GDPR Privacy Policy Template

What should a GDPR-compliant privacy policy include?

In this post, we’ll look at a GDPR privacy policy template and list everything you may need to make your privacy policy compliant!


Generate your fully customizable Privacy Policy in minutes

Generate a free Privacy Policy for your website that is customizable, professional, and drafted by an international legal team. A simple way to handle GDPR compliance.

What is the GDPR?

The General Data Protection Regulation, at its most basic, specifies how personal data should be lawfully processed, including how it’s collected, used, protected or interacted with in general.

It’s meant to strengthen data protection for all people whose personal information falls within its scope of application.

What should a GDPR-compliant privacy policy include?

When you collect users’ data, the GDPR requires that you show a privacy policy, whether you run a website, an app, an eCommerce store or a newsletter (these are just a few examples).

Your privacy policy should be clear and unambiguous, up-to-date and easily accessible throughout your website or app. It should state, at the very least:

  • who the site/app owner is;
  • what data is being collected and how;
  • what the legal basis for the collection is;
  • what the specific purpose of your collection is;
  • which third parties will have access to the information and whether any of them will collect data;
  • details relating to cross-border/overseas data transfers and which measures were put in place to carry them out in a safe and compliant way (where applicable);
  • what rights users have;
  • a description of the process for notifying users and visitors of changes or updates to the privacy policy;
  • the effective date of the privacy policy.

As we said, these are just the basic elements.
For instance, you may also need to add the name and contact details of your Data Protection Officer (DPO), or EU representative if that applies to your company.

More on GDPR

This article is a part of our series on GDPR and GDPR compliance. Read also:

👉 GDPR cheat sheet: 15 things to know

GDPR Policy Template

Here’s a template of a GDPR-compliant privacy policy, generated with iubenda’s Privacy and Cookie Policy Generator.

Just click the button to open it!


Non-compliance can have strong consequences.

GDPR is well-known for its hefty fines, which can amount to up to EUR 20 million (€20m) or 4% of the annual worldwide turnover – whichever is greater. But perhaps equally concerning are the other potential sanctions: official reprimands (for first-time violations), periodic data protection audits and liability for damages.

How do I create a GDPR policy?

You can quickly create a GDPR-compliant privacy policy using a privacy policy generator like iubenda. The generator will guide you to enter details about your site or app, what personal data you collect, and how you use it. iubenda’s easy-to-use privacy policy creator helps you make a customizable policy in minutes that meets GDPR standards.

Make sure your policy is easy to understand. It should explain people’s rights, such as how they can access, change, or delete their data, and how to object to the use of their data. With our free GDPR privacy policy generator, you can easily add these key points, making sure your policy fits your business perfectly.

What is the standard privacy policy for GDPR?

A standard GDPR privacy policy is a document that outlines to users how a website, app, or organization collects, uses, shares, and manages personal data in compliance with the General Data Protection Regulation (GDPR) standards. This policy should be easily accessible, written in clear and straightforward language, and must include:

  • The types of personal data collected
  • Purposes for processing personal data
  • Legal basis for processing
  • Data sharing and transfer details
  • Data subject rights
  • Information on data security measures
  • Details on how to exercise rights under GDPR
  • Contact information of the data controller and the Data Protection Officer (DPO), if applicable

What are the 7 main principles of GDPR?

The GDPR stands on seven main principles that govern the handling of personal data:

  1. Lawfulness, Fairness, and Transparency: Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data Minimization: Only data that is necessary for the purposes for which it is processed should be collected.
  4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  5. Storage Limitation: Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  6. Integrity and Confidentiality (Security): Personal data must be processed in a manner that ensures appropriate security.
  7. Accountability: The controller is responsible for, and must be able to demonstrate, compliance with the other six principles.

What is the GDPR for privacy?

The GDPR, or General Data Protection Regulation, is a comprehensive data protection law that came into effect on May 25, 2018, in the European Union. It is designed to give individuals more control over their personal data and to unify data protection regulations across all EU member states.

The GDPR applies to any organization, regardless of location, that processes the personal data of EU residents. It requires transparency, security, and accountability from data processors and controllers, and gives individuals the right to access, correct, delete, and restrict the processing of their data, covering how it’s collected, used, protected or otherwise handled.

What are the three rules of GDPR?

