

Writing a GDPR-compliant privacy notice


(template included)

Download a PDF version of this template here.

Transparency and informing the public about how their data are being used are two basic goals of the GDPR. This article
explains what a privacy notice is and offers a privacy notice template to help you comply with the law.

The EU General Data Protection Regulation (GDPR) is a first step toward giving EU citizens and residents more control over
how their data are used by organizations. If your company handles the personal information of people in the EU, then you
must comply with the GDPR, no matter where you are in the world. The fines for violating people’s new privacy rights can be
up to 4 percent of your global revenue or €20 million, whichever is higher.

A GDPR privacy notice is an important way to help your customers make informed decisions about the data you collect and
use. We’ve brought together some information from the law itself and from the EU’s guidance documents to help you
understand the components of a good privacy notice. And at the bottom, we’ve included a privacy notice template that you
can adapt to your own organization.

What is a privacy notice?


A privacy notice is a public document from an organization that explains how that organization processes personal data and
how it applies data protection principles. Articles 12, 13, and 14 of the GDPR provide detailed instructions on how to create a
privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly
from someone, you have to provide them with your privacy notice at the moment you do so.

Note that the terms “privacy notice” and “privacy policy” do not actually appear in the text of the GDPR and are essentially 
interchangeable. The guidelines explained in this article apply to any public documents in which your organization describes
its data processing activities to customers and the public.

According to the GDPR, organizations must provide people with a privacy notice that is:

In a concise, transparent, intelligible, and easily accessible form
Written in clear and plain language, particularly for any information addressed specifically to a child
Delivered in a timely manner
Provided free of charge
The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in
requirements depending on whether an organization collects its data directly from an individual or receives it as a third
party.

If an organization is collecting information from an individual directly, it must include the following information in its privacy
notice:

The identity and contact details of the organization, its representative (where applicable), and its Data Protection Officer (where applicable)
The purpose for the organization to process an individual’s personal data and its legal basis
The legitimate interests of the organization (or third party, where applicable)
Any recipient or categories of recipients of an individual’s data
The details regarding any transfer of personal data to a third country and the safeguards taken
The retention period or criteria used to determine the retention period of the data
The existence of each data subject’s rights
The right to withdraw consent at any time (where relevant)
The right to lodge a complaint with a supervisory authority
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible
consequences of failing to provide the personal data
The existence of automated decision-making, including profiling, together with meaningful information about the logic
involved and the significance and envisaged consequences of that processing for the individual

If an organization obtains your data indirectly (via another organization), its privacy notice must provide all the same
information, except for:

Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible
consequences of failing to provide the personal data

And instead must add:

The categories of personal data obtained
The source the personal data come from and, if applicable, whether they came from publicly accessible sources

Per Article 14(3), if you obtain personal data from a third party, you must communicate the above information to the data
subject within a reasonable period after obtaining the data and at the latest within one month; if the data are used to
communicate with the data subject, at the latest at the time of that first communication; and if you plan to disclose the data
to another recipient, at the latest when they are first disclosed.

Generally, a privacy notice will be provided in writing and, where appropriate, supplied electronically. Every organization that
maintains a website should publish its privacy notice there, under the title “Privacy Policy,” and it should be accessible via a
direct link from every webpage. If a website collects any personal data online, the privacy notice or a link to it should be
provided on the same page where the data collection occurs. The GDPR also allows the information to be provided orally when
the data subject requests it and their identity has been verified by other means, which aids comprehension and accessibility,
for example for people with visual impairments.

GDPR privacy notice best practices


Privacy notices should avoid using qualifiers such as “may,” “might,” “some,” “often,” etc. as they are purposefully vague. The
writing should be in the active voice, and sentences and paragraphs should be well structured, using bullets to highlight
specific points of note. Avoid unnecessarily legalistic and technical terminology.

According to the Article 29 Working Party’s guidelines on transparency under the GDPR (since endorsed by the European Data
Protection Board), the phrases below are not sufficiently clear as to the purposes of processing. (We took these examples
directly from the document.)

“We may use your personal data to develop new services” (as it is unclear what the “services” are or how the data will
help develop them)
“We may use your personal data for research purposes” (as it is unclear what kind of “research” this refers to)
“We may use your personal data to offer personalised services” (as it is unclear what the “personalization” entails)
On the other hand, these kinds of phrases are much better:

“We will retain your shopping history and use details of the products you have purchased previously to make
suggestions to you for other products which we believe you will also be interested in” (it is clear what types of data
will be processed, that the data subject will be subject to targeted advertisements for products and that their data will
be used to enable this)
“We will retain and evaluate information on your recent visits to our website and how you move around different
sections of our website for analytics purposes to understand how people use our website so that we can make it more
intuitive” (it is clear what type of data will be processed and the type of analysis which the controller is going to
undertake)
“We will keep a record of the articles on our website that you have clicked on and use that information to target
advertising on this website to you that is relevant to your interests, which we have identified based on articles you have
read” (it is clear what the personalization entails and how the interests attributed to the data subject have been
identified)

GDPR privacy notice template


Here we have provided a sample privacy notice template for a website that collects personal data directly from individuals. It
contains all the necessary information in a clean, easy-to-digest format. You should modify the contents depending on
whether this is a privacy policy for your website or a privacy notice about some other data processing activity.


