When the EU’s General Data Protection Regulation (GDPR) was passed in 2016, it created several rules that businesses and website owners must comply with.
One of these rules was having a comprehensive and GDPR-compliant privacy policy to outline how they handle user data.
Below we’ll provide you with a free GDPR privacy policy template and go over what it includes and where you should post it on your site.
Standardize data protection across all member countries
Create greater transparency for EU citizens to understand how their data is used
Allow users to easily opt out of data collection and file complaints when necessary
Develop strong protective measures for EU citizens regardless of where a business is located
The inclusion of a privacy policy on a business’s website is one of the many provisions covered by the GDPR.
Privacy policies are far from a new concept. They have been a part of business practices for decades, but the GDPR has specific requirements that have altered or expanded upon the policies that many organizations previously had in place.
While a GDPR-centric privacy policy should be customized for your business, there are certain standards it should meet, such as:
Written in clear and plain language that is easy for all users to understand
Concise and intelligible, leaving out unessential or distracting information
Transparent so that users know exactly how their data is being used and collected
Cost-free so that there are no impediments to access
Easily accessible so that users do not have to search in order to read it
Does Your Business Need a GDPR-compliant Privacy Policy?
The need for a privacy policy that complies with the GDPR is dependent on two factors: whether you collect personal data and whether you offer goods or services to any citizen within the EU.
While there are exceptions, a significant number of websites satisfy both of these requirements and, thus, need to have a GDPR-compliant privacy policy.
Even if you don’t realize that your business’s website collects data, it is your responsibility to comply, and you will be penalized if you fail to do so. Ignorance does not equate to a lack of accountability.
Never assume that your website does not collect customer information, and keep in mind that almost all websites collect at least some data through cookies. In general, your website collects data if it:
Is hosted by an outside company
Has plugins
Includes social media buttons
Utilizes analytics tools
If any of these attributes apply to your website, it is likely that you are collecting and processing customer data.
In addition to analyzing your website’s data collection, you will also need to consider your customer base.
There is sometimes a misconception that only businesses with headquarters within the EU need to comply with the GDPR. In reality, it is not the location of the business but rather the location of the customers that matters.
Businesses face severe penalties for failing to comply with the GDPR.
The maximum fine for a violation is 4% of a company’s annual global revenues or $22.8 million, whichever is greater. Initially, companies were fined at a relatively slow pace, but regulators have become more strict as time has passed. In fact, the year 2021 saw $1.2 billion in GDPR fines.
What’s Inside a Privacy Policy That Complies With the GDPR?
Fortunately, your business can avoid the costly penalties that result from a missing or insufficient privacy policy. The key to compliance is ensuring that you have included all the necessary information for your business or organization.
Contact Information
First, your policy must identify who is processing the customer’s data.
However, simply stating your name or the name of your business is not enough. You must also give a physical address or phone number and identify the data protection officer responsible for ensuring that all data is securely processed and stored.
Legal Basis
Your policy needs to include a legal justification for why your business is collecting data from consumers.
Consent: The user has provided clear consent for data collection.
Contract: The collection of data is a necessary component of a contract between your business and the user.
Legal obligation: Your business is legally obligated to collect user data.
Vital interests: Data collection is necessary to protect human life.
Public task: Your business must collect data so that you can perform a task in the public interest.
Legitimate interests: Data is necessary for your business’s legitimate interests.
Although consent and legitimate interest are the most frequently used legal bases, you should base your selection on the structure and services provided by your business. Your privacy policy must clearly identify which basis or bases you have chosen.
You should use the official terminology laid out by the GDPR so that there is no mistaking your intention.
Purpose
In addition to the legal basis for processing data, your business must also articulate its purpose for collecting this specific information.
For example, you might use the data you collect to customize the user experience on your website. Or, you might use the data to verify a user’s identity, send messages or updates, or improve the website’s design.
The explanation of why your business needs data from consumers should be specific and detailed. Saying that you use data for personalization is much too broad. Instead, your policy should identify what is involved in this personalization.
At times, it’s prudent to include multiple purposes for different kinds of data. After all, you may collect home addresses for a different reason than the one for which you collect email addresses.
