At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- 2.1. Introduction
- 2.2. Identity of the Data Controller
- 2.3. Categories of Personal Data Processed
- 2.4. Your Purposes and Legal Basis
- 2.5. Storage Period
- 2.6. Recipients of Personal Data
- 2.7. Sources of Personal Data
- 2.8. International Data Transfers
- 2.9. Data Subject Rights
- 3. Do I Need a Separate Cookies Policy?
- 5. Summary
The GDPR states that any information provided to data subjects (living individuals) must be:
- Easily accessible
You must use "clear and plain language,"particularly if you believe children may use your services.
Note that there are slightly different rules depending on whether you obtain personal data directly or indirectly from the data subject. The guidance below covers both scenarios.
Identity of the Data Controller
For most purposes, your company is likely to be "the controller," so you should provide your company's name and contact details. You should also mention if you act as a "joint controller" in some circumstances.
Here's how The Access Group meets all these requirements:
Categories of Personal Data Processed
You should explain the categories (types) of personal data you process.
Keep in mind that both "personal data" and "processing" are very broad terms under the GDPR. Read more in What Activities Count as Processing Under the GDPR?
Your Purposes and Legal Basis
You must explain your purposes for processing each category of personal data, plus your legal basis for processing each category of personal data.
You could present this information in a table, listing the categories of personal data in one column, followed by your legal basis for processing, and finally, your purposes for processing.
Here's how Bactobio does this:
If you rely on the legal basis of "legitimate interests," you must provide further information about the legitimate interests that you or a third party are pursuing.
Here's how Experian does this:
If you're relying on "contract" or "legal obligation," you must explain what will happen if the data subject fails to provide the personal data.
Here's how Design Integration does this:
You must explain how long you will store personal data. This can be a specific duration (e.g., two years) or linked to a particular action (e.g., "until you delete your account").
Here's how Snap does this:
Recipients of Personal Data
You must list any processors, other controllers, or third parties that will receive the personal data you control.
You can list the "categories" of recipients if you don't yet know the names of some recipients (for example, if you are planning to launch an email marketing campaign but have not yet selected a vendor).
Here's how Zeidler lists its third-party recipients of personal data:
Sources of Personal Data
If you obtain personal data indirectly from the data subject (including from third parties, public sources, or third-party cookies), you must list your sources of personal data. Many Privacy Policies also list the types of personal data they receive directly from data subjects.
Here's how Lajna UK does this:
International Data Transfers
If you transfer personal data outside of the EU (or any other jurisdiction where the GDPR directly applies, such as the UK), you must explain which international data transfer safeguards you use for this.
Here's how The Guardian does this:
Data Subject Rights
Here's how Air Quality News lists the rights of data subjects under the GDPR:
If you rely on consent for any processing of personal data, you should also notify people of their right to withdraw consent.
Here's how Advocacy Matters does this:
You must also disclose that people have the right to lodge a complaint with a data protection authority about how you have processed their personal data.
Here's an example from Experian:
If you engage in "automated individual decision-making with legal or similarly significant effects" (for example, AI-driven recruiting or credit checks), you must notify people about their rights in this area.
Here's an example from Chubb:
Check out our article Privacy Laws By Country for more detailed information.
Do I Need a Separate Cookies Policy?
Cookies that collect personal data (which includes most marketing and analytics cookies) are also covered by the GDPR. All the above transparency rules apply to your use of these cookies.
- What cookies are
- Which cookies you use
- Your purposes for using each cookie
- Which third parties might have access to your users' data via these cookies
- How long cookies will remain on a user's device
- How users can control cookies
You can display some of this information in a table. Here's how the European Commission does this:
- On your website's homepage
- On your cookie banner or within your cookie consent notice
- On any webpage on which you collect personal data (for example, via cookies)
- Alongside forms that collect personal data
- At checkout
- Within the "settings" menu (or other relevant menu) of your mobile app
- In any other location where you collect personal information
The identity and contact details of the data controller, including (if applicable):
- Contact details for your EU representative
- Contact details for your data protection officer (DPO)
The categories of personal data you process
Your purposes for processing personal data
Your legal bases for processing personal data
- If you rely on "legitimate interests," details about the legitimate interests you're pursuing
- If you rely on "contract" or "legal obligation," information about what will happen if the data subject fails to provide personal data
Information about how long you will store personal data
Details of any recipients of personal data
Information about your sources of personal data
Information about the safeguards you rely on for any international transfers of personal data
Information about the GDPR's data subject rights, including:
- An explanation of each data subject right
- Instructions on how to exercise each right
- If you rely on consent, instruction on how to withdraw consent
- If you engage in certain types of automated processing, information on the rights of data subjects in this area
- Details of the relevant data protection authority (DPA) if people wish to make a complaint