What should a GDPR-compliant privacy policy include?
In this post, we’ll look at a GDPR privacy policy template and list everything you may need to make your privacy policy compliant!
The General Data Protection Regulation, at its most basic, specifies how personal data should be lawfully processed, including how it’s collected, used, protected or interacted with in general.
It’s meant to strengthen data protection for all people whose personal information falls within its scope of application.
When you collect users’ data, the GDPR requires that you show a privacy policy, whether you run a website, an app, an eCommerce store or a newsletter (these are just a few examples).
Your privacy policy should be clear and unambiguous, up-to-date and easily accessible throughout your website or app. It should state, at the very least:
As we said, these are just the basic elements.
For instance, you may also need to add the name and contact details of your Data Protection Officer (DPO), or EU representative if that applies to your company.
This article is a part of our series on GDPR and GDPR compliance. Read also:
Copy and paste the GDPR Privacy Policy Template HTML directly into your website.
<h1><strong>Privacy Policy of [Your Company Name]</strong></h1>
<p><strong>Effective Date</strong>: [Insert Date]<br /><br /><strong>Introduction</strong><br /><br />[Your Company Name] is committed to protecting the privacy of our users and customers. This privacy policy explains how we collect, use, share, and protect personal information in accordance with the General Data Protection Regulation (GDPR).</p>
<h4><strong>Data Controller, DPO, and Contact</strong></h4>
<p>[Insert here the contact details of whoever is responsible for the collection and processing of user personal data at your company, e.g.:]</p>
<ul>
<li><strong>Data Controller</strong>: [Your Company Name]</li>
<li><strong>Data Protection Officer (DPO)</strong>: [Name and Contact Information, if applicable]</li>
<li><strong>Address</strong>: [Your Business Address]</li>
<li><strong>Email</strong>: [Email Address]</li>
<li><strong>Phone Number</strong>: [Phone Number]</li>
</ul>
<p><br /><strong>Data Collection</strong><br /><br />We collect personal data when you visit our website, use our services, or interact with us. This may include:</p>
<ol>
<li><strong>Name and contact information</strong><br /><em>Example</em>: When you create an account with us or sign up for our newsletter, we collect your name and email address to communicate with you.</li>
<li><strong>Payment details (for customers)</strong><br /><em>Example</em>: During the checkout process, we collect your credit card details and billing address to process payments securely.</li>
<li><strong>Preferences and user feedback</strong><br /><em>Example</em>: We collect feedback from surveys or product reviews that you provide to help us improve our products and services.</li>
<li><strong>Usage data and cookies</strong><br /><em>Example</em>: We use cookies to track how you navigate our site, which helps us improve your browsing experience. We collect information about your IP address, browser type, and pages visited.</li>
</ol>
<p><br />This document was generated with the use of the <a href="https://www.iubenda.com/en/help/45520">GDPR privacy policy template</a>.</p>
<h3><strong>Purpose of Processing</strong></h3>
<p>Your data is processed for the following purposes:</p>
<ol>
<li><strong>To provide and improve our services</strong><br /><em>Example</em>: We use your data to manage your account, process orders, and enhance our website features. If you sign up for an account, we use your data to personalize your shopping experience and ensure faster checkout.</li>
<li><strong>For customer support and communication</strong><br /><em>Example</em>: If you contact customer support, we use your data to respond to your inquiries, resolve issues, and keep you updated on the status of your support requests.</li>
<li><strong>To comply with legal obligations</strong><br /><em>Example</em>: We store your personal information for tax and accounting purposes, and comply with laws such as the EU VAT regulations.</li>
<li><strong>For marketing purposes, with your consent</strong><br /><em>Example</em>: We may send you promotional emails about new products or discounts if you have opted in to receive marketing communications. You can withdraw your consent at any time.</li>
</ol>
<h3><strong>Legal Basis for Processing</strong></h3>
<p>We process your personal data based on the following legal grounds:</p>
<ol>
<li><strong>Your consent</strong><br /><em>Example</em>: If you subscribe to our newsletter, we process your email address based on your consent. You can withdraw consent at any time by unsubscribing.</li>
<li><strong>The need to fulfill a contract with you</strong><br /><em>Example</em>: When you place an order on our website, we process your name, address, and payment information to fulfill the contract of sale.</li>
<li><strong>Our legitimate business interests</strong><br /><em>Example</em>: We may process your data to analyze customer behavior and improve our product offerings or website performance. This helps us provide you with better services and tailor our marketing efforts.</li>
<li><strong>Legal requirements</strong><br /><em>Example</em>: We may process your data to comply with obligations such as tax reporting, audits, or responding to legal requests for information.</li>
</ol>
<h3><strong>Data Transfer Outside the EU</strong></h3>
<p>In some cases, we may need to transfer your personal data to countries outside the European Union (EU) or the European Economic Area (EEA). These transfers may occur when our service providers or partners are located in countries outside of the EU/EEA or when we need to store or process data in global data centers. We ensure that any such transfer of your personal data is carried out in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR). To safeguard your data during these transfers, we rely on standard contractual clauses or other appropriate safeguards, ensuring that your data is protected in accordance with GDPR standards.</p>
<h3><strong>Use of Cookies and Other Trackers</strong></h3>
<p>Our website uses cookies and similar tracking technologies to improve your browsing experience, understand how you use our site, and show you personalized advertising. You can manage your cookie preferences through your browser settings.<br /><br /><em>Example</em>: We use cookies to remember items in your cart, so you don't lose them while browsing other parts of the site.<br /><br />You can access our full cookie policy [here].</p>