While the GDPR is governed by several principles and detailed provisions, three core rules or requirements can be highlighted for simplification:

  1. Consent: Organizations must obtain clear and explicit consent from individuals before collecting, processing, or sharing their personal data, unless another lawful basis for processing is applicable.
  2. Right to Access and Control: Individuals have the right to access their personal data, correct inaccuracies, delete their data, and object to data processing in certain circumstances.
  3. Data Protection Measures: Organizations must implement appropriate technical and organizational measures to ensure a high level of security for personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

These rules are part of the broader framework established by the GDPR to protect personal data and ensure privacy rights.

GDPR Privacy Policy Example

As mentioned above, any business processing the personal data of individuals in the European Union must create a GDPR-compliant privacy policy. This example aims to provide a basic outline. It is highly recommended to use a professional privacy policy generator to ensure that your privacy policy is fully compliant with the GDPR and reflects the specificities of your data processing activities. This approach simplifies the process of creating a tailored privacy policy that meets your requirements.

[Your Company Name] is committed to protecting the privacy of our users and customers. This privacy policy explains how we collect, use, share, and protect personal information in accordance with the General Data Protection Regulation (GDPR).

Data Collection

We collect personal data when you visit our website, use our services, or interact with us. This may include:

  • Name and contact information
  • Payment details (for customers)
  • Preferences and user feedback
  • Usage data and cookies

Purpose of Processing

Your data is processed for the following purposes:

  • To provide and improve our services
  • For customer support and communication
  • To comply with legal obligations
  • For marketing purposes, with your consent

Legal Basis for Processing

We process your personal data based on:

  • Your consent
  • The need to fulfill a contract with you
  • Our legitimate business interests
  • Legal requirements

Data Sharing and Transfer

We may share your data with third parties for service provision, legal compliance, or with your explicit consent. Data may be transferred outside the EU, and we ensure all transfers comply with GDPR.

Data Subject Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify incorrect data
  • Erase your data in certain circumstances
  • Restrict or object to processing
  • Request data portability

Data Security

We take appropriate measures to ensure data security, protect against unauthorized access, and comply with GDPR.

Data Retention

Personal data is retained as long as necessary for the purposes stated, unless a longer retention period is required or permitted by law.

Changes to this Policy

We may update this policy. We will notify you of significant changes and update the “last updated” date at the top of the policy.

Contact Us

For questions or to exercise your data protection rights, please contact our Data Protection Officer at [Contact Information].

Privacy Policy Sample

Below, we explore how several well-known brands, including e-commerce platforms and service providers, articulate their GDPR privacy policies. We delve into the privacy policies of Barbour, a British luxury and lifestyle brand known for its outerwear, and Squarebird, a digital marketing and web development agency, to provide a broader perspective on privacy practices across different industries.

  • Barbour’s privacy policy details how they handle customer information in the context of e-commerce and retail, including data collected during purchase and account registration, use of data for marketing and personalization, and measures to protect customer privacy.

  • Squarebird’s privacy notice focuses on how they collect and use client data in the realm of digital marketing and web development, including data collected through website interactions, consent, and data protection measures.

❗️ These GDPR privacy policy examples showcase the diversity of privacy policies across different sectors, from tech and e-commerce to lifestyle brands and digital marketing agencies. Each organization’s approach to GDPR compliance reflects its unique data processing activities and customer interactions.

For the most accurate and up-to-date information, it’s essential to refer directly to the privacy policies on each company’s website.

How iubenda can help you generate and manage a GDPR Privacy Policy document

iubenda’s tools can help you achieve GDPR compliance in minutes. Access our full range of GDPR solutions here.

  • ✅ Offering hundreds of available clauses, we ensure our privacy policies include all elements commonly required in many regions and services. We apply the strictest standards by default, allowing you full customization as necessary.
  • ✅ Lawyers create our policies, our lawyers monitor them, and we host them on our servers. This ensures they always meet the latest legal and third-party requirements.
  • ✅ We make our privacy policies easily customizable and offer the option to include a cookie policy. This is essential if your website or app uses cookies.

With our Free GDPR Privacy Policy Generator, the generation process is easy and intuitive:

  1. Choose Website, fill in your website name or URL, select your language and click on Start generating;
  2. Click on Generate now under Privacy and Cookie Policy;
  3. Select and add all the relevant services to your website (e.g. Google Analytics, social media widgets…);
  4. Generate your privacy policy in one click (all clauses are pre-drafted by lawyers);
  5. Lastly, copy and paste the code to add the document to your website’s footer.
