How to Write a Privacy Policy That’s GDPR Compliant


In the digital era, when more and more people entrust their personal data to websites and cloud services, there is a greater need than ever to tell them how that data is used. In 2016 the EU adopted a new privacy law, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which replaced the 1995 Data Protection Directive (95/46/EC).

In this article, we’ll explain how to create a GDPR compliant privacy policy for your website, whom it protects, and what the customers’ rights are according to this law. Read on!

What Is a Privacy Notice?

A privacy notice is a document in which an organization explains that it processes its clients’ personal data, why it does so, and how it keeps that data safe. The main aim of a privacy notice is transparency, i.e., to prevent individuals from being kept in the dark about how their data is collected and used. A privacy notice serves both parties: the organization collects the personal data it needs, and the individual knows how the company handles it and can rely on the information not being used beyond its original purpose. Articles 12, 13, and 14 of the GDPR can help you understand how to write a privacy policy because they set out what a privacy notice must contain and how it must be presented.

Although the terms “privacy policy” and “privacy notice” do not appear in the GDPR text, they are still used interchangeably.

Every organization should publish a privacy policy on its website that should be:

  • Written in clear and plain language
  • Transparent, down-to-the-point, easily accessible, and intelligible
  • Free of charge
  • Distributed and updated in a timely manner

For apps, the privacy policy should be easily accessible within the app, usually no more than two clicks away.

DID YOU KNOW: The GDPR does not require you to prove that every client has read your privacy policy. It requires you to provide the information in a form a reader can actually understand: if the notice is unclear, the obligation to inform is not met, however many people clicked “I agree”.

What Is GDPR and Why Is It Important?

On May 25, 2018, the GDPR became enforceable across the European Union (it had been adopted in April 2016, with a two-year transition period). It remains one of the strictest privacy laws in force. Its main goal is to give individuals insight into and control over how organizations use their data, and to require those organizations to protect that data against loss, misuse and unauthorized access.

Although it was written to protect people in the EU, its reach is not limited to organizations located in the EU. Under Article 3, the GDPR applies to any organization established in the EU, and to organizations established elsewhere that offer goods or services to people in the EU or monitor their behaviour (for example by tracking website visitors). The test is where the data subjects are, not their citizenship. Any website operated from the EU, or serving users in the EU, therefore needs an appropriate privacy policy, and many companies outside Europe are affected without realizing it.

The importance of the GDPR lies in the fact that it strengthens the data protection rights of people in the EU and gives companies and organizations a clear outline of what they must do to respect those rights. An organization that fails to comply can be fined up to €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83).

Key Takeaways

The privacy notice should make it easy to understand how an organization will use an individual’s data.
The website privacy notice should be short and written in simple language so that all users will understand it easily.
Transparency is a key principle of the GDPR: organizations must tell users what they do with their data and on which lawful basis, so that nothing is processed behind their backs.
According to the GDPR, individuals have the right to be informed about how their data is processed and protected.

What Should a GDPR Compliant Privacy Policy Include?

There are strict GDPR guidelines (Articles 13 and 14) that state that the privacy policy should explain how personal data is collected and used. Here are the questions that a policy must address:

  • What type of information is collected
  • How the information is collected
  • Who collects it (the controller’s identity and contact details, and those of its data protection officer if it has one)
  • Why it is collected and on which lawful basis
  • Who it is shared with
  • How the information is stored and for how long it is kept

DID YOU KNOW: For some, paying attention to all the details when creating a privacy policy could be a nightmare. That’s why many prefer to use privacy policy generators that help you draft a policy. A generated template is only a starting point, though: every statement in it still has to match what your site actually does with the data.


8 Rights Customers Have Under the GDPR

  • The right to erasure

The right to erasure, a.k.a. the right to be forgotten, is found in Article 17 of the GDPR. It means that individuals can ask an organization that holds their data to erase it, and the organization must do so without undue delay where one of the Article 17 grounds applies, most commonly that the personal data are no longer necessary for the purpose for which they were collected, or that the individual has withdrawn the consent the processing relied on. The right is not absolute: data that must be kept to meet a legal obligation or to defend legal claims can be retained.

  • The right to rectification

Another right that organizations must mention in their GDPR privacy policy and honour is the right to rectification (Article 16). The individual (the data subject) has the right to have inaccurate personal data corrected and incomplete data completed.

  • The right to restrict processing

Under Article 18, data subjects have the right to have the processing of their data restricted in specific situations: while the accuracy of the data is being contested, where the processing is unlawful but the individual prefers restriction to erasure, where the controller no longer needs the data but the individual needs it for legal claims, or while an objection to processing is being assessed. Restricted data may be stored but not otherwise used without the individual’s consent.

  • The right to access

After the data is collected, individuals have the right (Article 15) to request a copy of the personal data an organization holds about them, together with information such as the purposes of processing, the recipients and the retention period. The organization must respond without undue delay and at the latest within one month, extendable by two further months for complex requests (Article 12).

  • The right to data portability

Another right, set out in Article 20 of the GDPR, is the right to data portability. It allows data subjects to receive the personal data they provided to a controller in a structured, commonly used and machine-readable format and to transmit it to another controller. Where technically feasible, they can also have the data transmitted directly from one controller to the other. The right applies where the processing is based on consent or on a contract and is carried out by automated means.

  • The right to object to processing

Under Article 21, individuals may object at any time, on grounds relating to their particular situation, to processing that relies on legitimate interests or on a public-interest task; the organization must then stop unless it can show compelling legitimate grounds that override the individual’s interests. Where personal data is used for direct marketing, the right to object is absolute and the processing must stop as soon as the objection is received.

Two further rights complete the list of eight: the right to be informed (Articles 13 and 14), which is what the privacy policy itself serves, and the rights relating to automated decision-making and profiling (Article 22), under which individuals have the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on them.

Whether you transfer data internationally

Organizations must state in the privacy policy whether they will transfer personal data to a country outside the EU/EEA or to an international organization, and on what basis (for example an adequacy decision or standard contractual clauses), as Article 13(1)(f) requires.

Legal basis for collecting data

Under the GDPR, an organization needs a valid reason, a lawful basis, for every use of personal data. Article 6 sets out six lawful bases for collecting and processing personal data, and the privacy policy must say which one applies to each purpose:

  • consent of the data subject
  • performance of a contract with the data subject (or steps taken at their request before entering one)
  • compliance with a legal obligation
  • protection of someone’s vital interests
  • a task carried out in the public interest or in the exercise of official authority
  • the legitimate interests of the controller or a third party, unless overridden by the individual’s interests and rights

Cookies

Contrary to popular belief, cookies are not harmful to your browser. A cookie is a small piece of data that a website stores in the browser and that the browser sends back on later requests; sites use them to keep you logged in, remember preferences, and track sessions and behaviour for analytics and advertising. The consent requirement for non-essential cookies actually comes from the ePrivacy Directive rather than the GDPR itself, but the GDPR defines what valid consent looks like (freely given, specific, informed and unambiguous), so the two are applied together. The privacy notice should therefore address the obvious: which types of cookies are used, for what purpose, and how the user can manage or refuse them. Boohoo Group PLC, for instance, explicitly explains what types of cookies its website uses and lets customers decide whether to accept all cookies or only the strictly necessary ones.
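Here is how that “all cookies or only the necessary ones” choice is enforced in code, as an added example that is not part of the original article or of any vendor’s implementation. It models a consent-gated cookie manager: strictly necessary cookies are always allowed, every other category is blocked until the user opts in, withdrawing consent deletes the cookies already set, and the choice is recorded with the policy version so the site can demonstrate what was consented to and when. The category names, cookie names and the in-memory `Map` standing in for `document.cookie` are assumptions made for the demo.

```javascript
// Added example (not from the page): a minimal consent-gated cookie manager.
// Only "necessary" cookies can be set without consent; every other category is
// blocked until the user opts in, and withdrawing consent deletes what was set.
// The cookie jar is an injectable Map so the logic runs under Node; in a browser
// you would replace it with a thin wrapper around document.cookie (assumption).

const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed taxonomy

class ConsentManager {
  constructor(jar = new Map(), policyVersion = "2024-01") {
    this.jar = jar;                 // name -> value; stand-in for document.cookie
    this.category = new Map();      // name -> category the cookie was set under
    this.consent = { analytics: false, marketing: false }; // default: refused
    this.record = null;             // proof of the choice the user made
    this.policyVersion = policyVersion;
  }

  // True if a cookie in `category` may be set right now.
  allowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    return category === "necessary" || this.consent[category] === true;
  }

  // Sets the cookie only if its category is permitted; returns whether it was set.
  setCookie(name, value, category) {
    if (!this.allowed(category)) return false;
    this.jar.set(name, value);
    this.category.set(name, category);
    return true;
  }

  // Records the user's choice. Categories omitted from `choices` count as
  // refused; any category the user withdraws has its cookies deleted at once.
  setConsent(choices, now = new Date()) {
    for (const cat of Object.keys(this.consent)) {
      const granted = choices[cat] === true;
      if (this.consent[cat] && !granted) this.purge(cat);
      this.consent[cat] = granted;
    }
    // Keep a record so the controller can show what was consented to and when.
    this.record = { ...this.consent, policyVersion: this.policyVersion, at: now.toISOString() };
    return this.record;
  }

  acceptAll() { return this.setConsent({ analytics: true, marketing: true }); }
  necessaryOnly() { return this.setConsent({}); }

  // Deletes every cookie set under the given category; returns how many went.
  purge(category) {
    let removed = 0;
    for (const [name, cat] of this.category) {
      if (cat === category) { this.jar.delete(name); this.category.delete(name); removed++; }
    }
    return removed;
  }

  // Lists cookies by category, the shape a "what cookies we use" table needs.
  inventory() {
    const out = {};
    for (const [name, cat] of this.category) {
      if (!out[cat]) out[cat] = [];
      out[cat].push(name);
    }
    return out;
  }
}

// Demo of the flow described above: nothing non-essential before consent,
// analytics after a partial opt-in, and cleanup when the user changes their mind.
function demo() {
  const m = new ConsentManager();
  const before = m.setCookie("_ga", "GA1.1", "analytics");     // false: no consent yet
  m.setCookie("session_id", "s3cr3t", "necessary");            // always allowed
  m.setConsent({ analytics: true });                           // marketing still refused
  const after = m.setCookie("_ga", "GA1.1", "analytics");      // true
  const marketing = m.setCookie("_fbp", "fb.1", "marketing");  // false
  m.necessaryOnly();                                           // withdraws analytics
  return { before, after, marketing, remaining: [...m.jar.keys()] };
}
```

The point of routing every cookie through `setCookie` with a declared category is that the consent banner then has nothing to enforce on its own: a tag that tries to set an analytics cookie before the user opted in simply fails, and the `inventory()` output is the list you paste into the cookie table of the privacy notice.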

Possible Changes

A privacy policy should tell users how they will be informed of changes to the policy or to the way their data is processed, and when the current version took effect. Keeping a dated version history makes it possible to show which wording a user saw at a given time.

Contact information

A user should be able to easily contact someone at the company about the data it holds on them, so giving an e-mail address or a telephone number is essential; if the organization has appointed a data protection officer, the DPO’s contact details must be included as well (Article 13(1)(b)). Sainsbury’s GDPR privacy policy, for example, provides all the relevant contact information for a client who wants more details on how their data will be used.

DID YOU KNOW: It’s not always easy for small and medium-sized enterprises (SMEs) to comply with the GDPR. However, following a small business privacy policy template and using a GDPR privacy policy checklist will certainly help.

Best Practices

Data controllers sometimes use vague language, which makes the privacy policy hard to understand and invites misunderstandings between the parties. Clear, precise wording, on the other hand, prevents differing interpretations. The EU regulators’ transparency guidance illustrates the difference with phrases of the kind “we may use your personal data to develop new services” (too vague to tell the reader what will actually happen) as against “we will keep a record of the products you bought on our site so that we can recommend similar products to you” (a specific purpose the reader can evaluate).

The guidance recommends simple yet precise language so that the information is conveyed as clearly as possible, and the same rule applies to the policy as a whole.


We hope that this article will help your business stay compliant with the GDPR. If your organization or company is affected by the GDPR in any way, knowing what your privacy policy should include is very important. It will help you protect your clients’ and employees’ data as well as avoid paying any fines.


Do I need a GDPR privacy policy?

The GDPR protects people in the EU from misuse of their personal data. If your website collects personal data from individuals in the EU, then you need a privacy policy that complies with the GDPR.

How do I make my privacy policy GDPR compliant?

In order to make sure that your privacy policy complies with the GDPR, you need to follow the GDPR guidelines by creating a transparent privacy policy, written in plain language. Looking at a GDPR privacy policy template will give you an idea of what to include in your privacy policy.

What is a GDPR compliant privacy policy?

A GDPR compliant privacy policy is a document that explains how the company in question collects and processes personal data, on what legal basis, and what rights the people concerned have. The GDPR applies to organizations around the world as long as they offer goods or services to, or monitor the behaviour of, people in the EU.


I’m an entrepreneur by profession and an artist by passion. I do business to pay the bills and make music to bring the thrills. Thanks to a bachelor in Business Administration, I'm well-versed in all things business. Owning a construction company certainly helps, too, but it also brings out my love for building and home protection.
