Practically every company needs a Privacy Policy, which is where you explain how your company collects, uses, shares, and otherwise processes personal data. A Privacy Policy is particularly important if you or your customers are based in the EU or the wider European Economic Area (EEA), where the General Data Protection Regulation (GDPR) applies, or in the UK, which kept the same rules in domestic law as the "UK GDPR."
Under the GDPR, your Privacy Policy must explain almost every aspect of how your company uses personal data.
This article will break down the EU's Privacy Policy requirements, using real examples to help you understand your obligations.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Writing Your EU Privacy Policy
- 2. What to Include in Your EU Privacy Policy
- 2.1. Introduction
- 2.2. Identity of the Data Controller
- 2.3. Categories of Personal Data Processed
- 2.4. Your Purposes and Legal Basis
- 2.5. Storage Period
- 2.6. Recipients of Personal Data
- 2.7. Sources of Personal Data
- 2.8. International Data Transfers
- 2.9. Data Subject Rights
- 3. Do I Need a Separate Cookies Policy?
- 4. How to Display Your EU Privacy Policy
- 5. Summary
Writing Your EU Privacy Policy
Keep your Privacy Policy as simple as possible while still including all the necessary information. Organize the document into sections and subsections to make it easier to navigate. Do not use "legalese" or complex technical language in your Privacy Policy.
The GDPR (Article 12) states that any information provided to data subjects (living, identifiable individuals) must be:
- Concise
- Transparent
- Intelligible
- Easily accessible
You must use "clear and plain language," particularly if you believe children may use your services.
Your Privacy Policy should be available in any language spoken by your customers (or target customers).
What to Include in Your EU Privacy Policy
The GDPR doesn't mention the term "Privacy Policy" or "Privacy Notice." The law states what information you must provide people whose personal data you process. Most of the GDPR's transparency information is in Articles 13 and 14 of the GDPR.
Note that there are slightly different rules depending on whether you obtain personal data directly or indirectly from the data subject. The guidance below covers both scenarios.
Introduction
Writing an introduction to your Privacy Policy isn't a legal requirement. But most Privacy Policies include an introduction that explains a bit about the company and the relevant law.
Some companies use their brand voice to write an informal introduction. Here's how Twitter introduces its Privacy Policy:
Identity of the Data Controller
Your Privacy Policy must include the "identity and contact details of the controller."
For most purposes, your company is likely to be "the controller," so you should provide your company's name and contact details. You should also mention if you act as a "joint controller" in some circumstances.
You must also provide the contact details of your data protection officer (DPO), if you have appointed one, and of your EU representative, which Article 27 requires if you offer goods or services to (or monitor) people in the EU without being established there.
Here's how The Access Group meets all these requirements:
Categories of Personal Data Processed
You should explain the categories (types) of personal data you process.
Keep in mind that both "personal data" and "processing" are very broad terms under the GDPR. Read more in What Activities Count as Processing Under the GDPR?
Here's part of Next Steps' Privacy Policy explaining some of the personal data the company processes:
Your Purposes and Legal Basis
You must explain your purposes for processing each category of personal data, plus your legal basis (one of the six set out in Article 6) for processing each category. If you process "special category" data such as health or biometric data, you must also meet one of the separate conditions in Article 9, and you should say which one.
You could present this information in a table, listing the categories of personal data in one column, followed by your legal basis for processing, and finally, your purposes for processing.
Here's how Bactobio does this:
If you rely on the legal basis of "legitimate interests," you must provide further information about the legitimate interests that you or a third party are pursuing.
Here's how Experian does this:
If you're relying on "contract" or "legal obligation," you must explain what will happen if the data subject fails to provide the personal data.
Here's how Design Integration does this:
Storage Period
You must explain how long you will store personal data. This can be a specific duration (e.g., two years) or linked to a particular action (e.g., "until you delete your account"). Where a fixed period isn't possible, the GDPR lets you state the criteria you use to decide the period instead, but "as long as necessary" on its own is not enough.
Here's how Snap does this:
Recipients of Personal Data
You must list any processors, other controllers, or third parties that will receive the personal data you control.
An EU court case (the Court of Justice's 2023 judgment in Österreichische Post, Case C-154/21) clarified that controllers must tell data subjects the specific identities of the recipients of their data when they ask, unless that is impossible or the request is manifestly unfounded or excessive. You should therefore consider listing the specific identities of anyone that will receive personal data in your Privacy Policy rather than waiting for requests.
You can list the "categories" of recipients if you don't yet know the names of some recipients (for example, if you are planning to launch an email marketing campaign but have not yet selected a vendor).
Keep in mind that third-party cookie providers might also qualify as "recipients" of personal data. We'll explain more about how cookies fit into your Privacy Policy below.
