GDPR Privacy Policy Requirements Explained
A comprehensive guide to what your privacy policy needs under GDPR, including data subject rights and legal bases.
The General Data Protection Regulation (GDPR) is the world's most comprehensive privacy law. If you process data from EU residents, your privacy policy must meet specific requirements. Here's what you need to know.
Who Does GDPR Apply To?
GDPR applies to any organization that:
- Is based in the EU
- Offers goods or services to EU residents
- Monitors the behavior of EU residents
This means a website in the US that accepts EU visitors likely needs to comply with GDPR.
Mandatory Privacy Policy Elements
Under GDPR Articles 13 and 14, your privacy policy must include:
1. Identity and Contact Details
Name and contact information of the data controller (your organization). If you have a Data Protection Officer, include their contact details.
2. Purposes and Legal Basis
Explain why you collect data and the legal basis for each type of processing. GDPR recognizes six legal bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
3. Data Categories
List what types of personal data you collect. Be specific: names, email addresses, payment information, browsing behavior, etc.
4. Recipients
Disclose who receives the data, including third-party processors like payment gateways, email services, and analytics tools.
5. International Transfers
If data is transferred outside the EU, explain the legal mechanism used (Standard Contractual Clauses, adequacy decisions, etc.).
6. Retention Periods
State how long you keep each type of data, or the criteria used to determine retention.
7. User Rights
Inform users of their rights under GDPR:
- Right to access their data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
8. Complaint Rights
Inform users they can lodge complaints with a supervisory authority.
Plain Language Requirement
GDPR requires privacy policies to be written in "clear and plain language." Avoid legal jargon. Make it easy for average users to understand what you're doing with their data.
Consent Requirements
If consent is your legal basis, it must be:
- Freely given: No bundled consent or negative consequences for refusing
- Specific: Separate consent for different purposes
- Informed: Users must know what they're consenting to
- Unambiguous: Clear affirmative action (no pre-ticked boxes)
Penalties for Non-Compliance
GDPR violations can result in fines up to 20 million euros or 4% of global annual revenue, whichever is higher. Even smaller violations can result in significant penalties.