Data Collection, Use, and Transfer
Your business is obligated to explain not only why you are processing data but also how it will be collected, used, and transferred. As you outline your privacy policy, follow these steps:
Identify the method you use for collecting data, such as cookies.
Make clear whether you transfer the data internationally.
Indicate whether you will send the data to any third parties, no matter where they are located.
Disclose any automated decision-making, such as credit scoring, that involves customers’ data.
You might give each of these details a separate section within your business’s privacy policy. You can also incorporate them into a single section as long as they are well-defined and distinguishable.
Remember that addressing one of these points does not mean that you have achieved full compliance. In other words, if you reveal that you transfer information to third parties but do not divulge that those third parties are international, you have failed to comply with the GDPR.
Data Types
Consumers deserve to know not only that you are collecting their data but also exactly what information is being used. The GDPR’s definition of personal data is quite broad, so you may be processing more types than you realize.
Personal data essentially boils down to any information that clearly references a specific person. Depending on the context and the amount of data processed, this might include a user’s:
Date of birth
Social Security number
Phone number
Physical or email address
Personal description, such as eye color and weight
Workplace and education details
Religion
Political affiliation
Medical history
Genetic data
IP address
Much of this information on its own would not be enough to identify a particular individual. For instance, knowing a person’s religious beliefs does little to narrow down a pool of possible individuals. However, if you collect several types of data at once, such as the person’s religion, physical address, and date of birth, this may be enough for definitive identification.
Ultimately, it is your business’s responsibility to protect all personal data.
If you’re unsure of whether a certain piece of information falls into this category, it is best to be cautious. Include it in your privacy policy so that you avoid an accidental GDPR violation.
Data Storage and Security
The GDPR does not provide a specific limit on the amount of time for which your business can store a user’s data. However, that doesn’t mean you can keep your users’ data indefinitely.
The regulation states that businesses should store data for the shortest amount of time possible. Businesses may translate this as a set time span, such as three months or a year, or they may choose to keep the information as long as is necessary for tasks to be completed.
After that point, the data should be removed and the retention period that your business establishes must be included in your privacy policy.
In addition to explaining how long you will be storing personal data, it is also wise to identify the security measures that you have taken to protect it. This reassures your customers that you have their best interests at heart and prioritize their privacy.
Data Rights
The GDPR defines the eight rights of users. They must be listed in some form within your privacy policy so that customers are fully aware of what actions they can take with regard to their data:
The right to be informed of how their data is collected and processed
The right of access to any of their data that has been collected
The right of rectification to any inaccurate or incomplete data
The right to erasure of any and all data
The right to restrict processing to only certain types
The right to data portability so that data can be retained and reused for other purposes
The right to object to the use of their data for specific processing activities
Rights in relation to automation so that decisions are not made about the user based exclusively on automated processing
While listing these rights fulfills one aspect of the GDPR’s requirements, there is an additional step. Your privacy policy should also indicate the method by which these rights can be enacted.
You might provide a business phone number or a web form that can be used to make a specific data request.
Policy Changes
There will likely be times when you need to update your business’s privacy policy to accommodate changes in the company structure, the data you process, or how you use this data. One of the many possibilities is that, over time, you may incorporate a new feature into your site that requires information that you did not previously collect.
When you make changes to your privacy policy, it is important to promptly inform your website users.
You should be up front about the potential for changes and articulate the possibility within your privacy policy. Likewise, you should explain how users will be notified about policy changes, such as by email.
Where To Post Your GDPR Privacy Policy
The most important thing to consider when deciding where to include your privacy policy is whether it is easily accessible, which is a core requirement of the GDPR.
Inside Current Legal Policies
You should add a link to your privacy policy from your current legal policies or terms and conditions. If you choose to link to your privacy policy from these documents, make sure that it is clearly labeled.
Informational Menus or Sections
Another logical place to include a link to your business’s privacy policy is in the website’s informational menu or sections, particularly those that relate to the history or background of your organization. In many cases, a business has an “About Us” section that includes a reference and a link to the privacy policy.
Website Footer
Website footers are the most common location for privacy policies, and they’re often the first place a customer looks when seeking such policies.