Here's how Zeidler lists its third-party recipients of personal data:
Sources of Personal Data
If you obtain personal data indirectly from the data subject (including from third parties, public sources, or third-party cookies), you must list your sources of personal data. Many Privacy Policies also list the types of personal data they receive directly from data subjects.
Here's how Lajna UK does this:
International Data Transfers
If you transfer personal data outside the EEA (or, under the UK GDPR, outside the UK), you must say that you do so and explain which international data transfer safeguards you rely on: an adequacy decision for the destination country, or appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, along with how the data subject can obtain a copy of those safeguards.
Here's how The Guardian does this:
Data Subject Rights
Your EU Privacy Policy should inform people of their data subject rights and explain how they can make a data subject rights request.
Here's how Air Quality News lists the rights of data subjects under the GDPR:
Later on in the Privacy Policy, the company explains how people can exercise their rights. Here's an example regarding the right of access:
If you rely on consent for any processing of personal data, you should also notify people of their right to withdraw consent at any time, and that withdrawing it does not affect the lawfulness of processing carried out before the withdrawal.
Here's how Advocacy Matters does this:
You must also disclose that people have the right to lodge a complaint with a data protection authority about how you have processed their personal data.
Here's an example from Experian:
If you engage in "automated individual decision-making with legal or similarly significant effects" (for example, AI-driven recruiting or credit checks, as covered by Article 22), you must say so, provide meaningful information about the logic involved and the significance and likely consequences of that processing for the data subject, and notify people of their rights in this area.
Here's an example from Chubb:
Your Privacy Policy might need additional information depending on what other privacy laws you may have to comply with elsewhere in the world.
Check out our article Privacy Laws By Country for more detailed information.
Do I Need a Separate Cookies Policy?
The GDPR does not require you to create a separate Cookies Policy in addition to your Privacy Policy. You can use your main Privacy Policy to disclose all the details of how you use cookies.
However, many companies do create a separate Cookies Policy. This is fine, as long as you provide some basic information in your Privacy Policy, and direct people to view your Cookies Policy for more information.
The EU's rules on cookies mainly come from the ePrivacy Directive (sometimes called the EU Cookie Law). Under this law, you must disclose "clear and comprehensive information" about how you use cookies, whether or not those cookies collect personal data, and you must obtain the user's consent before setting any cookie that is not strictly necessary to provide a service the user has requested.
Cookies that collect personal data (which includes most marketing and analytics cookies) are also covered by the GDPR. All the above transparency rules apply to your use of these cookies.
Whether you explain your cookies practices via your Privacy Policy or a separate Cookies Policy, you should disclose at least the following information:
- What cookies are
- Which cookies you use
- Your purposes for using each cookie
- Which third parties might have access to your users' data via these cookies
- How long cookies will remain on a user's device
- How users can control cookies
You can display some of this information in a table. Here's how the European Commission does this:
Next we'll look at how to display your Privacy Policy after it's drafted and ready to be shared with the public.
How to Display Your EU Privacy Policy
You should display a link to your EU Privacy Policy in the following places:
- On your website's homepage
- On your cookie banner or within your cookie consent notice
- On any webpage on which you collect personal data (for example, via cookies)
- Alongside forms that collect personal data
- At checkout
- Within the "settings" menu (or other relevant menu) of your mobile app
- In any other location where you collect personal data
Let's look at some examples of how companies display their Privacy Policy links.
Here's how Bupa displays a Privacy Policy link on its website's footer:
Here's how the ICO displays a Privacy Policy link alongside its newsletter signup form:
Here's how Tesco links to its Privacy Policy during the account creation process:
And here's how the BBC Weather Android app links to a Privacy Policy in the app's "settings" menu:
Summary
Here's a summary of all the information you must include in your EU Privacy Policy:
- The identity and contact details of the data controller, including (if applicable):
  - Contact details for your EU representative
  - Contact details for your data protection officer (DPO)
- The categories of personal data you process
- Your purposes for processing personal data
- Your legal bases for processing personal data
  - If you rely on "legitimate interests," details about the legitimate interests you're pursuing
  - If you rely on "contract" or "legal obligation," information about what will happen if the data subject fails to provide personal data
- Information about how long you will store personal data
- Details of any recipients of personal data
- Information about your sources of personal data
- Information about the safeguards you rely on for any international transfers of personal data
- Information about the GDPR's data subject rights, including:
  - An explanation of each data subject right
  - Instructions on how to exercise each right
  - If you rely on consent, instructions on how to withdraw consent
  - If you engage in certain types of automated processing, information on the rights of data subjects in this area
  - Details of the relevant data protection authority (DPA) if people wish to make a complaint
Remember to provide a link to your Privacy Policy on your homepage, your app's settings menu, and any other place you collect personal data.