Sample GDPR Privacy Policy Template

Sample GDPR Privacy Policy Template

One of the most important concepts in the EU General Data Protection Regulation (GDPR) is transparency. Individuals own their personal data. As a company that's involved in processing that personal data, you must disclose everything that you do with it. This is why having a Privacy Policy is so important.

A Privacy Policy is mandatory under many privacy laws. And under the GDPR, it's one of the most important documents your company has. It's the only way to demonstrate to your customers, and to the authorities, that you take data protection seriously.

A GDPR Privacy Policy is sometimes called a GDPR Privacy Statement or a GDPR Privacy Notice.

Let's take a look at what the law requires, and how you can adapt your Privacy Policy to suit the context of your business.

Why is a GDPR Privacy Policy Important?

Personal data is big business. Companies like Google and Facebook have revenues larger than some countries. They made their fortunes by processing people's personal data.

The GDPR sets the rules about how personal data should be processed in the EU. It also provides rights to individuals regarding their personal data. Without privacy laws like the GDPR, people would lose control over the information that businesses and governments have collected about them.

A Privacy Policy is your company's opportunity to show your customers that you can be trusted with their personal data. It's also a chance to really get to grips with how much personal data your company controls, and whether your data protection practices are legally compliant.

Your company may have already produced a Privacy Policy to comply with one of the many other laws that require one, for example:

The GDPR is different. Its requirements are more rigorous than any of the above laws, and anything you produced to comply with these will likely not be sufficient under the GDPR.

Important Sections of a GDPR Privacy Policy

Important Sections of a GDPR Privacy Policy

The GDPR lays down specific requirements about the information you must provide in your Privacy Policy. These are mostly set out at Articles 13 and 14.

An important thing to bear in mind is that this is a public-facing document, and is not written just for your customers. It should be aimed at anyone whose personal data you might process - including potential customers and visitors to your website.

There are two main reasons why you need a Privacy Policy:

✓ They're legally required: Privacy Policies are legally required by global privacy laws if you collect or use personal information.

✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.

Excerpt from TermsFeed Testimonials:

"I needed an updated Privacy Policy for my website with GDPR coming up. I didn't want to try and write one myself, so TermsFeed was really helpful. I figured it was worth the cost for me, even though I'm a small fry and don't have a big business. Thanks for making it easy."

Stephanie P.
Generated a Privacy Policy

Generate a Privacy Policy, 2020 up-to-date, for your business (web, mobile and others) with the Privacy Policy Generator from TermsFeed.

Let's take a look at what you'll need to include.

Introduction

You should start your Privacy Policy with a brief explanation of who your company is, and what your Privacy Policy is.

Include the date from which the Privacy Policy takes effect (the "effective date").

Here's how Visa Global starts its Privacy Policy:

Visa Global Privacy Policy: Introduction section with effective date

You should include the legal name and business address of your company.

Here's how MembersFirst does this:

MembersFirst Privacy Policy: Introduction section with business legal name and address

If you have a Data Protection Officer (DPO) and/or an EU Representative, you must also include their contact details.

You'll notice above that MembersFirst refers to itself as a "data controller." For the purposes of the GDPR, your company is probably a "data controller," too - if it makes decisions about how and why personal data is processed.

Definitions

Under Article 12 of the GDPR, your Privacy Policy must be written in clear and accessible language. Therefore, you should do your best to avoid using legal terminology where possible.

In some cases, however, it might be unavoidable. So you should include a section in your Privacy Policy where you give the definitions of key terms.

Some companies give their definitions directly from Article 4 of the GDPR. This is the approach of AEG:

AEG Privacy Policy: Excerpt of Definitions clause

This isn't actually all that helpful for a reader. Arguably, defining a "data subject" as "an identifiable natural person [...] who can be identified, directly or indirectly, in particular by reference to an identifier" does little to clarify what the term actually means to a layperson.

Here's another example from Edgbaston Park Hotel. Its definitions are more accessible and easy to understand.

Edgbaston Park Hotel Privacy Policy: Excerpt of Definitions clause

You can see the differences here between writing in legalese versus writing in a common voice that is far easier to understand.

Principles for Processing Personal Data

Article 5 of the GDPR contains six principles by which all personal data must be processed.

