GDPR Privacy Policies: What You Must Disclose
Your privacy policy serves as a key legal document that addresses GDPR's transparency requirements. It needs to clearly explain how you collect, use, and protect personal data. Privacy policy deficiencies can trigger regulatory scrutiny even when an organization's underlying practices are sound.
A Note on Terminology: GDPR Articles 13 and 14 require organizations to provide specific "information" to data subjects—the regulation doesn't actually use the term "privacy policy." The external-facing document containing this required information is more precisely called a "privacy notice," while "policy" typically refers to internal procedures. However, "privacy policy" has become the widely accepted industry term for external notices, and we use it throughout this guide to align with common usage and search behavior.
Key Takeaways
| Point | Summary |
|---|---|
| Required content | Identity, purposes, legal basis, recipients, retention periods, rights, international transfers |
| Plain language | Clear, simple language - avoid legal jargon |
| Easily accessible | Prominent link on website, provided at data collection |
| Keep current | Update when practices change; notify users of material changes |
| Layered approach | Short summary + full policy works best for user experience |
Quick Answer: Your privacy policy must include: who you are, what data you collect, why (legal basis), who you share with, how long you keep it, and user rights. Write in plain language and keep it easily accessible.
Why Privacy Policies Matter
Under GDPR's transparency principle, you must inform individuals about your data processing in clear, plain language.
Legal Compliance:
- Meets GDPR Article 13/14 requirements
- Demonstrates transparency
- Provides evidence of disclosure
User Trust:
- Shows commitment to privacy
- Helps users make informed decisions
- Differentiates from competitors
Risk Mitigation:
- Reduces complaint likelihood
- Supports defense in disputes
- Demonstrates good faith
Required Privacy Policy Contents
GDPR Articles 13 and 14 specify exactly what you must include:
When Collecting Data Directly (Article 13)
| Requirement | Example Content |
|---|---|
| Controller Identity | Company name, address, registration |
| Contact Details | Email, postal address, contact form |
| DPO Contact | If applicable, DPO name and contact |
| Processing Purposes | Account management, service delivery, marketing |
| Legal Basis | Contract, consent, legitimate interests |
| Legitimate Interests | If applicable, what interests you're pursuing |
| Recipients | Categories of third parties receiving data |
| International Transfers | Countries outside EU/EEA, safeguards used |
| Retention Period | How long you keep data |
| User Rights | Access, rectification, erasure, etc. |
| Right to Withdraw Consent | If consent is your legal basis |
| Right to Complain | To supervisory authority |
| Statutory/Contractual Requirement | Whether providing data is required |
| Automated Decision-Making | If used, the logic involved and the likely consequences for the person |
When Obtaining Data Indirectly (Article 14)
Additional requirements when you didn't collect data directly from the person:
| Requirement | Example Content |
|---|---|
| All Article 13 items | See above |
| Source of Data | Where you obtained the data |
| Categories of Data | Types of data you hold |
| Timing | Within a reasonable period and at the latest within one month, or at first communication with the person if that comes sooner |
Privacy Policy Structure
Recommended Sections
1. Introduction: Who you are, what this policy covers, how to contact you
2. Information We Collect: Data you provide, data collected automatically, data from third parties
3. How We Use Your Information: Purpose-by-purpose breakdown, legal basis for each purpose
4. Sharing Your Information: Categories of recipients, third-party services, legal requirements
5. International Transfers: Countries involved, safeguards in place
6. Data Retention: How long we keep data, criteria for determining periods
7. Your Rights: List of all GDPR rights, how to exercise them
8. Security: Overview of measures, your responsibilities
9. Cookies: What cookies we use, link to cookie policy
10. Children's Privacy: Age restrictions, parental consent
11. Changes to This Policy: How we notify changes, policy version/date
12. Contact Us: Privacy inquiries, DPO contact
Writing Clear Privacy Policies
Language Requirements
| Principle | Implementation |
|---|---|
| Plain Language | Avoid legal jargon |
| Concise | Don't be unnecessarily lengthy |
| Transparent | No hidden meanings |
| Accessible | Easy to find and read |
| Age-Appropriate | If targeting children |
Good vs. Bad Examples
Bad: Legal Jargon
"The Controller may process Personal Data for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract."
Good: Plain Language
"We process your data to provide the services you've signed up for. For example, when you create an account, we use your email address to set up your profile and send you important updates about your account."
Bad: Vague
"We may share your data with third parties for business purposes."
Good: Specific
"We share your data with:
- Stripe (payment processing)
- AWS (data hosting)
- Intercom (customer support)
Each provider only receives the data necessary for their service."
Layered Privacy Notices
For better user experience, use a layered approach:
Layer 1: Short Notice (At Collection)
- Key information at a glance
- Who you are
- Main purposes
- Link to full policy
- Displayed prominently
Layer 2: Summary (On Website)
- Expandable sections
- Visual presentation
- Key points highlighted
- Links to detailed sections
Layer 3: Full Policy
- Complete legal document
- All required disclosures
- Detailed explanations
- Always accessible
Short Notice Example
We use your email to:
• Send your purchase receipts
• Provide customer support
• Send product updates (with your consent)
[Read our full Privacy Policy]
Just-in-Time Notices
Provide relevant information at the point of collection:
| Collection Point | Just-in-Time Notice |
|---|---|
| Registration Form | "We'll use this email for account notifications and support." |
| Newsletter Signup | "You'll receive weekly updates. Unsubscribe anytime." |
| Cookie Banner | "We use cookies for analytics and personalization." |
| Payment Page | "Payment processed securely by Stripe. We don't store your card." |
Keeping Your Policy Updated
When to Update
| Trigger | Action Required |
|---|---|
| New Data Collection | Add to policy before collecting |
| New Processing Purpose | Update purposes section |
| New Third-Party Sharing | Add recipient to policy |
| New Legal Basis | Update legal basis section |
| Business Changes | Review entire policy |
| Annual Review | Best practice even without changes |
Communicating Changes
| Change Type | Notification Method |
|---|---|
| Material Changes | Email notification + prominent website notice |
| Minor Updates | Website notice + updated date |
| Any Changes | Update "last modified" date |
Version Control
- Maintain dated versions
- Keep historical copies
- Document what changed and when
- Reference version in consent records
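The version-control and change-communication practices above are easier to enforce when the policy text itself is treated as versioned data. The following Python module is an added example (it is not code from this guide or from Bastion): it keeps each dated policy revision with a hash of its exact wording, ties every consent record to the version that was shown, verifies later that a stored consent still matches the archived text (the "evidence of disclosure" mentioned earlier), and, after a change flagged as material, lists the users whose latest consent predates it and who therefore need the email notification described in the Communicating Changes table. All class names, the `material` flag, the user ids and the policy wording are constructed for this example.

```python
"""Added example: a minimal privacy-policy version registry with consent records.
Not part of the original guide; names, flags and sample data are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PolicyVersion:
    """One dated, immutable revision of the privacy policy text."""
    version: str
    effective: date
    text: str
    material: bool = False      # assumed flag: True when users must be notified
    change_note: str = ""        # what changed and why (kept with the version)

    @property
    def digest(self) -> str:
        # Hash of the exact wording, so a consent record can prove what was shown.
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    policy_version: str
    policy_digest: str
    given_on: date


class PolicyRegistry:
    def __init__(self) -> None:
        self._versions: list[PolicyVersion] = []    # publication order
        self._consents: list[ConsentRecord] = []

    def publish(self, pv: PolicyVersion) -> None:
        # Historical copies are never overwritten or removed; only appended.
        if any(v.version == pv.version for v in self._versions):
            raise ValueError(f"version {pv.version} already published")
        if self._versions and pv.effective < self._versions[-1].effective:
            raise ValueError("effective date must not precede the previous version")
        self._versions.append(pv)

    def current(self) -> PolicyVersion:
        return self._versions[-1]

    def record_consent(self, user_id: str, given_on: date) -> ConsentRecord:
        # Consent always references the version (and digest) in force when given.
        cur = self.current()
        rec = ConsentRecord(user_id, cur.version, cur.digest, given_on)
        self._consents.append(rec)
        return rec

    def latest_consent(self, user_id: str) -> Optional[ConsentRecord]:
        mine = [c for c in self._consents if c.user_id == user_id]
        return max(mine, key=lambda c: c.given_on) if mine else None

    def consent_is_verifiable(self, rec: ConsentRecord) -> bool:
        """Evidence of disclosure: the stored digest must match the archived text."""
        pv = next((v for v in self._versions if v.version == rec.policy_version), None)
        return pv is not None and pv.digest == rec.policy_digest

    def users_to_renotify(self) -> set[str]:
        """Users whose latest consent predates the most recent material change."""
        index = {v.version: i for i, v in enumerate(self._versions)}
        material = [i for i, v in enumerate(self._versions) if v.material]
        if not material:
            return set()
        cutoff = material[-1]
        stale = set()
        for user in {c.user_id for c in self._consents}:
            rec = self.latest_consent(user)
            if rec is not None and index[rec.policy_version] < cutoff:
                stale.add(user)
        return stale

    def history(self) -> list[tuple[str, str, str]]:
        """Dated version list with change notes, for the 'Changes to This Policy' section."""
        return [(v.version, v.effective.isoformat(), v.change_note) for v in self._versions]


def build_sample_registry() -> PolicyRegistry:
    """Constructed scenario (hypothetical data): three revisions, three users."""
    reg = PolicyRegistry()
    reg.publish(PolicyVersion("1.0", date(2024, 1, 10),
                              "We share data with Stripe and AWS.",
                              change_note="initial publication"))
    reg.record_consent("alice", date(2024, 2, 1))
    reg.publish(PolicyVersion("1.1", date(2024, 3, 1),
                              "We share data with Stripe and AWS. Contact: privacy@example.com",
                              material=False, change_note="added contact address"))
    reg.record_consent("bob", date(2024, 3, 15))
    reg.publish(PolicyVersion("2.0", date(2024, 6, 1),
                              "We share data with Stripe, AWS and Intercom. Contact: privacy@example.com",
                              material=True, change_note="new recipient: Intercom (customer support)"))
    reg.record_consent("carol", date(2024, 6, 5))
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    print("versions:", registry.history())
    print("notify about material change:", sorted(registry.users_to_renotify()))
```

In the constructed scenario, version 1.1 is a minor update (website notice and updated date only), while 2.0 adds a new recipient and is flagged material, so `users_to_renotify()` returns alice and bob but not carol, who consented after 2.0 took effect. Because each record stores the digest of the exact text, a consent can be checked against the archived version years later even if the live policy has changed many times since.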
Privacy Policy Checklist
Identity & Contact:
- Company name and legal form
- Registered address
- Contact email/form
- DPO contact (if applicable)
Data Collection:
- Categories of data collected
- Sources of data
- Mandatory vs. optional data
Processing:
- All purposes listed
- Legal basis for each purpose
- Legitimate interests explained
Sharing:
- All recipients/categories listed
- Purpose of each sharing
- International transfers disclosed
Retention:
- Retention periods specified
- Criteria for retention
Rights:
- All GDPR rights listed
- How to exercise each right
- Right to complain to DPA
Technical:
- Cookie information
- Security overview
- Automated decision-making
Practical:
- Easy to find on website
- Clear, plain language
- Dated/versioned
- Works on mobile
How Bastion Helps
Creating and maintaining a compliant privacy policy requires ongoing attention as your business and data practices evolve. Working with experienced partners helps ensure your privacy policy accurately reflects your operations and meets GDPR requirements.
| Challenge | How We Help |
|---|---|
| Policy Creation | Templates tailored to your specific business context and data flows |
| Legal Compliance | Expert review to ensure GDPR requirements are addressed |
| Updates | Guidance on when and how to update policies as practices change |
| Version Management | Support for maintaining historical versions and documenting changes |
| Implementation | Guidance on publishing, layered notices, and just-in-time disclosures |
Having expert support helps ensure your privacy policy is both comprehensive and understandable—avoiding the common pitfall of policies that are legally dense but fail to communicate clearly with users.
Looking for help with your privacy policy? Talk to our team →
