Sample GDPR Privacy Policy Template

Last updated on 17 August 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)

Sample GDPR Privacy Policy Template

The EU General Data Protection Regulation (GDPR) is all about transparency, and thus it requires a Privacy Policy. This Privacy Policy must meet GDPR requirements with its content, its display, and how consent it obtained.

In this article, we will take a look at what the GDPR requires, and how you can adapt your Privacy Policy to suit the context of your business. We've also put together a Sample GDPR Privacy Policy Template that you can use to help you write your own.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.
  2. TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  3. Answer some questions about your website or app.
  4. TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  5. Answer some questions about your business.
  6. TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  7. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is the GDPR?

The GDPR is an EU privacy law that requires businesses to disclose their policies regarding the collection, use, storage and deletion of user data while also providing privacy rights to EU consumers.

What is a GDPR Privacy Policy?

A GDPR Privacy Policy is the policy that describes your policies on user data collection and usage in accordance with the GDPR requirements.

A GDPR Privacy Policy is sometimes called a GDPR Privacy Statement or a GDPR Privacy Notice.

A Privacy Policy is mandatory under many privacy laws. And under the GDPR, it's one of the most important documents your company needs to have. It's the only way to demonstrate to your customers, and to the authorities, that you take data protection seriously.

Why is a GDPR Privacy Policy Important?

A Privacy Policy is your company's opportunity to show your customers that you can be trusted with their personal data. It's also a chance to really get to grips with how much personal data your company controls, and whether your data protection practices are legally compliant.

Personal data is big business. Companies like Google and Facebook have revenues larger than some countries. They made their fortunes by processing people's personal data.

The GDPR sets the rules about how personal data should be processed in the EU. It also provides rights to individuals regarding their personal data. Without privacy laws like the GDPR, people would lose control over the information that businesses and governments have collected about them.

Your company may have already produced a Privacy Policy to comply with one of the many other laws that require one, for example:

The GDPR is different. Its requirements are more rigorous than any of the above laws, and anything you produced to comply with these will likely not be sufficient under the GDPR.

Important Sections of a GDPR Privacy Policy

Important Sections of a GDPR Privacy Policy

The GDPR lays down specific requirements about the information you must provide in your Privacy Policy. These are mostly set out at Articles 13 and 14.

An important thing to bear in mind is that this is a public-facing document, and is not written just for your customers. It should be aimed at anyone whose personal data you might process - including potential customers and visitors to your website.

Let's take a look at what you'll need to include.

Introduction

You should start your Privacy Policy with a brief explanation of who your company is, and what your Privacy Policy is.

Include the date from which the Privacy Policy takes effect (the "effective date").

Here's how Visa Global starts its Privacy Policy by letting users know what the company does, and what the Privacy Notice seeks to accomplish:

Visa Global Privacy Notice: Introduction clause

You should include the legal name and business address of your company in the introduction.

Here's how MembersFirst does this:

MembersFirst Privacy Policy: Introduction section with business legal name and address

If you have a Data Protection Officer (DPO) and/or an EU Representative, you must also include their contact details.

You'll notice above that MembersFirst refers to itself as a "data controller." For the purposes of the GDPR, your company is probably a "data controller," too - if it makes decisions about how and why personal data is processed.

Definitions

To help make your Privacy Policy more readable and digestable by your average reader, make sure to define any terms that may be confusing or that have very specific legal meanings that might not be inherently or widely known.

Under Article 12 of the GDPR, your Privacy Policy must be written in clear and accessible language. Therefore, you should do your best to avoid using legal terminology where possible.

In some cases, however, it might be unavoidable. So you should include a section in your Privacy Policy where you give the definitions of key terms.

Some companies give their definitions directly from Article 4 of the GDPR. This is the approach of AEG:

AEG Privacy Policy: Excerpt of Definitions clause

This isn't actually all that helpful for a reader. Arguably, defining a "data subject" as "an identifiable natural person [...] who can be identified, directly or indirectly, in particular by reference to an identifier" does little to clarify what the term actually means to a layperson.

Here's another example from Edgbaston Park Hotel. Its definitions are more accessible and easy to understand.

Edgbaston Park Hotel Privacy Policy: Excerpt of Definitions clause

You can see the differences here between writing in legalese versus writing in a common voice that is far easier to understand.

Principles for Processing Personal Data

Article 5 of the GDPR contains six principles by which all personal data must be processed.