<h3><strong>Data Subject Rights</strong></h3>
<p>Under GDPR, you have the right to:</p>
<ol>
<li><strong>Access your personal data</strong><br /><em>Example</em>: You can request a copy of all the personal information we hold about you, such as your account details, order history, and preferences.</li>
<li><strong>Rectify incorrect data</strong><br /><em>Example</em>: If you notice an error in your personal details (like a misspelled name or incorrect address), you can request that we correct it.</li>
<li><strong>Erase your data in certain circumstances</strong><br /><em>Example</em>: You can request the deletion of your account data if you no longer wish to use our services or if your data is no longer necessary for the purposes it was collected.</li>
<li><strong>Restrict or object to processing</strong><br /><em>Example</em>: If you believe your data is being processed unlawfully or if you no longer wish to receive marketing emails, you can request that we restrict or stop processing your personal data.</li>
<li><strong>Data portability</strong><br /><em>Example</em>: You can request a copy of your data in a machine-readable format, which can be transferred to another service provider.</li>
</ol>
<h3><strong>Data Security</strong></h3>
<p>We take appropriate measures to ensure data security, protect against unauthorized access, and comply with GDPR.</p>
<ol>
<li><strong>Technical Measures</strong><br /><em>Example</em>: We use encryption for payment transactions and secure your personal account data with multi-factor authentication.</li>
<li><strong>Organizational Measures</strong><br /><em>Example</em>: Our employees and contractors are trained on GDPR requirements, and access to your personal data is restricted to those who need it to perform their roles.</li>
</ol>
<h3><strong>Data Retention</strong></h3>
<p>Personal data is retained as long as necessary for the purposes stated, unless a longer retention period is required or permitted by law.<br /><br /><em>Example</em>: We store your order history for a period of 7 years for tax and auditing purposes, after which it will be anonymized or deleted.</p>
<h3><strong>Changes to this Policy</strong></h3>
<p>We may update this policy. We will notify you of significant changes and update the “last updated” date at the top of the policy.<br /><br /><em>Example</em>: If we introduce new features on our website that require additional data collection or processing, we will update this policy and inform you about the changes.</p>
<h3><strong>Contact Us</strong></h3>
<p>For questions or to exercise your data protection rights, please contact us at:</p>
<ul>
<li><strong>Data Controller</strong>: [Your Company Name]</li>
<li><strong>Address</strong>: [Your Full Address]</li>
<li><strong>Email</strong>: [Email Address]</li>
<li><strong>Phone Number</strong>: [Phone Number]</li>
</ul>
<p><br />This document was generated with the use of the <a href="https://www.iubenda.com/en/help/45520">GDPR privacy policy template</a>.</p>
The same GDPR Privacy Policy Template shown above can also be pasted directly into your WordPress editor.
Non-compliance can have serious consequences.
GDPR is well-known for its hefty fines, which can amount to up to EUR 20 million (€20m) or 4% of the annual worldwide turnover – whichever is greater.
But perhaps equally concerning are the other potential sanctions: official reprimands (for first-time violations), periodic data protection audits and liability for damages.
You can quickly create a GDPR-compliant privacy policy using a privacy policy generator like iubenda. The generator guides you through entering details about your site or app, what personal data you collect, and how you use it. iubenda’s easy-to-use privacy policy creator helps you make a customizable policy in minutes that meets GDPR standards.
Make sure your policy is easy to understand. It should explain people’s rights, such as how they can access, change, or delete their data, and how to object to the use of their data. With our free GDPR privacy policy generator, you can easily add these key points, making sure your policy fits your business perfectly.
Generate a free Privacy Policy for your website that is customizable, professional, and drafted by an international legal team. A simple way to handle GDPR compliance.
A standard GDPR privacy policy is a document that outlines to users how a website, app, or organization collects, uses, shares, and manages personal data in compliance with the General Data Protection Regulation (GDPR) standards. This policy should be easily accessible, written in clear and straightforward language, and must include:
The GDPR stands on seven main principles that govern the handling of personal data:
The GDPR, or General Data Protection Regulation, is a comprehensive data protection law that came into effect on May 25, 2018, in the European Union. It is designed to give individuals more control over their personal data and to unify data protection regulations across all EU member states.
The GDPR applies to any organization, regardless of location, that processes the personal data of EU residents. It requires transparency, security, and accountability from data processors and controllers, and gives individuals the right to access, correct, delete, and restrict the processing of their data, including how it’s collected, used, protected or interacted with in general.
While the GDPR is governed by several principles and detailed provisions, three core rules or requirements can be highlighted for simplification:
These rules are part of the broader framework established by the GDPR to protect personal data and ensure privacy rights.
Below, we explore how several well-known brands, including e-commerce platforms and service providers, articulate their GDPR privacy policies. We delve into the privacy policies of Barbour, a British luxury and lifestyle brand known for its outerwear, and Squarebird, a digital marketing and web development agency, to provide a broader perspective on privacy practices across different industries.
❗️ These GDPR privacy policy examples showcase the diversity of privacy policies across different sectors, from tech and e-commerce to lifestyle brands and digital marketing agencies. Each organization’s approach to GDPR compliance reflects its unique data processing activities and customer interactions.
For the most accurate and up-to-date information, it’s essential to refer directly to the privacy policies on each company’s website.
iubenda’s tools can help you achieve GDPR compliance in minutes. Access our full range of GDPR solutions here.