Including a clearly labeled privacy policy link at the bottom of the webpage helps it stand out and makes it easier for customers to locate and identify the policy. However, scrolling to the bottom of certain websites is impractical, in which case it may be better to include the link elsewhere.
Banners and Pop-Ups
If you want to ensure that your site’s visitors do not miss the privacy policy, you can create a pop-up or banner that appears at a specific point during a customer’s interaction with the site.
During Sign-Up
Many business websites include an opportunity to sign up for a mailing list, a newsletter, or a free download like an e-book. Your organization’s privacy policy should be included in the process of signing up because this is a point at which many users are asked to provide personal data.
During Checkout
Similarly, you might include your privacy policy during the checkout process. Checkout, by nature, requires the disclosure of personal information like a person’s name, address, email address, and phone number. It is, therefore, highly appropriate to provide a direct reference to your privacy policy on your site’s checkout screen.
Good Examples of GDPR-compliant Privacy Policies
One of the best ways to know how to create a strong privacy policy is to look at examples from other businesses. However, do not be tempted to simply copy and paste a policy for your own business. The details in your privacy policy will differ from those of other companies, and copying could lead to a compliance failure.
Meta
Facebook Inc. was recently converted to Meta Platforms, which owns some of the world’s biggest companies, including Instagram, Messenger, and WhatsApp. As a result, Meta has created an extensive new privacy policy.
Meta’s policy is especially effective because the information is clearly organized, with a table of contents on the left for quick access. It also offers the information in multiple formats, with much of the policy described in short videos as well as text.
Many sections of the policy include direct links to the corresponding pages within Meta’s products, particularly Facebook.
For example, the section of the policy devoted to how information is shared offers a link to the specific locations on Facebook and Instagram where users can change the information that they have shared with third-party apps and websites.
Finally, Meta’s policy complies with the GDPR by including all of the necessary sections, creating a transparent experience for users.
Instacart
While Instacart’s privacy policy is less aesthetically pleasing than Meta’s, it is clearly organized. In particular, Instacart is specific when describing how information is used and shared.
The policy also includes direct links so that users can exercise their rights to have information changed, deleted, or corrected, which is a critical component of the GDPR.
Target
The privacy policy for Target has convenient links at the top of the page so that customers can jump to specific topics. This is an important feature because the policy is incredibly detailed, which could otherwise present challenges in locating specific information and, thus, violate the GDPR’s requirement for clarity.
Target’s policy is also an excellent example of a policy with distinctions under each section. For example, there are separate subheaders for each method of data collection, such as social media widgets, mobile location information, and cameras.
Stripe
The privacy policy on Stripe’s website satisfies the GDPR’s requirement for using clear, direct, and intelligible language that can be easily understood by all users. The first section of the policy includes definitions for many of the terms used, which prevents confusion from arising later on.
To clearly align with GDPR requirements, Stripe specifically labels sections for legal bases, rights, security and retention, and international data transfers.
Download Our Free GDPR Privacy Policy Template
Expand the box below to view our sample GDPR privacy policy template in its entirety, or click the button to download the sample in Microsoft Word and PDF formats.
Both template formats can be easily added to the HTML of your site.
Thank you for choosing to be part of our community at [business name] (“company”, “we”, “us”, or “our”). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about our policy, or our practices with regards to your personal information, please contact us at [contact email].
When you visit our website [website] (“Site”) and use our services, you trust us with your personal information. We take your privacy very seriously. In this privacy notice, we describe our privacy policy. We seek to explain
Creating a privacy policy with all of the necessary information is an important step toward ensuring that your business is complying with the GDPR and other privacy laws.
If your business offers any services or goods to EU citizens, it is essential that you comply with the GDPR. Using our GDPR privacy policy template is free and helps you verify that you have addressed all of the required points to achieve full compliance.
Remember that your privacy policy must be clear and easy for users to understand. Even a policy that addresses every point of the GDPR could lead to violations if it is too general, vague, or complex.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes... More about the author
Build Your Privacy Policy
Answer a few simple questions to have your fully compliant policy generated in MINUTES!