They are:

  1. Lawfulness, fairness, and transparency: Obey the law, only process personal data in a way that people would reasonably expect, and always be open about your data protection practices.
  2. Purpose limitation: You must normally only process personal data for the specific reason you collected it and nothing else.
  3. Data minimization: don't process any more data than you need.
  4. Accuracy: Make sure that any personal data you hold is adequate and accurate.
  5. Storage limitation: Don't store personal data for longer than you need to.
  6. Integrity and confidentiality: Always process personal data securely.

Some companies choose to set these principles out in their Privacy Policy simply by listing them and declaring their compliance with them.

This is the approach taken by CRG:

CRG Privacy Policy: GDPR Principles clause

Others take a more personalized approach, listing their company's specific principles and relating these to the GDPR's principles.

Here's an example from the International Institute for Environment and Development:

IIED Privacy Policy: Principles regarding user privacy and data protection clause

Types of Personal Data You Process

In your Privacy Policy, let your users know the specific types of personal data that you process.

The GDPR's definition of "personal data" is very broad. The chances are that your company processes a lot of it.

Because everything from IP addresses to cookie data constitutes personal data, your website might process personal data from people who will never even contact your company. In your Privacy Policy, you must be absolutely clear about every type of personal data you deal with, and why you need to do this.

Many companies break this part of their Privacy Policy down into sub-sections, such as "data you provide to us," "data collected by our website," etc.

Here's an example from Clearcast:

Clearcast Privacy Policy: How Clearcast collects personal data clause

You can then further break down this information into more detailed categories.

Here's an example of how to do his:

Synthorx Privacy Policy: Excerpt of Information Collected via Technology clause

Be as detailed and specific as possible when disclosing the types of personal data you collect and process. Try to disclose this information in a way that's as easy for your users to understand as possible.

How You Process Personal Data

Under the principles of "purpose limitation" and "data minimization," you must always have a good reason for processing any of the personal data in your possession. And, you must set our your purposes for processing personal data in your Privacy Policy.

Here's an excerpt from the relevant part of The Independent's Privacy Policy:

Independent Privacy Notice: What do we use this data for clause excerpt

This can also be a clause that describes "how" and "why" the data is used, so long as users are informed about what exactly you're doing with the data you collect.

The GDPR only allows you to process personal data on one of six legal (or "lawful") bases. You aren't allowed to process personal data unless you've established a good, legal justification for doing so. Disclose what this legal basis is within your Privacy Policy.

The legal bases for processing a person's personal data are:

  1. Consent: You have earned their permission in a GDPR-compliant way
  2. Contract: You need to process their personal data to fulfill a contract
  3. Legal obligation: You'd be breaking the law if you didn't process their personal data
  4. Vital interests: Their life (or someone else's life) depends on you processing their personal data
  5. Public task: You need to process their personal data to carry out a task that's in the public interest
  6. Legitimate interests: Processing their personal data is in your interests, and you've carried out a Legitimate Interests Assessment

Your Privacy Policy must provide details of your legal bases for processing.

Some companies relate their legal bases to the types of personal data they process and their reasons for processing personal data.

Here's how Pint of Science does this:

Pint of Science Privacy Policy: Excerpt of lawful basis for processing clause

Where you're relying on "legitimate interests," you need to specify what your legitimate interests are.

Where you're using "consent" as a legal basis, you must include reference to your users' right to withdraw consent. Here's how Sharp does this:

Sharp UK Privacy Policy: Your Rights clause with Withdraw Consent section highlighted

If your legal basis is "contract," you need to let people know what will happen if they fail to provide you with the personal data you need to carry out a contract.

Here's how Budget does this:

Budget UK Privacy Policy: Clause for required personal information needed to process a contract

Make sure you know what your legal basis is (or are) and disclose this.

Retention of Personal Data

The principle of "storage limitation" requires that you don't retain personal data any longer than you need it. Your Privacy Policy needs to give details of how long you'll be keeping the different types of personal data you collect.

This won't always be a particular period (i.e. one week, two months, etc.). It may be determined by the length of time for which you need the data (e.g. until the person closes their account).

Here's part of the relevant section in Big Yellow Storage's Privacy Policy:

Big Yellow Privacy Policy: excerpt of data retention clause

If you keep different types of data for different periods of time, disclose this as specifically as possible.

Who You Share Personal Data With

You're allowed to share personal data under the GDPR so long as you're transparent about this, and you have a valid legal basis for doing so. Your Privacy Policy needs to provide details about who you share personal data with.

Note that the GDPR doesn't require you to list the names of every company with whom you share data, only the broad types of company (e.g. payment processors, mail carriers, etc.).