Sample: Our Company Privacy Policy


Our Company is part of the Our Company Group which includes Our Company International and Our Company Direct. This
privacy policy will explain how our organization uses the personal data we collect from you when you use our website.

Topics:

What data do we collect?
How do we collect your data?
How will we use your data?
How do we store your data?
Marketing
What are your data protection rights?
What are cookies?
How do we use cookies?
What types of cookies do we use?
How to manage your cookies
Privacy policies of other websites
Changes to our privacy policy
How to contact us
How to contact the appropriate authorities

What data do we collect?


Our Company collects the following data:

Personal identification information (Name, email address, phone number, etc.)
[Add any other data your company collects]

How do we collect your data?


You directly provide Our Company with most of the data we collect. We collect and process data when you:

Register online or place an order for any of our products or services.
Voluntarily complete a customer survey or provide feedback on any of our message boards or via email.
Use or view our website via your browser’s cookies.
[Add any other ways your company collects data]

Our Company may also receive your data indirectly from the following sources:

[Add any indirect source of data your company has]

How will we use your data?


Our Company collects your data so that we can:

Process your order and manage your account.
Email you with special offers on other products and services we think you might like.
[Add how else your company uses data]

If you agree, Our Company will share your data with our partner companies so that they may offer you their products and
services.

[List organizations that will receive data]

When Our Company processes your order, it may send your data to, and also use the resulting information from, credit
reference agencies to prevent fraudulent purchases.

How do we store your data?


Our Company securely stores your data at [enter the location and describe security precautions taken].

Our Company will keep your [enter type of data] for [enter time period]. Once this time period has expired, we will delete
your data by [enter how you delete users’ data].

Marketing
Our Company would like to send you information about products and services of ours that we think you might like, as well as
those of our partner companies.

[List organizations that will receive data]

If you have agreed to receive marketing, you may always opt out at a later date.

You have the right at any time to stop Our Company from contacting you for marketing purposes or giving your data to other
members of the Our Company Group.

If you no longer wish to be contacted for marketing purposes, please click here.

What are your data protection rights?
Our Company would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the
following:
The right to access – You have the right to request Our Company for copies of your personal data. We will provide the first
copy free of charge; we may charge a reasonable fee, based on our administrative costs, for further copies or for requests
that are manifestly unfounded or excessive.

The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate.
You also have the right to request Our Company to complete the information you believe is incomplete.

The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal
data, under certain conditions.

The right to object to processing – You have the right to object to Our Company’s processing of your personal data, under
certain conditions.

The right to data portability – You have the right to request that Our Company transfer the data that we have collected to
another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If your request is complex or you have made several requests,
we may extend this period by up to two further months, and we will tell you within the first month if that is the case. If you
would like to exercise any of these rights, please contact us at our email:

Call us at:

Or write to us:

What are cookies?

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information.
When you visit our websites, we may collect information from you automatically through cookies or similar technology.

For further information, visit allaboutcookies.org.

How do we use cookies?


Our Company uses cookies in a range of ways to improve your experience on our website, including:

Keeping you signed in
Understanding how you use our website
[Add any uses your company has for cookies]

What types of cookies do we use?


There are a number of different types of cookies, however, our website uses:

Functionality – Our Company uses these cookies so that we recognize you on our website and remember your
previously selected preferences. These could include what language you prefer and location you are in. A mix of first-
party and third-party cookies are used.
Advertising – Our Company uses these cookies to collect information about your visit to our website, the content you
viewed, the links you followed and information about your browser, device, and your IP address. Our Company
sometimes shares some limited aspects of this data with third parties for advertising purposes. We may also share
online data collected through cookies with our advertising partners. This means that when you visit another website,
you may be shown advertising based on your browsing patterns on our website.
[Add any other types of cookies your company uses]
 Twitter

How to manage your cookies

You can set your browser not to accept cookies, and allaboutcookies.org (linked above) explains how to remove cookies from
your browser. However, in a few cases, some of our website features may not function as a result.

Privacy policies of other websites


The Our Company website contains links to other websites. Our privacy policy applies only to our website, so if you click on a
link to another website, you should read their privacy policy.

Changes to our privacy policy


Our Company keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was
last updated on 9 January 2019.

How to contact us
If you have any questions about Our Company’s privacy policy, the data we hold on you, or you would like to exercise one of
your data protection rights, please do not hesitate to contact us.

Email us at:

Call us:

Or write to us at:

How to contact the appropriate authority


Should you wish to report a complaint or if you feel that Our Company has not addressed your concern in a satisfactory
manner, you may contact the Information Commissioner’s Office. [The Information Commissioner’s Office is the UK supervisory
authority; replace it with the supervisory authority of the EU member state where your organization is established.]

Email:

Address

Ben Wolford
Editor in Chief, GDPR EU

A journalist by training, Ben has reported and covered stories around the world. He joined ProtonMail to help lead
the fight for data privacy.
About GDPR.EU
 

GDPR.EU is a website operated by Proton Technologies AG, which is co-funded by Project REP-791727-1 of the Horizon 2020 Framework
Programme of the European Union. This is not an official EU Commission or Government resource. The europa.eu webpage concerning
GDPR can be found here. Nothing found in this portal constitutes legal advice.

© 2021 Proton Technologies AG. All Rights Reserved.