GDPR Privacy Policy Template

Is your website accessible to European citizens and residents? If so, do you have a GDPR Privacy Policy yet?

The GDPR comes with a whole host of new requirements that impact processing activities, organizational roles, and transparency. Choosing a GDPR Privacy Policy is the first step to ensuring compliance and preventing the hefty fines that come with GDPR violations.

What goes into a GDPR Privacy Policy? We'll show you how to build one here.

What is the GDPR?

The GDPR (General Data Protection Regulation) is the regulation within European law that provides data protection to all individuals in the European Union or the European Economic Area.

Europe's GDPR rules are the world's strongest data protection rules. The legislation builds on the first data protection rules introduced in the 1990s by integrating technological advances and knowledge about how tech companies process data.

In most cases, the GDPR doesn't mean you need to change everything about the way you process data. Instead, it's an evolution in data protection. Many businesses already comply with the GDPR by using encryption, reporting data breaches, and limiting the data they capture.

What's changed?

People now have more rights to access the data companies hold about them.

There's also greater accountability for businesses to uphold secure and transparent data processing and management practices. The EU's accountability system features a hallmark series of fines that range from 2 to 4 percent of total global turnover for the worst offenders.

Although the GDPR features thousands of technical details, the spirit of the law is transparency and accountability.

Data processors can't operate in the dark. If you process data belonging to European citizens, you must share your processing practices in a GDPR Privacy Policy. By sharing those policies, it is easier for both your users/customers and the government to hold you accountable.

After all, poor data practices take a toll on data subjects. Breaches, over-sharing, and poor collection practices dramatically impact European citizens' reasonable expectations of privacy.

The GDPR holds two principles in high regard: data processor obligations and data subject rights.

Data processors find their obligations laid out in Article 28:

  1. Data processors must provide sufficient guarantees to use the appropriate technical and organizational measures that meet GDPR requirements.
  2. Data processors may not work with another processor without prior authorization from the controller.
  3. Data processors and controllers must sign a contract detailing: subject matter, duration, nature, and purpose of processing. It must also include type of personal data, categories of data subjects, and the rights of the controller.

Data subjects find their rights listed in Chapter 3: Rights of the data subject. Their rights include:

  1. The Right to Be Informed
  2. The Right of Access
  3. The Right to Rectification
  4. The Right to Erasure
  5. The Right to Restrict Processing
  6. The Right to Data Portability
  7. The Right to Object
  8. The Right to Avoid Automated Decision-Making

Finally, there are the six privacy principles of the GDPR:

  1. Lawfulness, Fairness, and Transparency
  2. Limitations on Purposes of Collection, Processing, and Storage
  3. Data Minimization
  4. Accuracy of Data
  5. Data Storage Limits
  6. Integrity and Confidentiality

The GDPR comes with a large number of principles and rights to learn, but getting acquainted with them helps you build a compliant GDPR Protection Policy and better understand what impact your processes and procedures have on your ability to operate.

Essential Components of a GDPR Privacy Policy

Your Data Protection Policy should outline the way you comply with the obligations and rights addressed by the GDPR.

A GDPR Privacy Policy should have clauses that address the following:

  • What personal information you collect
  • How you collect it
  • How you use it
  • Your legal basis for data collection
  • Your data security practices
  • Information about third-party sharing
  • Data Protection Officer information (if applicable)
  • Any automated decision-making you do
  • User rights
  • International data transfers
  • Use by children
  • Cookies

Let's get started.

How to Create a GDPR Privacy Policy

After introducing your company and your GDPR Protection Policy, you'll fill out the following sections with the relevant details from your GDPR preparedness plan.

Personal Information You Collect

Preparing for the GDPR means performing an audit of all the different categories of data you collect. You'll also share the data categories in your GDPR Privacy Policy.

You need to share whatever types of data you collect from data subjects. Make the list as complete as possible and update it regularly. Failure to provide transparency about the data you collect is a GDPR violation.

Some of the types of data you may collect include:

  • Contact details
  • Account information
  • Payment information
  • User generated content

Most companies choose to display this clause at the top of their GDPR Privacy Policy because it provides context for the rest of the document.

TK Maxx, a retailer with physical and digital footprints in the EU, added its complete list of information collected:

TK Maxx Privacy and Cookie Policy: Information we collect clause

As you can see, the list is granular and includes specific examples of data it keeps in its database. Your list should likewise name the specific data you hold. This becomes simpler when you collect only the necessary amount of data, which the GDPR also requires of you.

