GDPR Privacy Policy Template

In May 2018, one of the strictest and most comprehensive data protection laws in the world came into effect - the EU General Data Protection Regulation (GDPR). Complying with the GDPR has required a lot of businesses to closely review their procedures and practices.

One of the most important tasks for your business under the GDPR is to create a Privacy Policy (sometimes called a Privacy Notice). If you already have such a policy, you'll need to update it in order to make sure it meets the GDPR's new requirements.

What is a GDPR Privacy Policy?

A Data Protection Policy provides anyone who interacts with your business with a complete picture of:

  • What personal data your business collects
  • How and why you use personal data
  • What rights individuals have over the personal data you collect.

Your Data Protection Policy needs to be written in clear and simple language, and easily accessible on your website.

Businesses That Need a GDPR Privacy Policy

Part of the reason that the GDPR is such a big deal is because it applies to so many businesses. It's not only EU companies that have to comply - it's any company (or individual, or charity) that wants to do business in the EU, wherever it's based.

The GDPR covers anyone providing goods or services to individuals in the EU, or monitoring the behavior of such individuals. It doesn't matter whether or not you're making a profit. Obviously this applies to businesses running ecommerce stores or social networks. But the law can also apply to anyone operating a:

  • Mobile app
  • Facebook Page
  • SaaS app

Activities Covered by a GDPR Privacy Policy

Two very important terms in the GDPR are "processing" and "personal data." Processing personal data is something practically every organization does.

"Personal data" is defined in Article 4(1) of the GDPR as any piece of information that relates to an identifiable person. The most obvious example is a person's name. Their physical address or email address can also be personal data.

There are also more obscure types of information which the EU considers personal data. For example:

  • Data collected by cookies
  • An IP address
  • GPS location data

If it's technically possible to use this information to identify someone, you should assume that it's personal data under the law.

Then there's "processing," which refers to "any operation or set of operations" performed on personal data. Pretty much anything can qualify as processing under the GDPR, so long as it's at least partially automated or forms part of a filing system.

  • Running targeted ads on your website? Using tracking cookies is processing personal information.
  • Compiling a mailing list? That's processing personal data - whether it's used for marketing or not.
  • Accepting purchases through an online store? I'm sure you can see where this is going...

What to Include in Your GDPR Privacy Policy

Your company may already have this type of policy in place. Several other laws require it, including California's CalOPPA, Canada's PIPEDA and the EU's previous privacy law - the Data Protection Directive.

But the GDPR introduces some new requirements. Anything you created to comply with any other law will most likely not be sufficient.

Here's what you need to provide in your GDPR Privacy Policy.

Contact Details

The GDPR requires you to publish the name and contact details of the data controller. "Data controller" is another key term in the GDPR. It refers to anyone who "determines the purposes and means" of processing personal data.

So, for example, an ecommerce store is a data controller. To allow you to make a purchase, the store must decide the means of processing your personal data, e.g. by asking you to enter your shipping address on its website. It must also decide on the purpose of processing your personal data - to send you your product.

Because your business in some way decides how and why personal data is processed, it qualifies as a data controller. Even deciding to do something as small as collecting IP addresses to run website analytics makes you a data controller.

Whether you're the data controller or someone else is, let people know by including data controller contact details in your Privacy Policy.

Here's how Peyton and Byrne does this:

Peyton and Byrne Privacy Policy: Clause with data controller contact information

It's not necessary to include the term "data controller" in this clause. Here's another example from Snap Surveys:

Snap Surveys Privacy Policy: Contact information clause

If you have a Data Protection Officer (DPO), you're also required to provide their contact details in your Privacy Policy.

Only certain organizations need to nominate a DPO. The DPO monitors data protection practices within the organization and acts as the main contact for data protection enquiries. Articles 37-39 of the GDPR provide more information about the DPO.

Here's how NHS England provides contact details for its DPO:

NHS England Privacy Notice: DPO contact details clause

Categories of Personal Data

Think about all the different ways your company processes personal data. For example, when shopping at an ecommerce store, here are some of the ways that a customer's personal data could be processed:

  • Their IP address is recorded in the log files.
  • Cookies are placed on their computer.
  • Their activities are monitored by analytics software.
  • They provide their name, email address, shipping address and payment card details when making a purchase.

And that's potentially just the first five minutes of the customer's relationship with the business.

Your GDPR Privacy Policy needs to disclose what types of personal data you collect from people directly (Article 13) and indirectly (from other sources) (Article 14). This doesn't only include your customers. You're probably collecting personal data from other people, too. Your Data Protection Policy is a public-facing document that anyone can access.

Here's an example from Electrolux:

Electrolux Data Privacy Statement: Types of personal data we collect clause

Electrolux is really covering all bases here. It's difficult to imagine how a customer's air humidity or water hardness might constitute personal data. But when combined with other information, it does reveal something about a person.

This is a good example of a company that has clearly thought carefully about all the different types of data it collects and does a great job of disclosing it all.

Why and How You Process Personal Data

You need to have a purpose for every piece of personal data you're collecting. If you don't need it - don't collect it.

This sounds like common sense, but for many years, some companies were collecting as much personal data as they could - through server logs, tracking cookies or unnecessary sign-up details (such as asking for someone's gender when they're signing up for your email newsletter).

Your Privacy Policy needs to explain your purposes for processing the various types of personal data you collect.

Here's an excerpt of a clause that discloses this from Amazon Europe:

Amazon UK Privacy Notice: Excerpt of clause about what purposes personal information is processed

Your Legal Bases

Under the GDPR, you need to have a legal basis for all the data processing you carry out. Article 6 of the GDPR lists the six legal bases. If none of these apply, processing someone's personal data is not allowed.

