Why is a privacy policy mandatory?
The GDPR requires you to inform data subjects about how you process their personal data. The privacy policy is how you do that.
It is not about creating a legal document nobody reads. It is about communicating clearly and honestly about:
- What data you collect
- Why you collect it
- What you do with it
- How long you keep it
- What rights people have
What must it contain?
The GDPR (Articles 13 and 14) specifies exactly what information you must provide. Below are the mandatory elements:
1. Who are you?
The name and contact details of your organisation (the data controller). If you have a Data Protection Officer (DPO), include their contact details as well.
2. What data do you collect?
Be specific. Not “personal information”, but:
- Name, email address, phone number (via contact form)
- IP address, browser type, pages visited (via analytics)
- Payment details (via the ordering process)
- Employee data (via HR processes)
3. What do you use the data for?
Per category of data, state the purpose. Examples:
- “To respond to your enquiry via the contact form”
- “To process and ship your order”
- “To improve our website based on usage statistics”
- “To send our newsletter (only with your consent)”
4. What is your legal basis?
The GDPR provides six legal bases. The ones most commonly used by SMEs are:
- Consent (e.g. newsletter, marketing cookies)
- Performance of a contract (e.g. processing an order)
- Legal obligation (e.g. accounting retention requirements)
- Legitimate interest (e.g. security, analytics)
5. Who do you share data with?
List all parties that have access to the data, for example:
- Your accountant
- Your email marketing tool (Mailchimp, ActiveCampaign)
- Your hosting provider
- Google Analytics (if used)
- Payment provider (Mollie, Stripe)
State whether data is processed outside the EU.
6. How long do you keep the data?
State the retention period per data type, for example:
- Customer data: duration of the relationship + 2 years
- Invoicing data: 7 years (legal retention obligation)
- Contact form: 2 years after last contact
- Analytics data: maximum 26 months
7. What rights do data subjects have?
Refer to the rights under the GDPR:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to data portability
- Right to object
State how they can exercise these rights (email address, contact form) and that they can lodge a complaint with the supervisory authority.
8. Cookies
If your website places cookies, describe which cookies, for what purpose, and how visitors can withdraw their consent. This can be included in the privacy policy itself or in a separate cookie policy.
Common mistakes
- Copied from the internet without adapting it to your situation - a generic policy that does not match your business is worse than no policy at all
- Legal jargon that nobody understands - write in the language of your target audience
- Outdated because you started using a new tool but did not update the policy
- Hard to find on your website - place a link in the footer of every page
- No separate policy for employees - your staff have the same right to information as your customers
Checklist
- Your policy states your company name and contact details
- You describe specifically what data you collect and why
- You state the legal basis per processing activity
- You list all parties you share data with
- You describe the retention periods
- You inform data subjects about their rights
- You state how data subjects can get in touch
- You mention the right to lodge a complaint with the supervisory authority
- The policy is written in clear, understandable language
- The policy is easy to find on your website (link in footer)
GDPRWise scans your website, detects what data you process and who you share it with, and automatically generates a privacy policy tailored to your situation.