How Personal Information is Collected

Do you collect only data provided directly by users, or do you get your data supply from a third party? However you collect it, you also need to share the mechanisms by which you come by your data.

Topshop, a global retailer, combines the "How Data Is Collected" section with the list of data categories it collects.

Topshop Privacy and Cookies Policy: How we collect information clause excerpt

The method works well for Topshop because the types of data it collects are completely intertwined with its collection methods. Topshop tends to go light on the details, but it implies what types of data it will collect and use.

Forbes includes a clause titled "Voluntary Submission" that breaks down ways a user may submit different information to the company including when the company asks for it or through a member profile page a user creates:

Forbes Privacy Statement: Voluntary Submission clause

How Personal Information is Used

The GDPR requires you to have an imminent use for all the data you collect. In other words, if you don't need it soon, then don't collect it. Data minimization is a key part of data security for the legislation.

Expect to list, in general terms or explicitly, how you intend to use the data and to what end.

Marie Claire Boutique, an online retailer, discloses how it uses personally identifiable information such as to improve products and services:

Marie Claire Boutique Privacy Policy: Use of personally identifiable information

River Island, a UK-based retailer, takes a more granular approach to account for the data it collects from users. It comes in the form of an extensive, bullet-point list:

River Island Privacy Notice: How do we use your personal data clause

River Island lists specific instances when user data comes in handy. Most of them refer to essential business practices like responding to refund requests, delivering orders, and processing payments.

It also notes that it might send you information about recommended products, but it only does so when the users are pre-existing and have consented or have not opted out. These qualifiers are important for a GDPR Privacy Policy because they are a reference to the rights users explicitly have under the new legislation.

Legal Basis for Data Collection

You need a legal basis for every piece of data you collect. GDPR Article 6 covers the lawfulness of processing and lists these six legal bases:

  1. Consent
  2. Legitimate interests
  3. Contractual necessity
  4. Legal obligations
  5. Vital interests
  6. Public interests

If the data you collect doesn't fall under one of these legal bases, then you aren't allowed to collect that data. You need to find a basis for every category of data you collect, which you should do as part of your pre-GDPR audit and processing plan.

Costa Coffee, a European coffee chain, shares its legal basis of legitimate interests and gives details about its reasoning:

Costa Coffee Privacy Policy: Legal basis and legitimate interests clause

Costa Coffee also collects some data under the legal basis of Consent. The organization differentiates between what data it collects under this basis and how it might use the data:

Costa Coffee Privacy Policy: Legal basis and consent clause

Data Security Practices

With a high profile breach appearing to happen every other week, data security practices are more important than ever. You should share your commitment to security within your GDPR Privacy Policy as a customer-facing promise to engage in smart data security practices.

Marriott International provides a brief overview of its security practices within its policy:

Marriott Global Privacy Statement: Security clause

Marriott not only shares that it uses "reasonable" measures, but also encourages customers to get in touch if they fear their data has been compromised.

Starbucks also provides a similarly short data security section noting its use of protective measures.

Starbucks Privacy Statement: How we protect your information - security clause

Like Marriott, it makes a point to say that no technology is perfect and none can offer 100 percent security. These statements are important for liability and do not violate the GDPR.

Third Party Sharing

If you share the data you control or process with any other party, you need to disclose this in your GDPR Privacy Policy.

Generally, you need to:

  • State that you use other providers
  • Explain why you use other providers
  • Share how you use other providers
  • Provide details on who controls the data and how

Customers need to know that you don't hand out their data like candy.

How does this appear in your GDPR Privacy Policy? EE, a mobile services provider serving the United Kingdom, offers a suitable example:

EE Privacy Policy: Third-party service providers clause

As you can see, EE doesn't name its service providers and partners specifically, but it acknowledges it works with other companies and commits to remaining the data controller in each scenario.

Data Protection Officer Information (if applicable)

Article 37 of the GDPR requires some groups to nominate a Data Protection Officer. It is necessary whenever you are a public authority or body and you process data belonging to EU citizens.

You'll also need a Data Protection Officer if you:

  • Engage in regular and systematic monitoring of data subjects on a large scale, or
  • Engage in large scale processing of special categories of data or data relating to criminal offences and convictions

If you do need a Data Protection Officer, or you decide that hiring one is good practice, then you'll list these details in your GDPR Privacy Policy and elsewhere on your site.

The Health Service Executive, the Republic of Ireland's health body, is a public body and therefore requires the use of a Data Protection Officer. It lists the details in its Data Protection Policy here:

Health Service Executive Privacy Statement: DPO clause

You can simply state that you have appointed a Data Protection Officer and provide the contact details for the DPO.