However, make sure you check the Terms and Conditions of companies with whom you have a Data Processing Agreement. Some of them, like Google, require you to name them specifically.

Here's an example of a clause that fulfills Google's disclosure requirements:

Discover France Privacy Policy: Information we collect through Google Analytics clause

The clause explicitly states that "Google Analytics data is shared with Google" which lets users know that a third party (Google) is receiving some of their personal data.

International Transfers of Personal Data

If you transfer personal data from the EU a non-EU country (for example, if your web server is located in the U.S., or you use a data processor based in Australia), you need to explain this in your Privacy Policy.

Under the GDPR, there are only certain reasons that you can transfer personal data out of the EU. This section of your Privacy Policy must explain which mechanisms you use for international transfers.

Belmond takes a different approach, covering all bases in its Privacy Policy:

Belmond Privacy Policy: Data Transfers clause updated

Data Rights

The GDPR grants individuals eight rights over their personal data. Subject to certain conditions, you're required to facilitate these rights when requested to do so, and should describe how users can exercise their rights within your Privacy Policy.

These rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (known as "the right to be forgotten")
  5. The right to restrict processing
  6. The right to data portability
  7. The to object
  8. Rights in relation to automated decision-making

Not all the rights are likely to apply to your company, but you need to be familiar with them regardless.

Your Privacy Policy needs to provide information about these individual rights, and also provide a method by which people can exercise them. This might be a web form, or simply an email address.

Here's how the University of Oxford provides information about some of these rights:

University of Oxford Privacy Policy: Excerpt of GDPR legal rights clause

And here's how people can contact the University in connection with these rights:

University of Oxford Privacy Policy: Excerpt of how to exercise GDPR legal rights clause

The University of Cambridge, on the other hand, facilitates the right of access via an online form:

University of Cambridge: Subject access requests clause

Requests relating to the other rights can be fulfilled via email:

University of Cambridge: Exercising other data protection rights clause

You must also inform your users of their right to make a complaint to a Data Protection Authority, such as the Information Commissioner's Office (ICO) in the UK, or the Data Protection Commission (DPC) in Ireland.

Here's how charity Make-A-Wish does this:

Make-a-Wish Privacy Policy: Complaints clause

Changes to Your Privacy Policy

You should let people know that you might need to make changes to your Privacy Policy, and tell them how you'll inform them about this.

Here's an example from Power to Change:

Power to Change UK Privacy Policy: Changes to this policy clause

It's a good idea to let users know they should regularly review your Privacy Policy to stay up to date with any changes that aren't material and to see the current ways their information is being processed.

Displaying Your GDPR Privacy Policy

Displaying Your GDPR Privacy Policy

Your Privacy Policy must be conspicuous and accessible to anyone who interacts with your business.

A Privacy Policy isn't a contract. You might carry out some data processing under a contract, or subject to your users' consent. But they don't really have any choice as to whether they agree to the Privacy Policy itself.

So whilst you may not need your customers to "agree" to your Privacy Policy in the same way they might agree to your Terms and Conditions or Returns and Refunds Policy, you should try to make sure that they've read it. You can also ask them to confirm that they have done so.

Here are some ways you can make sure it gets noticed

On Your Website

You should place a link to your Privacy Policy on a footer that persists across each page of your website. You can place it alongside other policies, such as your Terms and Conditions or Acceptable Use Policy.

Here's how The Times does this:

The Times UK website footer with Privacy and Cookie Policy link highlighted

If you run an ecommerce store, you should make sure your customers are able to read your Privacy Policy at the point where they make a purchase. Here's an example from Amazon UK:

Amazon UK checkout screen showing Privacy Policy link

Whenever you ask your users for consent, you should also draw their attention to your Privacy Policy.

Here's how Profile Editions does this when requesting direct marketing consent:

Profile Editions email newsletter sign-up form with Privacy Policy highlighted

Make sure your Privacy Policy is consistently available so your users can view it any time. Include it at points where you're collecting personal information (like email addresses or payment information) as a reminder that your users can check to see how you'll be using that personal information.

On Your Mobile App

If your company has a mobile app, it's important that your users can access your Privacy Policy from inside the app.

For example, the Just Eat app provides a link to its Privacy Policy in the Help menu:

Screenshot of Just Eat app Help menu

The Settings menu or Legal menu are other areas users know to look for a Privacy Policy.

If your users can create an account in your app, it's important to present your Privacy Policy at the moment you collect their information.