They are:

  1. Lawfulness, fairness, and transparency: obey the law; only process personal data in a way that people would reasonably expect; always be open about your data protection practices.
  2. Purpose limitation: you must normally only process personal data for the specific reason you collected it and nothing else.
  3. Data minimization: don't process any more data than you need.
  4. Accuracy: make sure that any personal data you hold is adequate and accurate.
  5. Storage limitation: don't store personal data for longer than you need to.
  6. Integrity and confidentiality: always process personal data securely.

Some companies choose to set these principles out in their Privacy Policy simply by listing them and declaring their compliance with them. This is the approach taken by CRG:

CRG Privacy Policy: GDPR Principles clause

Others take a more personalized approach, listing their company's specific principles and relating these to the GDPR's principles. Here's an example from the International Institute for Environment and Development:

IIED Privacy Policy: Principles regarding user privacy and data protection clause

Types of Personal Data You Process

The GDPR's definition of "personal data" is very broad. The chances are that your company processes a lot of it.

Because everything from IP addresses to cookie data constitutes personal data, your website might process personal data from people who will never even contact your company. In your Privacy Policy, you must be absolutely clear about every type of personal data you deal with, and why you need to do this.

Many companies break this part of their Privacy Policy down into sub-sections, such as "data you provide to us," "data collected by our website," etc.

Here's an example from Clearcast:

Clearcast Privacy Policy: How Clearcast collects personal data clause

You can then further break down this information into more detailed categories. Here's how Synthorx does this:

Synthorx Privacy Policy: Excerpt of Information Collected via Technology clause

Be as detailed and specific as possible when disclosing the types of personal data you collect and process. Try to disclose this information in a way that's as easy for your users to understand as possible.

How You Process Personal Data

Under the principles of "purpose limitation" and "data minimization," you must always have a good reason for processing any of the personal data in your possession.

You must set our your purposes for processing personal data in your Privacy Policy.

Here's an excerpt from the relevant part of The Independent's Privacy Policy:

Independent Privacy Policy: Excerpt of For what purposes do we use this data clause

This can also be a clause that describes "how" and "why" the data is used, so long as users are informed about what exactly you're doing with the data you collect.

The GDPR only allows you to process personal data on one of six legal (or "lawful") bases. You aren't allowed to process personal data unless you've established a good, legal justification for doing so.

The legal bases for processing a person's personal data are:

  1. Consent: you have earned their permission in a GDPR-compliant way
  2. Contract: you need to process their personal data to fulfill a contract
  3. Legal obligation: you'd be breaking the law if you didn't process their personal data
  4. Vital interests: their life (or someone else's life) depends on you processing their personal data
  5. Public task: you need to process their personal data to carry out a task that's in the public interest
  6. Legitimate interests: processing their personal data is in your interests, and you've carried out a Legitimate Interests Assessment

Your Privacy Policy must provide details of your legal bases for processing.

Some companies relate their legal bases to the types of personal data they process and their reasons for processing personal data. Here's how Pint of Science does this:

Pint of Science Privacy Policy: Excerpt of lawful basis for processing clause

Where you're relying on "legitimate interests," you need to specify what your legitimate interests are.

Where you're using "consent" as a legal basis, you must include reference to your users' right to withdraw consent. Here's how Sharp does this:

Sharp UK Privacy Policy: Your Consent clause

If your legal basis is "contract," you need to let people know what will happen if they fail to provide you with the personal data you need to carry out a contract. Here's how Budget does this:

Budget UK Privacy Policy: Clause for required personal information needed to process a contract

Make sure you know what your legal basis is (or are) and disclose this.

Retention of Personal Data

The principle of "storage limitation" requires that you don't retain personal data any longer than you need it. Your Privacy Policy needs to give details of how long you'll be keeping the different types of personal data you collect.

This won't always be a particular period (i.e. one week, two months, etc.). It may be determined by the length of time for which you need the data (e.g. until the person closes their account).

Here's part of the relevant section in Big Yellow Storage's Privacy Policy:

Big Yellow Privacy Policy: excerpt of data retention clause

If you keep different types of data for different periods of time, disclose this as specifically as possible.

Who You Share Personal Data With

You're allowed to share personal data under the GDPR so long as you're transparent about this, and you have a valid legal basis for doing so. Your Privacy Policy needs to provide details about this.

Here's part of the relevant section of First Table's Privacy Policy:

First Table Privacy Policy: Excerpt of clause about sharing personal data with third party processors

Note that the GDPR doesn't require you to list the names of every company with whom you share data, only the broad types of company (e.g. payment processors, mail carriers, etc.).