  • Consent - You've gained the person's permission in a way that's compatible with the GDPR. For example, they've given you their email address and asked you to add them to your mailing list.
  • Contract - You have a contract with the person, or you're about to enter into one, and you need to process their personal data to fulfill your obligations. For example, the person has bought one of your products and you need to pass on their address to a shipping company.
  • Legal obligation - You need to process a person's personal data in order to comply with the law. For example, you've been ordered to provide information by a court.
  • Vital interests - A person's life would be at risk if you fail to process personal data in a particular way. For example, passing on a person's medical records to a surgeon where the person is unable to consent.
  • Public task - Certain organizations can process personal data for reasons of public interest, in some official capacity. For example, a water or electricity company carrying out public works might need to store a list of addresses.
  • Legitimate interests - You are processing personal data in a way that is in your or someone else's interests. It is lawful, ethical, necessary and in line with the person's reasonable expectations. You have carried out a Legitimate Interests Assessment. For example, a restaurant that keeps a list of customers who have been banned from the premises.

You'll need to think carefully about your legal basis for each means of data processing and explain this to your customers.

Here's an example from recruitment company Ian Williams:

Ian Williams Privacy Notice: Legal bases clause

If you're relying on legitimate interests, you also need to provide details of your Legitimate Interests Assessment.

If you're relying on contract or legal obligation, you need to let your customers know what might happen if they don't provide the necessary personal data.

Here's an example from Writeupp:

Writeupp Privacy Policy: If you fail to provide personal information clause

Note that this sort of restriction to services is not acceptable if you are relying on consent.

Third Parties

Personal data gets passed around a lot. It's important that your customers can keep track of what will happen to their personal data once you've collected it.

In a typical day your personal data might be shared online with third parties such as:

  • Analytics services
  • Third party advertisers
  • Payment processors
  • Mail carriers
  • Direct marketing companies

You only need to disclose the categories (types) of third parties with whom you share personal data in your Data Protection Policy.

Here's part of this section of Facebook's Data Policy:

Facebook Data Policy: Sharing with third-party partners clause

International Transfers

Transferring data outside of the EU is allowed under the GDPR, but under certain conditions. There are a couple of bases you need to cover in your GDPR Privacy Policy.

You need to disclose:

  • Whether you're transferring personal data to a third country outside of the EU.
  • Whether the third country has been deemed by the European Commission to have adequate data protection standards.
  • If the third country hasn't been deemed "adequate," details of the safeguards, rules or considerations that you have in place under Articles 46, 47 or 49.

Let's take a look at how M Squared approaches this:

M Squared Privacy Policy: Excerpt of International Transfers clause discussing safeguards

There are three ways that the company ensures that international transfers of personal data are safe.

  • Adequacy decisions - Certain countries are deemed safe by default. You can transfer data to them in the same way that you might transfer data within a single country, or around the EU. You can view the list of countries here.
  • Specific contracts - Where countries are not on the approved list, the European Commission provides model contracts which can be used to ensure that there is a legally binding level of data protection.
  • Privacy Shield - The United States is not on the European Commission's approved list. However, US companies can sign up for the EU-US Privacy Shield, which will allow them to participate in international data transfers.

Data Storage Periods

Your Data Protection Policy needs to disclose how long you'll be keeping the various types of personal data you hold - or at least the method you use to determine this.

One of the key principles of the GDPR is "storage limitation." You must only keep personal data for as long as you actually need it. This might be several years such as in the case of some banking information or meeting records, or it might be several days in the case of certain web server log data.

Whatever your storage period is for a particular type of personal data, you need to be able to justify it, and you need to disclose it.

Here's an example from Nestle:

Nestle Privacy Policy: Retention of your personal data clause

In some cases it's not possible to give a storage period in days or years because the duration will vary according to the nature of the customer's relationship with the company. This is fine, so long as you explain this.

Bosch also provides details of the different periods for which cookies are stored:

Bosch Data Protection Policy: Excerpt of Overview of Marketing Tools and Cookies clause

Data Rights

One of the ways that the GDPR achieves its aim of bringing people greater control over their personal data is through the eight data rights it provides. These are set out in Article 3 of the GDPR.

Some of these rights require specific action to be taken by the data controller on request. For example, under the right of access, a customer could approach you for a copy of any of the personal data you hold on them. Or under the right to erasure, they can request that you delete certain personal data.

Your Data Protection Policy must let people know what their rights are, and how they can access or exert them.

Here's an example of some of the rights, as explained by Crunch:

Crunch Privacy Policy: Excerpt of Your Rights clause

You also need to let people know that they can make a complaint to a Data Protection Authority if they aren't happy with the way you have processed their personal data.

Here's an example from Resolver:

Resolver Privacy Policy: Complaints clause

If your company makes certain important decisions automatically, you need to explain this to your customers. The rules around automated decision-making are explained in Article 22 and Recital 71 of the GDPR.

Here's how Chubb explains this:

Chubb Privacy Policy: Automated Decision Making and Profiling clause

Summary of Your GDPR Privacy Policy

The GDPR requires you to provide information about practically everything you do with people's personal data. This can be a daunting task, but you need to do it to comply with the law. It will also help to ensure that you're adhering to the best data protection practices possible.

Your Data Protection Policy needs to include:

  • Contact details for your company and DPO (if applicable)
  • The categories of personal data you collect
  • Information about how and why you process personal data (your purposes)
  • Your legal bases for processing personal data
    • If you're relying on legitimate interests, details of your Legitimate Interests Assessment
    • If you're relying on contract or legal obligation, details of what will happen if people fail to provide this personal data
  • The categories of third parties with whom you share personal data
  • Details of any international transfers of personal data
  • How long you store personal data
  • The rights people have over their personal data.
    • Explain how you can help people facilitate these rights
    • Explain whether you carry out any automated decision-making