Here's how Facebook does this (note that Facebook calls its Privacy Policy its "Data Policy"):

Facebook app sign-up screen with Data Policy link

In Your Communications

Whenever you send an automated email, you should link to your Privacy Policy in the footer. This is particularly important where you're sending direct marketing communications.

Here's an example from Waitrose:

Waitrose email footer with Privacy Policy link highlighted

FAQs about GDPR Privacy Policies

Here is a list of frequently asked questions that you may find useful.

If you fall under the jurisdiction of the GDPR, you must have a GDPR-compliant Privacy Policy.

The GDPR applies to you if you:

  • Are located in the EU, or
  • Offer goods and services to individuals located in the EU, or
  • Monitor the behavior of individuals located in the EU

Even if you don't fall under the GDPR's scope, making your Privacy Policy be GDPR-compliant is a smart idea. The GDPR is currently the strictest privacy law in the world and other laws are starting to mirror it.

As new privacy laws are legislated and existing laws get stricter, you'll be ahead of the curve with compliance if you make your Privacy Policy compliant with the GDPR now.


Summary of Your GDPR Privacy Policy

Writing a Privacy Policy is one of the most important legal obligations under the GDPR. To ensure it's up to the EU's strict standards, make sure you include:

  • An introduction that explains the purpose of the document
  • The date that the Privacy Policy takes effect (or the date of its last update)
  • Your company's name and contact details
  • Name and contact details for important roles (DPO, EU Rep, etc.)
  • Your data protection principles
  • The types of personal data you process
  • How and why you process personal data
  • Your legal bases for each act of processing
  • How long you retain personal data
  • The types of third parties with whom you share personal data
  • Details of any transfers to non-EU countries
  • Notification of how changes to the Privacy Policy will be communicated

Download Sample GDPR Privacy Policy Template

Generate a Privacy Policy in just a few minutes

Our free GDPR Privacy Policy downloadable template includes the following sections:

  • Definitions
  • Collecting and Using Personal Information
  • Usage Data
  • Use of Personal Information
  • Transfer of Personal Information
  • Disclosure of Personal Information
  • Security of Personal Information
  • GDPR Privacy
  • Links to Other Websites
  • Changes to Privacy Policy
  • Contact Information

Sample GDPR Privacy Policy Template (HTML Text Download)

You can download the Sample GDPR Privacy Policy Template as HTML code below. Copy it from the box field below (right-click > Select All and then Copy-paste) and then paste it on your website pages.

Sample GDPR Privacy Policy Template (PDF Download)

Download the Sample GDPR Privacy Policy Template as a PDF file

Sample GDPR Privacy Policy Template (DOCX Download)

Download the Sample GDPR Privacy Policy Template as a DOCX file

Sample GDPR Privacy Policy Template (Google Docs Download)

Download the Sample GDPR Privacy Policy Template as a Google Docs document

Screenshot of the Sample GDPR Privacy Policy Template

More Privacy Policy Templates

More specific Privacy Templates are available on our blog.

Sample Privacy Policy Template A Privacy Policy for all sorts of businesses.
Sample Mobile App Privacy Policy Template A Privacy Policy for mobile apps on Apple App Store or Google Play Store.
Sample CCPA Privacy Policy Template A Privacy Policy for businesses that need to comply with CCPA.
Sample California Privacy Policy Template A Privacy Policy for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA).
Sample Virginia CDPA Privacy Policy Template A Privacy Policy for businesses that need to comply with Virginia's CDPA.
Sample PIPEDA Privacy Policy Template A Privacy Policy for businesses that need to comply with Canada's PIPEDA.
Sample Ecommerce Privacy Policy Template A Privacy Policy for ecommerce businesses.
Small Business Privacy Policy Template A Privacy Policy for small businesses.
Privacy Policy for Google Analytics (Sample) A Privacy Policy for businesses that use Google Analytics.
Sample CalOPPA Privacy Policy Template A Privacy Policy for businesses that need to comply with California's CalOPPA.
Sample SaaS Privacy Policy Template A Privacy Policy for SaaS businesses.
Sample COPPA Privacy Policy Template A Privacy Policy for businesses that need to comply with California's COPPA.
Sample CPRA Privacy Policy Template A Privacy Policy for businesses that need to comply with California's CPRA.
Blog Privacy Policy Sample A Privacy Policy for blogs.
Sample Email Marketing Privacy Policy Template A Privacy Policy for businesses that use email marketing.

Create Privacy Policy, Terms & Conditions and other legal agreements in a few minutes. Free to use, free to download.

Get started today ⇢

Robert Bateman

Robert Bateman

Privacy and Data Protection Research Writer at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.