However, make sure you check the Terms and Conditions of companies with whom you have a Data Processing Agreement. Some of them, like Google, require you to name them specifically.

Here's how Discover France fulfills Google's disclosure requirements:

Discover France Privacy Policy: Information we collect through Google Analytics clause

The clause explicitly states that "Google Analytics data is shared with Google" which lets Discover France users know that a third party (Google) is receiving some of their personal data.

International Transfers of Personal Data

If you transfer personal data from the EU a non-EU country (for example, if your web server is located in the US, or you use a data processor based in Australia), you need to explain this in your Privacy Policy.

There are only certain reasons that you can transfer personal data out of the EU. These include:

  • The non-EU country to which you're transferring personal data has been deemed to have "adequate" data protection by the European Commission;
    • "Adequate" countries include Canada and New Zealand. The United States is included, but only if the US company is part of the Privacy Shield framework.
  • You have a contract with the recipient that contains standard data protection clauses;
  • You're transferring personal data within a multinational company (or a group of companies working together) subject to binding corporate rules;
  • As a last resort, and with certain other conditions in place, you have the person's consent to transfer their data.

This section of your Privacy Policy must explain which of these mechanisms you use for international transfers.

VIDA Diagnostics uses standard contractual clauses to facilitate its international transfers. Here's how VIDA explains this in its Privacy Policy:

VIDA EU Privacy Policy: Model Clauses clause

Belmond takes a different approach, covering all bases in its Privacy Policy:

Belmond Privacy Policy: Data transfers clause

Data Rights

The GDPR grants individuals eight rights over their personal data. Subject to certain conditions, you're required to facilitate these rights when requested to do so.

These rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (known as "the right to be forgotten")
  5. The right to restrict processing
  6. The right to data portability
  7. The to object
  8. Rights in relation to automated decision-making

Not all the rights are likely to apply to your company, but you need to be familiar with them regardless.

Your Privacy Policy needs to provide information about these individual rights, and also provide a method by which people can exercise them. This might be a web form, or simply an email address.

Here's how the University of Oxford provides information about some of these rights:

University of Oxford Privacy Policy: Excerpt of GDPR legal rights clause

And here's how people can contact the University in connection with these rights:

University of Oxford Privacy Policy: Excerpt of how to exercise GDPR legal rights clause

The University of Cambridge, on the other hand, facilitates the right of access via an online form:

University of Cambridge: Subject access requests clause

Requests relating to the other rights can be fulfilled via email:

University of Cambridge: Exercising other data protection rights clause

You must also inform your users of their right to make a complaint to a Data Protection Authority, such as the Information Commissioner's Office (ICO) in the UK, or the Data Protection Commission (DPC) in Ireland.

Here's how charity Make-A-Wish does this:

Make-a-Wish Privacy Policy: Complaints clause

Changes to Your Privacy Policy

You should let people know that you might need to make changes to your Privacy Policy, and tell them how you'll inform them about this.

Here's an example from Power to Change:

Power to Change Privacy Policy: Changes to this policy clause

It's a good idea to let users know they should regularly review your Privacy Policy to stay up to date with any changes that aren't material and to see the current ways their information is being processed.

FAQ: GDPR Privacy Policy

Here is a list of frequently asked questions that you may find useful.

If you fall under the jurisdiction of the GDPR, you must have a GDPR-compliant Privacy Policy.

The GDPR applies to you if you:

  • Are located in the EU, or
  • Offer goods and services to individuals located in the EU, or
  • Monitor the behavior of individuals located in the EU

Even if you don't fall under the GDPR's scope, making your Privacy Policy be GDPR-compliant is a smart idea. The GDPR is currently the strictest privacy law in the world and other laws are starting to mirror it.

As new privacy laws are legislated and existing laws get stricter, you'll be ahead of the curve with compliance if you make your Privacy Policy compliant with the GDPR now.

Aside from standard Privacy Policy clauses, the GDPR has some specific requirements including the following:

  • Your Privacy Policy must be written in clear, easy to understand language
  • You must include your legal basis for processing personal information
  • You must disclose the GDPR-granted user rights
  • You must let users know how long you retain their personal information for
  • International data transfers must be addressed in detail, with safeguards listed

Typical Privacy Policy updates to satisfy GDPR requirements include the following:

  • Simplifying the language and formatting of your Privacy Policy to make it easier to read and understand
  • Getting GDPR-compliant consent for your Privacy Policy if you haven't been doing so
  • Including additional clauses and information such as the GDPR user rights, your legal basis for processing personal information, how you safeguard any international transfers of data you engage in, and contact information for your Data Protection Officer and EU Representative, if applicable

Add a link to your GDPR Privacy Policy in your website footer. This satisfies the GDPR's requirement that your Privacy Policy be easily and freely accessible.