Automated Decision-Making

Do you use software or a web application that makes decisions about customers without human intervention? If so, European citizens have a right to know - and you need to detail how they can obtain human intervention.

Article 22 provides a right not to be subjected to automated processing, including profiling and automated decision-making. It applies when the decision produces a legal effect on the data subject or similarly significant effects on their life.

The most common automated decision-making activities tend to relate to finance. If you offer financing on your site or you are a financial institution, then you'll need this section.

Bank of Ireland completes a substantial amount of automated analysis of data. Its uses include:

  • Administrative purposes
  • Managing business decisions
  • Complying with legal obligations
  • Making automated lending decisions

Because of this, the bank's section on automated processing is substantially longer than that of an organization that uses automated processing only occasionally:

Bank of Ireland Data Privacy Notice: Automated decision-making clause excerpt

Even if you don't intend to use profiling or another processing activity covered under Article 22, you might choose to include such a clause anyway.

OSP Cyber Academy explains that it does not engage in automated decision-making under its User Rights section:

OSP Cyber Academy Privacy Policy: Automated decision-making and profiling clause

User Rights

The GDPR affords users eight rights:

  1. The Right to be Informed
  2. The Right of Access
  3. The Right to Rectification
  4. The Right to Erasure
  5. The Right to Restrict Processing
  6. The Right to Data Portability
  7. The Right to Object
  8. The Right to Avoid Automated Decision-Making

Your role as a data processor is not only to support these rights but to help make users aware of them. When users know their rights, they are better able to exercise them.

These rights come up over and over throughout your Policy in one way or another. You should, however, list these rights explicitly within the text.

Many compliant organizations choose to list them under their own heading for maximum transparency.

Virgin Media lists each of the rights and provides a form that users can use if they wish to exercise any of the rights:

Virgin Media: GDPR FAQ - User rights section

International Data Transfers

If you send data outside of the EU, you need to share those practices to provide data subjects the opportunity to make an informed decision about sharing their data with you.

You need to share whether you send data abroad, whether you engage in any data treaties, and why you send the data away.

EE, which we looked at earlier, is part of BT Group - an international telecommunications operation with footprints across the world. As such, it processes data outside the EU, typically in India and the Philippines. The company shares where it processes data and to which countries it may disclose user data:

EE Privacy Policy: International Data Transfer clause with list of countries

Use by Children

The GDPR also brought in new regulations for the protection of personal data of children. The GDPR lists the age of consent for children at 16, but member states have the latitude to change the limit to as low as 13.

Additionally, if you are a data controller who offers services directly to children, you need to write a GDPR Privacy Policy in such a way that a 13-year-old might understand.

If your site is accessible to children and you provide a service that attracts children and teens, address it in your policy.

Twitch TV, a video game service, attracts children of all ages and directly addresses children's privacy requirements in its policy. It implores children under 13 not to use any Twitch service for any reason at any time:

Twitch TV Privacy Policy: Children's Privacy clause

It also provides a section directly related to the GDPR by stating that it will "not knowingly engage in that processing for users under the age of consent established by applicable data protection law."

It discloses that it will stop processing of data as soon as it realizes it has inadvertently engaged in processing data of children below the age of consent and will remove the data.

These statements are helpful because they recognize that EU states may set different age limits. Twitch also acknowledges that it may accidentally process such data and puts in place a procedure to remove it, which makes the organization's data processing procedures GDPR-compliant.

The GDPR operates with an understanding that some users may try to circumvent these protections, and thus gives processors the opportunity to correct the situation without immediate punishment. Just be sure to note that you understand this in your GDPR Privacy Policy.

Cookies

Cookies collect personal data and thus are covered by the GDPR.

Waitrose includes cookies in its clause about what types of personal information it collects:

Waitrose Privacy Notice: What personal data we collect - clause

UK retailer Sainsbury's provides a separate section for cookies:

Sainsbury's Privacy Policy: Cookies and similar technologies clause

Sainsbury's has a separate Cookie Policy which it links from this clause. If you have a Cookie Policy, consider doing the same thing to help with transparency and keeping your readers informed.

Conclusion

Your GDPR Privacy Policy needs to cover all the primary GDPR principles by acknowledging and supporting user rights and providing transparency about your data processing practices.

By including the above clauses in your GDPR Privacy Policy and upholding them in your data processing practices, you are on your way to compliance with the world's most comprehensive privacy legislation to date.