF to standardize how consent is collected and shared.

Termly supports this framework, helping websites display cookie banners and record valid consent in line with IAB standards.

SOC 2

SOC 2 (Service Organization Control 2) is a voluntary U.S. attestation standard, not an EU legal requirement.

A SOC 2 report can nonetheless build trust by showing how a company manages customer data against the AICPA’s five Trust Services Criteria:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Though not legally required in the EU, a SOC 2 report (it is an auditor’s attestation, not a certification) evidences disciplined data management. Describing SOC 2 or similar security measures in your privacy policy can boost user trust, especially for SaaS and data-driven companies.

What Goes into an EU-Compliant Privacy Policy

Below are the key elements every EU privacy policy should include.

Introduction

The introduction of your privacy policy sets the tone for transparency and helps users understand who you are, what the policy covers, and how to contact you about their data.

At minimum, it should:

  • Identify your organization’s name and business address
  • Explain the purpose and scope of the policy
  • Include the effective date
  • Name the data controller and provide a contact email for privacy questions
  • For non-EU controllers that fall under the GDPR via Article 3(2), include the contact details of the EU representative appointed under Article 27.

Below is Termly’s own Privacy Notice, which demonstrates how to communicate this information clearly and accessibly.

[Screenshot: Termly Privacy Notice]

This type of introduction gives users essential context right away. Keeping it straightforward and written in plain language helps meet GDPR transparency standards and builds trust from the very first line.

Legal Basis for Collecting and Processing Data

Under the GDPR, every organization that collects or processes the personal data of individuals in the EU must identify a lawful basis for doing so.

The six lawful bases under the GDPR are:

  • Consent: The individual has given clear, specific permission for you to process their data for a stated purpose, such as signing up for a newsletter.
  • Contract: Processing is necessary to perform a contract with the individual, such as delivering a purchased product or service.
  • Legal obligation: You are required by law to process the data (for example, keeping tax or employment records).
  • Legitimate interests: You have a genuine business reason to process the data (for instance, preventing fraud or improving website functionality) that is not overridden by the individual’s interests, rights, and freedoms. The interest must be “clearly and precisely articulated” and “real and present, not speculative”.
  • Vital interests: The processing is necessary to protect someone’s life (rare in most business contexts).
  • Public task: The processing is needed to perform a task in the public interest or in the exercise of official authority (usually applies to public bodies).

When writing your privacy policy, specify which of these bases apply to each type of data you collect and why.

Best practice is to link each processing purpose to a specific lawful basis (e.g., newsletter sign-up to consent, purchases to contract, fraud prevention to legitimate interests).

For example, Spotify’s Privacy Policy clearly lists the legal bases it relies on for data processing. Below is an excerpt.

[Screenshot: Spotify Privacy Policy]

This example shows how you can group your processing activities under different lawful bases while keeping the language concise and easy to understand.

What Data You Collect

A cornerstone of GDPR compliance is transparency about the types of data you collect.

Your privacy policy should clearly list the categories of personal data you process and briefly explain how you collect them, whether directly from users, through automated technologies, or from third parties.

Be specific. Avoid generic phrasing like “we may collect information”.

Common types of data include:

  • Personal identifiers: Names, email addresses, phone numbers, postal addresses
  • Account information: Login credentials, profile details, and preferences
  • Payment details: Billing addresses, payment method information, or transaction records
  • Technical data: IP addresses, browser type, operating system, and device identifiers
  • Usage data: How users interact with your website, app, or emails
  • Cookies and tracking data: Information collected through analytics, advertising, or social media integrations

If you handle special category data under Article 9 of the GDPR, such as biometric, health, or political-opinion data, you must say so explicitly, state which Article 9 condition you rely on, and explain the additional safeguards you apply.

Your goal is to give users a clear picture of what data you collect and why, category by category.

Below, you’ll see Airbnb’s Privacy Policy, which breaks down the types of data it collects in simple, organized sections.

[Screenshot: Airbnb Privacy Policy]

This example demonstrates how to present data categories clearly and group related information, making the section easy to navigate and understand.

Data Storage and Retention Policy

Under the GDPR, businesses are required to explain how long they keep personal data and what determines that time frame. This helps users understand how their data lifecycle is managed, from collection to deletion.

Your policy should include:

  • How and where data is stored (for example, on secure servers, in the cloud, or through third-party providers)
  • How long different categories of data are retained
  • The criteria used to decide retention periods (e.g., statutory record-keeping obligations, limitation periods for legal claims, operational needs)
  • What happens when data is no longer needed (for example, anonymization or deletion)

Give concrete examples, such as “billing data is retained for 7 years for tax compliance” or “marketing data is deleted after 12 months, or sooner if the user opts out”.

Avoid saying data is kept “for as long as necessary” without further context.

Instead, you must state the specific retention period (e.g. “6 months”) or, if that is not possible, the “criteria used to determine that period” (e.g. “the duration of the user’s subscription plus a 1-year period to resolve legal claims”).
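To show how such criteria become enforceable rather than just words in a policy, here is an added example (not Termly’s code and not from the original article) in JavaScript: the retention schedule is a table the policy text can quote, and a review function applies it to records, returning delete, anonymize, keep, or review (for a category with no rule). The categories, periods, reasons and sample records are constructed assumptions, not legal advice; the 7-year billing period, for instance, stands in for whatever your tax law actually requires.

```javascript
// Added example, not Termly's code: a retention schedule expressed as data the
// policy text can quote, plus the review logic that enforces it. Periods and
// reasons are illustrative assumptions; check them against your own statutory
// and contractual obligations.

// basis:  which timestamp on the record starts the clock
// months: retention period after that timestamp
// action: what happens at expiry ("delete" or "anonymize")
const RETENTION_SCHEDULE = {
  billing:      { basis: "created",           months: 84, action: "delete",    reason: "tax record-keeping (assumed 7-year statutory period)" },
  marketing:    { basis: "lastInteraction",   months: 12, action: "delete",    reason: "contact inactive for 12 months" },
  account:      { basis: "subscriptionEnded", months: 12, action: "anonymize", reason: "subscription plus one year for legal claims" },
  security_log: { basis: "created",           months: 6,  action: "delete",    reason: "incident investigation window" },
};

// Calendar-month arithmetic in UTC, so "7 years" means 7 years, not 2555 days.
function addMonths(epochMs, months) {
  const d = new Date(epochMs);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d.getTime();
}

// Decide what to do with one record at time `nowMs`.
function decide(record, nowMs) {
  const rule = RETENTION_SCHEDULE[record.category];
  if (!rule) {
    // Every category the policy lists needs a rule; surface the gap instead of guessing.
    return { id: record.id, action: "review", reason: `no retention rule for category "${record.category}"` };
  }
  if (record.legalHold) {
    return { id: record.id, action: "keep", reason: "legal hold" };
  }
  const start = record[rule.basis];
  if (start === undefined || start === null) {
    // Criterion not yet triggered (e.g. the subscription is still active).
    return { id: record.id, action: "keep", reason: `waiting for ${rule.basis}` };
  }
  const expiresAt = addMonths(start, rule.months);
  if (nowMs >= expiresAt) {
    return { id: record.id, action: rule.action, reason: rule.reason, expiresAt };
  }
  return { id: record.id, action: "keep", reason: rule.reason, expiresAt };
}

// Review a batch; returns only the records that need something done.
function dueActions(records, nowMs) {
  return records.map((r) => decide(r, nowMs)).filter((d) => d.action !== "keep");
}

// Constructed sample records, reviewed on 2025-11-07 (UTC).
const SAMPLE_RECORDS = [
  { id: "inv-1",  category: "billing",      created: Date.UTC(2018, 0, 1) },
  { id: "inv-2",  category: "billing",      created: Date.UTC(2019, 0, 1) },
  { id: "lead-1", category: "marketing",    lastInteraction: Date.UTC(2024, 5, 1) },
  { id: "acct-1", category: "account",      created: Date.UTC(2020, 0, 1) }, // still subscribed
  { id: "acct-2", category: "account",      created: Date.UTC(2020, 0, 1), subscriptionEnded: Date.UTC(2024, 8, 1) },
  { id: "acct-3", category: "account",      created: Date.UTC(2020, 0, 1), subscriptionEnded: Date.UTC(2024, 0, 1), legalHold: true },
  { id: "misc-1", category: "support_chat", created: Date.UTC(2021, 0, 1) }, // no rule defined
];
const REVIEW_DATE = Date.UTC(2025, 10, 7);

function runReview() {
  return dueActions(SAMPLE_RECORDS, REVIEW_DATE);
}
```

Running `runReview()` on the sample data flags inv-1 and lead-1 for deletion, acct-2 for anonymization, and misc-1 for review because its category has no rule; inv-2 and acct-1 are kept because their clocks have not expired or have not started, and acct-3 is kept under legal hold. The same schedule object is what the retention section of the policy should describe, so the document and the enforcement cannot drift apart silently.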

For example, Microsoft’s Privacy Statement gives a clear overview of its retention practices. Below you’ll see how they specify the retention periods depending on the use case.

[Screenshot: Microsoft Privacy Statement]

This example shows how to go beyond vague statements and give users a transparent look at retention practices.

By clearly outlining how long data is kept and the reasoning behind it, your policy demonstrates accountability and helps build trust with your audience.

Data Transfers Clause

A Data Transfers Clause explains how and when personal data may be shared or transmitted between parties, whether within your organization or to service providers, and above all when it crosses borders, i.e., leaves the European Economic Area (EEA).

Transfers to a third country are restricted by Chapter V of the GDPR, so this section is where you demonstrate that your business controls how data moves and keeps it lawful wherever it is processed.

If data leaves the EEA, name the transfer mechanism you rely on: an adequacy decision for the destination country (for the United States, the EU-US Data Privacy Framework for certified recipients), Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). SCCs and BCRs are “appropriate safeguards” under Article 46 of the GDPR, and since the Schrems II judgment you may also need supplementary measures (such as encryption with keys kept inside the EEA) where the destination country’s laws would undermine those safeguards.

In addition, your policy should describe:

  • When and why personal data may be transferred
  • Who data may be shared with (such as affiliates or third-party vendors)
  • The safeguards in place to protect that data during transfer (for example, encryption, contractual agreements, or approved legal mechanisms)
  • How users can contact you for more information about these transfers

This clause documents that transfers are controlled and lawful, and assures users that their personal information remains protected wherever it is processed or stored.

Morgan Lewis provides a strong example of how to communicate this clearly in its Privacy Policy below.

[Screenshot: Morgan Lewis Privacy Policy]

This example shows how to balance transparency with reassurance by providing a link to their list of locations and explaining the reasons for data transfers.

Cookies and Other Trackers

Cookies and similar tracking technologies play a major role in how websites collect and analyze user data.

You must make a clear distinction between essential and non-essential cookies and provide a link to your separate Cookie Policy and/or cookie-preference center.

Under the EU Cookie Law and GDPR, you’re required to clearly explain how these tools are used and give users meaningful control over them.

Your privacy policy (or linked cookie policy) should include:

  • What types of cookies or trackers you use (e.g., essential, analytics, marketing)
  • Why you use them (for example, to remember preferences or improve site performance)
  • Whether any third parties place cookies through your site
  • How users can manage or withdraw their consent, which must be obtained before any non-essential trackers are placed.

It’s also good practice to create and include a link to your Cookie Policy, so users can easily access detailed information or adjust their settings.
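As an added example (not Termly’s code and not part of the original article), the following JavaScript shows the gating logic that the ePrivacy requirements listed earlier and this section imply: non-essential trackers stay inactive until there is an explicit, current consent record; the choice is stored against a policy version so that consent given under an older cookie policy no longer counts; and withdrawing consent removes the cookies a category has already set. The tracker registry, cookie names, policy version string and the in-memory storage adapters are constructed for the example; in a browser you would wrap localStorage and document.cookie behind the same adapter interface.

```javascript
// Added example, not Termly's code: a consent gate that keeps non-essential
// trackers inactive until the user opts in, records the choice against a
// policy version, and clears a category's cookies when consent is withdrawn.
// Storage and cookie-jar adapters are injected so the logic also runs in Node.

const POLICY_VERSION = "2025-11"; // bump whenever the cookie policy changes
const CONSENT_KEY = "cookie_consent";
const NON_ESSENTIAL = ["analytics", "marketing"];

// Constructed registry: each tracker's category and the cookies it sets.
// Names are illustrative, not a statement about any real vendor.
const TRACKERS = [
  { id: "session",   category: "essential", cookies: ["sid"] },
  { id: "analytics", category: "analytics", cookies: ["_an_id", "_an_session"] },
  { id: "ads-pixel", category: "marketing", cookies: ["_ad_id"] },
];

// Minimal key/value adapter; in a browser, wrap localStorage / document.cookie.
function memoryStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    remove: (k) => { m.delete(k); },
  };
}

function createConsentGate({ storage, cookieJar, now = () => Date.now() }) {
  // Returns the stored consent record, or null when there is none or it was
  // given under an earlier policy version (stale consent is no consent).
  function readConsent() {
    const raw = storage.get(CONSENT_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    if (!rec || rec.version !== POLICY_VERSION || !Array.isArray(rec.granted)) return null;
    return rec;
  }

  // Persist the user's choice. Anything not granted is treated as refused,
  // and cookies already set by those categories are removed.
  function recordChoice(grantedCategories) {
    const granted = NON_ESSENTIAL.filter((c) => grantedCategories.includes(c));
    const rec = { version: POLICY_VERSION, granted, timestamp: now() };
    storage.set(CONSENT_KEY, JSON.stringify(rec));
    for (const t of TRACKERS) {
      if (t.category !== "essential" && !granted.includes(t.category)) {
        t.cookies.forEach((name) => cookieJar.remove(name));
      }
    }
    return rec;
  }

  // Essential trackers always run; others only with a current, explicit grant.
  // No record at all (banner ignored or dismissed) means "not allowed".
  function isAllowed(category) {
    if (category === "essential") return true;
    const rec = readConsent();
    return rec !== null && rec.granted.includes(category);
  }

  // The tracker ids the page loader is permitted to initialise right now.
  function loadableTrackers() {
    return TRACKERS.filter((t) => isAllowed(t.category)).map((t) => t.id);
  }

  return {
    readConsent, recordChoice, isAllowed, loadableTrackers,
    withdrawAll: () => recordChoice([]),
  };
}

// Stand-alone walk-through with in-memory adapters.
function demo() {
  const storage = memoryStore();
  const cookieJar = memoryStore();
  const gate = createConsentGate({ storage, cookieJar });
  const before = gate.loadableTrackers();   // only "session" before any choice
  gate.recordChoice(["analytics"]);
  cookieJar.set("_an_id", "abc");           // the analytics tracker is now running
  const after = gate.loadableTrackers();    // "session" and "analytics"
  gate.withdrawAll();                       // withdrawal clears analytics cookies
  const cookieGone = cookieJar.get("_an_id") === null;
  return { before, after, cookieGone, afterWithdraw: gate.loadableTrackers() };
}
```

The page loader should call `loadableTrackers()` and only initialise the scripts it returns; a tracker that is not in the list must not be in the DOM at all, because a script tag that has already executed has usually set its cookie. Note that "no choice yet" and "rejected" both gate the same way, which is what "inactive until consent is explicitly provided" requires.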

Shopify serves as an example of how to introduce cookie use clearly and link users to more information in its Privacy Policy, which is shown below.

[Screenshot: Shopify Privacy Policy]

This example shows how to be transparent without overwhelming readers. By briefly summarizing cookie practices and directing users to a detailed Cookie Policy, Shopify balances compliance with clarity, a best practice for any EU-facing website.

Rights of the Data Subject

Under the GDPR, individuals, known as data subjects, have several rights that give them control over their personal information. Your privacy policy should clearly list these rights and explain how users can exercise them.

The main rights include:

  • Right of access: Users can request a copy of the personal data you hold about them.
  • Right to rectification: Users can request to correct inaccurate or incomplete information.
  • Right to erasure (right to be forgotten): Users can request deletion of their personal data in certain circumstances.
  • Right to restrict processing: In certain circumstances (for example, while a disputed record is checked for accuracy), users can require you to stop using their data beyond storing it.
  • Right to data portability: Users can receive the data they provided in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Right to object: Users can object to processing based on legitimate interests, and can object to direct marketing at any time, after which it must stop.
  • Right to withdraw consent: Where processing is based on consent, users can withdraw it at any time, and doing so must be as easy as giving it.
  • Right to lodge a complaint: Users can complain to a supervisory authority, and Article 13(2)(d) of the GDPR requires your policy to tell them so.

Your privacy policy should explain how users can submit a data subject request (commonly called a DSAR, although strictly that term covers access requests), whether to access, correct, or delete their data.

Under Article 12 of the GDPR, you must respond without undue delay and at the latest within one month of receiving the request; that period can be extended by a further two months for complex or numerous requests, provided you tell the individual within the first month. Answers must be clear, complete, and delivered securely to a verified requester.

Managing DSARs manually can be complex and slow. A DSAR solution helps centralize requests, confirm user identity, and track responses, so businesses stay organized and meet GDPR deadlines.

Apple outlines its data subjects’ rights clearly and provides a practical way for users to exercise them in its Privacy Policy below.

[Screenshot: Apple Privacy Policy]

This example shows how to combine clarity and accessibility. Apple lists the main rights in plain language and immediately provides a contact point for users to act.

Your Company Contact Information

Every EU privacy policy should end with a clear and accessible contact section. This part of your policy tells users exactly how to reach you if they have questions, concerns, or want to exercise their data rights.

At minimum, include:

  • Your company’s full legal name
  • Your business address
  • A contact email for privacy-related questions
  • The Data Protection Officer’s (DPO) contact information, if applicable

You can also link to your DSAR form to make it even easier for users to contact you securely.

A good example comes from Canva’s privacy policy, which includes a straightforward, well-organized contact section, as shown in the screenshot below.

[Screenshot: Canva Privacy Policy]

This example illustrates best practices for international organizations.

Canva not only provides a direct email and physical address but also names its EU and UK representatives and includes links to data request forms, making it easy for users in any region to contact the right party.

Where To Post Your EU Privacy Policy

Even the most thorough privacy policy won’t help your business if users can’t find it. Under the GDPR, privacy policies must be easily accessible anywhere personal data is collected. This ensures users can review how their information will be used before they share it.

Your privacy policy should be available in key locations across your website or app, including:

  • Website footer: The most common and expected placement. Users should be able to find your privacy policy link at the bottom of every page.
  • Payment or checkout screens: Add a link near any form where customers enter payment or billing details.
  • Sign-up or contact forms: Display a short privacy notice and link to your full policy wherever users provide personal information.
  • Cookie banners or pop-ups: Include a link so users can easily access your privacy policy and cookie details before giving consent.
  • Account creation or login pages: Ensure users can review your policy before registering or signing in.
  • Privacy or compliance center: If your company handles large volumes of data or operates in multiple regions, consider a dedicated page where users can access your privacy policy, cookie policy, and DSAR forms all in one place.
  • Mobile apps: Add a privacy policy link within the app menu or settings page to meet app store and GDPR transparency requirements. A “layered” notice is best practice. Provide a short, simple summary of the key points (e.g. purposes, rights, controller’s identity) with a clear link or drop-down to access the full detailed policy.

Making your privacy policy accessible in these locations not only supports compliance; it also shows users that your business values openness and accountability.

EU Privacy Policy vs. Cookie Policy: Why You Need Both

A privacy policy and a cookie policy may sound similar, but each serves a distinct purpose and both play a key role in transparency.

Your privacy policy provides a broad overview of how your business collects, uses, shares, and protects personal data. It covers all types of information you process, from account details to payment data.

A cookie policy, on the other hand, focuses specifically on the tracking technologies used on your website. It explains what cookies are active, what they do, who sets them, and how users can manage their preferences.

Having both documents makes it easier for users to find the information they need without wading through dense sections of text. It also shows that your business values clarity and user control, two essentials for building trust online.

How Termly Helps Businesses Make an EU-Compliant Privacy Policy

Creating a privacy policy that meets EU standards can feel complicated, especially when your business collects data across multiple touchpoints.

Termly’s Privacy Policy Generator helps by walking you through a short series of questions about your business, industry, and data practices. It then makes a tailored policy that aligns with your region and legal requirements.

It also allows you to easily make updates as laws change to keep your policy accurate.

With Termly, businesses can save time, minimize manual compliance work, and confidently provide policies that foster trust and transparency.


Written by Hanna De La Garza

Hanna is a Content Writer at Termly, where she creates engaging resources on data privacy, consent management, regulatory updates, and more. She focuses on making complex topics accessible for business owners and contributes to both new content initiatives and updates to existing materials to ensure accuracy and clarity.


Reviewed by Teodor Stanciu, CIPP/E, CIPM, Legal Coordinator & DPO