You'll also need to add a link to your GDPR Privacy Policy wherever you collect personal information. For example:

  • Account sign-up forms
  • Email newsletter sign-up forms
  • Email communications
  • Contact forms
  • Ecommerce payment/checkout screens
  • App store listings for mobile apps
  • Within mobile apps in a menu, such as an "About" or "Legal" menu

Get users to consent to your GDPR Privacy Policy by using an unticked checkbox next to a statement that says something similar to "By checking this box, you confirm you have read and are agreeing to the terms of the Privacy Policy."

When a user clicks the box and proceeds with your website or mobile app, you will have obtained GDPR-compliant consent to your Privacy Policy.


Displaying Your GDPR Privacy Policy

Displaying Your GDPR Privacy Policy

Your Privacy Policy isn't a contract. You might carry out some data processing under a contract, or subject to your users' consent. But they don't really have any choice as to whether they agree to the Privacy Policy itself.

So whilst you may not need your customers to "agree" to your Privacy Policy in the same way they might agree to your Terms and Conditions or Returns and Refunds Policy, you should try to make sure that they've read it. You can also ask them to confirm that they have done so.

So, your Privacy Policy must be conspicuous and accessible to anyone who interacts with your business.

Here are some ways you can make sure it gets noticed

On Your Website

You should place a link to your Privacy Policy on a footer that persists across each page of your website. You can place it alongside other policies, such as your Terms and Conditions or Acceptable Use Policy.

Here's how The Times does this:

The Times UK website footer with links

If you run an ecommerce store, you should make sure your customers are able to read your Privacy Policy at the point where they make a purchase. Here's an example from Amazon UK:

Amazon UK checkout screen showing Privacy Policy link

Whenever you ask your users for consent, you should also draw their attention to your Privacy Policy. Here's how Profile Editions does this when requesting direct marketing consent:

Profile Editions email newsletter sign-up form with Privacy Policy highlighted

Make sure your Privacy Policy is consistently available so your users can view it any time. Include it at points where you're collecting personal information (like email addresses or payment information) as a reminder that your users can check to see how you'll be using that personal information.

On Your Mobile App

If your company has a mobile app, it's important that your users can access your Privacy Policy from inside the app.

For example, the Just Eat app provides a link to its Privacy Policy in the Help menu:

Screenshot of Just Eat app Help menu

The Settings menu or Legal menu are other areas users know to look for a Privacy Policy.

If your users can create an account in your app, it's important to present your Privacy Policy at the moment you collect their information. Here's how Facebook does this (note that Facebook calls its Privacy Policy its "Data Policy"):

Facebook app sign-up screen with Data Policy link

In Your Communications

Whenever you send an automated email, you should link to your Privacy Policy in the footer. This is particularly important where you're sending direct marketing communications.

Here's an example from Waitrose:

Waitrose email footer with Privacy Policy link highlighted

Summary of Your GDPR Privacy Policy

Writing a Privacy Policy is one of the most important legal obligations under the GDPR. To ensure it's up to the EU's strict standards, make sure you include:

  • An introduction that explains the purpose of the document
  • The date that the Privacy Policy takes effect (or the date of its last update)
  • Your company's name and contact details
  • Name and contact details for important roles (DPO, EU Rep, etc.)
  • Your data protection principles
  • The types of personal data you process
  • How and why you process personal data
  • Your legal bases for each act of processing
  • How long you retain personal data
  • The types of third parties with whom you share personal data
  • Details of any transfers to non-EU countries
  • Notification of how changes to the Privacy Policy will be communicated

Download GDPR Privacy Policy Template

Download our GDPR Privacy Policy Template as a PDF file, DOCX file or Google Document.

This free, downloadable template includes the following sections:

  • Definitions
  • Principles for processing personal data
  • What personal data we collect and process
  • How we use the personal data
  • Legal basis for collecting and processing personal data
  • Retention of personal data
  • Data protection rights

Sample: GDPR Privacy Policy Template

Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.