Practically every company needs a Privacy Policy, which is where you explain how your company collects, uses, shares, and otherwise processes personal data. A Privacy Policy is particularly important if you or your customers are based in the EU, or any other European country (such as the UK) where the General Data Protection Regulation (GDPR) applies.

Under the GDPR, your Privacy Policy must explain almost every aspect of how your company uses personal data.

This article will break down the EU's Privacy Policy requirements, using real examples to help you understand your obligations.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option, the App option, or both.

    [Screenshot: TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1]

  2. Answer some questions about your website or app.

    [Screenshot: TermsFeed Privacy Policy Generator: Answer questions about website - Step 2]

  3. Answer some questions about your business.

    [Screenshot: TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3]

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    [Screenshot: TermsFeed Privacy Policy Generator: Enter your email address - Step 4]

    You'll be able to instantly access and download your new Privacy Policy.



Writing Your EU Privacy Policy

Keep your Privacy Policy as simple as possible while still including all the necessary information. Organize the document into sections and subsections to make it easier to navigate. Do not use "legalese" or complex technical language in your Privacy Policy.

The GDPR states that any information provided to data subjects (living individuals) must be:

  • Concise
  • Transparent
  • Intelligible
  • Easily accessible

You must use "clear and plain language," particularly if you believe children may use your services.

Your Privacy Policy should be available in any language spoken by your customers (or target customers).

What to Include in Your EU Privacy Policy

The GDPR doesn't mention the term "Privacy Policy" or "Privacy Notice." The law states what information you must provide people whose personal data you process. Most of the GDPR's transparency information is in Articles 13 and 14 of the GDPR.

Note that there are slightly different rules depending on whether you obtain personal data directly or indirectly from the data subject. The guidance below covers both scenarios.

Introduction

Writing an introduction to your Privacy Policy isn't a legal requirement. But most Privacy Policies include an introduction that explains a bit about the company and the relevant law.

Some companies use their brand voice to write an informal introduction. Here's how Twitter introduces its Privacy Policy:

[Screenshot: Twitter Privacy Policy: Introduction clause]

Identity of the Data Controller

Your Privacy Policy must include the "identity and contact details of the controller."

For most purposes, your company is likely to be "the controller," so you should provide your company's name and contact details. You should also mention if you act as a "joint controller" in some circumstances.

You must also provide the contact details of your data protection officer (DPO) and EU representative, if you have either of these.

Here's how The Access Group meets all these requirements:

[Screenshot: Access Group Privacy Notice: About us clause]

Categories of Personal Data Processed

You should explain the categories (types) of personal data you process.

Keep in mind that both "personal data" and "processing" are very broad terms under the GDPR. Read more in What Activities Count as Processing Under the GDPR?

Here's part of Next Steps' Privacy Policy explaining some of the personal data the company processes:

[Screenshot: Next Step Privacy Policy: Personal data we collect about you clause - Surveys section]

You must explain your purposes for processing each category of personal data, plus your legal basis for processing each category of personal data.

You could present this information in a table, listing the categories of personal data in one column, followed by your legal basis for processing, and finally, your purposes for processing.

Here's how Bactobio does this:

[Screenshot: Bactobio Privacy Policy: Legal bases chart excerpt]

If you rely on the legal basis of "legitimate interests," you must provide further information about the legitimate interests that you or a third party are pursuing.

Here's how Experian does this:

[Screenshot: Experian Our Legal Basis for Processing Your Data page: What is Legitimate Interest section]

If you're relying on "contract" or "legal obligation," you must explain what will happen if the data subject fails to provide the personal data.

Here's how Design Integration does this:

[Screenshot: Design Integration GDPR Policy: How DI Will Process Your Personal Information clause - Bank account details section]

Storage Period

You must explain how long you will store personal data. This can be a specific duration (e.g., two years) or linked to a particular action (e.g., "until you delete your account").

Here's how Snap does this:

[Screenshot: Snap Data Policy: How Long We Keep Your Information clause excerpt]

Recipients of Personal Data

You must list any processors, other controllers, or third parties that will receive the personal data you control.

An EU court case clarified that controllers should tell data subjects the specific identities of any recipients of their data on request. You should consider listing the specific identities of anyone that will receive personal data in your Privacy Policy.

You can list the "categories" of recipients if you don't yet know the names of some recipients (for example, if you are planning to launch an email marketing campaign but have not yet selected a vendor).

Keep in mind that third-party cookie providers might also qualify as "recipients" of personal data. We'll explain more about how cookies fit into your Privacy Policy below.

Here's how Zeidler lists its third-party recipients of personal data:

[Screenshot: Zeidler Privacy Notice: Storing your personal information and transfers outside the UK and EU clause excerpt]

Sources of Personal Data

If you obtain personal data indirectly from the data subject (including from third parties, public sources, or third-party cookies), you must list your sources of personal data. Many Privacy Policies also list the types of personal data they receive directly from data subjects.

Here's how Lajna UK does this:

[Screenshot: Lajna UK Privacy Policy: Where do we get your personal data from clause excerpt]

International Data Transfers

If you transfer personal data outside of the EU (or any other jurisdiction where the GDPR directly applies, such as the UK), you must explain which international data transfer safeguards you use for this.

