GDPR Compliant Privacy Policy Must-Haves

We have all been through the phase when dozens of emails arrived every day announcing another “We’ve updated our privacy policy”. Recently one more wave of them may have landed in your inbox (unless your filters are very strict). 


However, during our recent work with customers we have noticed that not all of them include the basic elements every privacy policy must have. That is why we decided to give you a brief overview of the things you MUST specify in your privacy policy (notice) to be GDPR compliant:


  1. Intro
    The identity and contact details of the organization, of its representative (companies not established in the EU that offer goods or services to, or monitor, people in the EU are in some cases obliged to designate a representative within the EU under Article 27), and of its Data Protection Officer (some companies are obliged to appoint an internal or external DPO).

  2. Definitions
    Under Article 12 of the GDPR, your Privacy Policy must be written in clear and plain language. Therefore, avoid legal terminology where you can, and define every unclear or vague term you use later in the notice (for example “appropriate measures taken to protect personal data”, “data subject”, etc.).

  3. Types of Personal Data You Process
    Be completely transparent about what types of personal data you collect and process, where these data come from (the user, a publicly available source, a third party), and whom they relate to (visitors, users, customers, clients, etc.).

    Many companies break this section of their Privacy Notice down into sub-sections such as “data you provide to us”, “data collected automatically”, etc. That keeps the section readable and at the same time gives every type of data subject that interacts with your website a sense of what data you hold about them, much like our cookie consent collection lifehack.


  4. How You Process Personal Data & Legal Basis
    This section describes how and why each category of personal data is used, and which legal basis you rely on to process it. The GDPR itself (Article 6) defines six lawful bases: 

    1. Consent - you have obtained their permission in a GDPR-compliant way (freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give). 

    2. Contract - you need to process their personal data to fulfill a contract.

    3. Legal obligation - you would break the law if you didn’t process their personal data.

    4. Vital interests - their life (or someone else’s life) depends on you processing their personal data.

    5. Public task - you are a public body (authority) and you need to process their personal data to carry out a task that’s in the public interest.

    6. Legitimate interest - processing their personal data is necessary for your legitimate interests (or a third party’s), and those interests are not overridden by the data subject’s interests, rights and freedoms.

      Be careful with the last one! You have to carry out and document a Legitimate Interests Assessment to show that you really have this legal basis. Otherwise you can be fined, as other companies have been for having an insufficient legal basis for data processing.

  5. Retention of Personal Data
    The principle of “storage limitation” requires that you do not retain personal data for longer than you need it. Your Privacy Policy needs to give at least some detail of the retention period, or of the criteria used to determine it, for each category of data.

  6. Who You Share Personal Data With
    Note that the GDPR does not require you to list the name of every company with whom you share data, only the broad categories of recipient (e.g. payment processors, mail carriers, etc.). However, many companies do not specify even that in their privacy notices, which is a gap a supervisory authority may pick up on.

  7. International Transfers of Personal Data
    If you transfer personal data from the EU (or EEA) to a country outside it, you need to describe this in your Privacy Policy, including the safeguard the transfer relies on.
    Some countries are covered by a European Commission adequacy decision, meaning they are recognized as ensuring an adequate level of data protection. The United States was covered only for companies certified under the Privacy Shield framework, which the CJEU invalidated in July 2020 (Schrems II); since then, transfers to the US have needed other safeguards such as Standard Contractual Clauses or, from July 2023, certification under the EU-US Data Privacy Framework. Check the current list of adequacy decisions before relying on one.

  8. Data Subject Rights
    In your privacy notice, make sure your visitors/users/customers are fully aware of their rights as data subjects. Every data subject is entitled to the following:

    1. The right to access

    2. The right to rectification

    3. The right to erasure (“right to be forgotten”)

    4. The right to restrict processing

    5. The right to object to processing

    6. The right to data portability

    7. The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects

      Also, you should explain these rights, tell people how to exercise them (a web form, an email address or something else), and, where you rely on consent, tell them that they can withdraw it at any time.

  9. Cookies
    In this section, provide information about your use of cookies, as described above. Generally, this section answers the questions: What are cookies? How do we use cookies? What types of cookies do we use? How can you manage cookies?

  10. Changes to the privacy policy
    Let people know that you may need to change your Privacy Policy, and tell them how you will inform them when you do.

  11. How to contact the appropriate authority
    Every data subject has the right to lodge a complaint with a supervisory authority, and your notice must say so. In this section, specify the name and contact details of the Data Protection Authority your visitors/users/customers can address their complaint to.

    Usually this is the Data Protection Authority of the country where your company or your representative in the EU is established, although data subjects may also complain to the authority of the country where they live or work. 

All of the above are general best practices that apply to most companies. However, there are many specific situations (processing special categories of data, obtaining personal data indirectly rather than from the data subject, public authorities, large-scale processing, etc.) that require additional content in the privacy policy and are not covered here.



Disclaimer: Nothing contained on this page is intended to provide legal advice, or to create a contractual or attorney-client relationship.