Without this policy, you’re at risk of noncompliance fines that could put you out of business.
- Small businesses
- Websites (including WordPress)
- Ecommerce platforms (e.g., Shopify, WooCommerce)
For more template options, check out our full library of privacy policies and GDPR templates.
What is the GDPR?
Here’s a brief GDPR overview:
The GDPR is a global data privacy law in effect since May 25, 2018. Passed by the EU, it gives users more rights over the personal information they share with businesses, and penalizes companies that are negligent with this data.
Fines for noncompliance are huge — up to $23 million, or 4% of your annual global turnover.
Increased digital transparency is at the heart of the GDPR, so companies must clearly explain how they process user data. Three articles within the law address this requirement:
- Article 12 — Information about data collection, storage, and transfer must be presented to users in writing.
- Article 13 — If you collect users’ data, you need to provide them with certain information, such as your contact details and data-processing purposes.
- Article 14 — When data is not directly collected from the user, you need to provide details about relevant partners, affiliates, or third parties.
According to Article 12 of the GDPR, information about data processing must be presented:
…in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Your policy should be written to help users make informed choices about sharing their personal data — not deceive or confuse them.
Users must be able to:
“…determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used.”
To appreciate the importance of transparency, look at the recent Google GDPR fine. The tech giant was penalized for excessively spreading vital information across many of its policy documents, and misleading users.
Appropriate contact details
- Data controllers
- Data processors
- EU representatives (if applicable)
- Data protection officers (if applicable)
If you collect user data, then your company is the data controller. A data processor is any company you hire to process data on your behalf. Large organizations may hire a data protection officer to monitor their compliance, and an EU representative if they are not based in the EU.
The basis on which data is being processed
Article 6 of the GDPR establishes the following six legal bases on which data can be lawfully processed:
- With consent of the data subject
- For the legitimate interests of the data controller
- For the performance of a contract
- To comply with a legal obligation
- To protect the vital interests of the data subject
- In public interest
Our free template includes the section above, which introduces a data policy based on a variety of business purposes.
Automated decision-making and/or auto-profiling
Article 22 of the GDPR explains that individuals have the right not to be subject to a decision made solely by automated processing (without any human involvement). This is a unique requirement of the GDPR, as specifying such decision-making activity was not previously mandated by any privacy law.
To whom data may be transferred
The GDPR requires companies to say who is involved in data processing. You need to list all categories of third parties, partners, and affiliates with whom data may be shared.
As seen above, if such data sharing could occur as part of a merger or acquisition, you need to state this too.
To which countries data may be transferred
If cookies and other tracking technologies are used
Under the GDPR, information collected from cookies and other tracking technologies (such as pixel tags) is considered personal data.
Therefore, cookies should be listed as a data-collection method, and treated with the same considerations as other methods.
How long data may be stored
The GDPR requires you to state how long data will be stored, and advises you to include the reasoning behind these time periods.
What rights users have under the GDPR
GDPR Articles 12–22 establish the eight fundamental rights of data subjects:
- The right to be informed
- The right to access
- The right to rectification (correction)
- The right to erasure (to be forgotten)
- The right to restriction of processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making
How users can act on those rights
The list of data subject rights needs to include directions on how users can act upon those rights. GDPR privacy policies should give directions, information, and appropriate links to assist users who wish to act upon any of the rights listed above.
These are all good examples of GDPR privacy policies, but remember that although it’s useful to draw inspiration from such policies, they aren’t templates for GDPR compliance. Copying another company’s clauses without modification will confuse users, and lead to legal trouble.
Contact information for Etsy’s data protection officer is displayed prominently, as are details for its data protection authority.
If users are skeptical about Etsy’s data collection practices — or if they have a complaint — they know exactly who to reach.
You should now have a good idea of what a privacy statement is, and all the key clauses and characteristics it must include to be compliant under the GDPR.
- Your policy should maximize transparency by using clear language