Here's how The Guardian does this:

[Screenshot: The Guardian Privacy Policy: International Data Transfers clause]

Data Subject Rights

Your EU Privacy Policy should inform people of their data subject rights and explain how they can make a data subject rights request.

Here's how Air Quality News lists the rights of data subjects under the GDPR:

[Screenshot: Air Quality News Privacy GDPR and Cookie Policy: Your Rights clause]

Later on in the Privacy Policy, the company explains how people can exercise their rights. Here's an example regarding the right of access:

[Screenshot: Air Quality News Privacy GDPR and Cookie Policy: How Can You Access Your Data clause]

If you rely on consent for any processing of personal data, you should also notify people of their right to withdraw consent.

Here's how Advocacy Matters does this:

[Screenshot: Advocacy Matters Privacy Policy: Obtaining Your Consent clause]

You must also disclose that people have the right to lodge a complaint with a data protection authority about how you have processed their personal data.

Here's an example from Experian:

[Screenshot: Experian UK Consumer Privacy Policy: Right to contact the ICO supervisory authority section]

If you engage in "automated individual decision-making with legal or similarly significant effects" (for example, AI-driven recruiting or credit checks), you must notify people about their rights in this area.

Here's an example from Chubb:

[Screenshot: Chubb Privacy Policy: Automated Decision Making and Profiling clause]

Your Privacy Policy might need additional information depending on what other privacy laws you may have to comply with elsewhere in the world.

Check out our article Privacy Laws By Country for more detailed information.

Do I Need a Separate Cookies Policy?

The GDPR does not require you to create a separate Cookies Policy in addition to your Privacy Policy. You can use your main Privacy Policy to disclose all the details of how you use cookies.

However, many companies do create a separate Cookies Policy. This is fine, as long as you provide some basic information in your Privacy Policy, and direct people to view your Cookies Policy for more information.

The EU's rules on cookies mainly come from the ePrivacy Directive (sometimes called the EU Cookie Law). Under this law, you must disclose "clear and comprehensive information" about how you use cookies, whether or not those cookies collect personal data.

Cookies that collect personal data (which includes most marketing and analytics cookies) are also covered by the GDPR. All the above transparency rules apply to your use of these cookies.

Whether you explain your cookies practices via your Privacy Policy or a separate Cookies Policy, you should disclose at least the following information:

  • What cookies are
  • Which cookies you use
  • Your purposes for using each cookie
  • Which third parties might have access to your users' data via these cookies
  • How long cookies will remain on a user's device
  • How users can control cookies

You can display some of this information in a table. Here's how the European Commission does this:

[Screenshot: European Commission Cookies Policy: Cookie chart excerpt]

Next we'll look at how to display your Privacy Policy after it's drafted and ready to be shared with the public.

How to Display Your EU Privacy Policy

You should display a link to your EU Privacy Policy in the following places:

  • On your website's homepage
  • On your cookie banner or within your cookie consent notice
  • On any webpage on which you collect personal data (for example, via cookies)
  • Alongside forms that collect personal data
  • At checkout
  • Within the "settings" menu (or other relevant menu) of your mobile app
  • In any other location where you collect personal information

Let's look at some examples of how companies display their Privacy Policy links.

Here's how Bupa displays a Privacy Policy link on its website's footer:

[Screenshot: Bupa website footer with Privacy Policy link highlighted]

Here's how the ICO displays a Privacy Policy link alongside its newsletter signup form:

[Screenshot: ICO sign up form with Privacy Notice link highlighted]

Here's how Tesco links to its Privacy Policy during the account creation process:

[Screenshot: Tesco Create Account form with Privacy and Cookies Policy link highlighted]

And here's how the BBC Weather Android app links to a Privacy Policy in the app's "settings" menu:

[Screenshot: BBC Weather App: Settings menu with Privacy and Cookies Policy link highlighted]

Summary

Here's a summary of all the information you must include in your EU Privacy Policy:

  • The identity and contact details of the data controller, including (if applicable):
    • Contact details for your EU representative
    • Contact details for your data protection officer (DPO)
  • The categories of personal data you process
  • Your purposes for processing personal data
  • Your legal bases for processing personal data
    • If you rely on "legitimate interests," details about the legitimate interests you're pursuing
    • If you rely on "contract" or "legal obligation," information about what will happen if the data subject fails to provide personal data
  • Information about how long you will store personal data
  • Details of any recipients of personal data
  • Information about your sources of personal data
  • Information about the safeguards you rely on for any international transfers of personal data
  • Information about the GDPR's data subject rights, including:
    • An explanation of each data subject right
    • Instructions on how to exercise each right
    • If you rely on consent, instructions on how to withdraw consent
    • If you engage in certain types of automated processing, information on the rights of data subjects in this area
    • Details of the relevant data protection authority (DPA) if people wish to make a complaint

Remember to provide a link to your Privacy Policy on your homepage, your app's settings menu, and any other place you collect personal data.
