
10 Must-Have Elements of Every GDPR-Compliant Privacy Policy


Published May 29, 2019 · Updated September 15, 2022


Gone are the days when privacy policies were so vague that only lawyers could understand them. In Europe, at least, we owe it to GDPR.

One of the reasons the EU introduced GDPR was to make people more informed and put them in control of how businesses collect, use, share, secure and process their personal data.

Making privacy policies clear and comprehensive became one of the key requirements of the new law. Failure to comply with this provision can result in hefty fines or even prosecution. If you haven’t done so already, it’s high time you review the contents of your privacy policy.

In this post, we’ll explain how to prepare a privacy policy that meets GDPR requirements.

Remember: Creating a consumer-friendly privacy policy is just one part of a larger strategy toward GDPR compliance. You can browse our blog articles on GDPR to learn more about how to adapt your processes to the law’s requirements.

Best practices for a GDPR-compliant privacy policy

In GDPR, the main source of guidance regarding privacy policies is Article 12. Among other things, it tells us that communication regarding data processing must be:

  • concise
  • transparent
  • in clear and plain language
  • intelligible
  • easily accessible
  • free of charge

So, in other words, to comply with those provisions, you need to make sure that your privacy policy is:

  • written in simple language and presented in an accessible form – so that your users can easily understand it
  • comprehensive – so that it covers all aspects of your personal data processing activities, and
  • easily accessible – so it’s good to provide a link to the privacy policy both in the consent form (if you use one) and somewhere on your main page

What information to include in a GDPR-friendly privacy policy

Let’s look into what your privacy notice should include to meet the legal requirements of GDPR. We’ll also give you some real-life examples from the Piwik PRO privacy policy to make things even clearer.

Here are the crucial aspects of your data processing activities you need to add to your privacy policy:

1) Who is processing the data

The first important thing to establish is who is actually collecting and processing visitors’ data.
Article 13(1)(a) of GDPR requires that you provide your users with:

“the identity and the contact details of the controller and, where applicable, of the controller’s representative”

In practice, this means your company's name, its registered address and its contact details. We decided to address this requirement by disclosing the following data:

The data controller for (1) Marketing and Sales and (2) Piwik PRO product-related activities is: Piwik PRO group, that includes Piwik PRO SA (ul. Św. Antoniego 2/4, 50-073 Wrocław, Poland), Piwik PRO GmbH (Kurfürstendamm 21, 10719 Berlin, Germany). Learn more about the Piwik PRO group at https://piwik.pro/about/.

The data controller for (3) Recruitment is: Piwik PRO group, that includes Piwik PRO SA (ul. Św. Antoniego 2/4, 50-073 Wrocław, Poland), Piwik PRO GmbH (Kurfürstendamm 21, 10719 Berlin, Germany) and Piwik PRO LLC (222 Broadway, 19th Floor, New York, NY 10038, United States). Learn more about the Piwik PRO group at https://piwik.pro/about/.


As you can see, we had to make a distinction between the data gathered for marketing and sales purposes and the information used in recruitment processes. If your company's structure is as complex as ours, you should provide the details of each entity that has access to such data.

A good rule of thumb is also to include details for contacting your DPO (if you have appointed one). In our privacy policy, it looks like this:

If you feel something is not addressed in this Privacy Policy or have further questions, our Data Protection Officer (DPO) can be reached at gdpr@piwik.pro.

2) The legal basis for processing personal data

Article 13(1)(c) of GDPR requires that you provide information on:

“the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”

There are six different legal bases for processing personal data. Two of them are particularly important for businesses – consent and legitimate interest.

In your privacy policy, you should clearly state the chosen ground(s) for processing personal data and explain the reasoning behind each ground. Also, you should inform users about their rights to object to a certain type of processing and provide them with a way to do so – we’ll discuss this later on.

Want to learn more about the legal grounds for processing personal data? Read this: A Practical Guide to Acquiring Consent in the Age of GDPR.

As for our data processing, we decided that consent would be the best fit. Here’s how we present it to visitors:

We process personal data based on consent according to Art. 6(1)(a) GDPR, which you are free to give or refuse. You’ll see consent options when you visit our website for the first time. You can change your decisions at any time by clicking the button below. If you change your decision, it will not affect the lawfulness of processing based on consent before its withdrawal.

As for legitimate interest, to gain a better understanding of what it means and how to utilize it in your documentation, check out this helpful guide by the Information Commissioner’s Office (ICO).

3) The purposes for collecting personal data

Another requirement originating from Article 13(1)(c) of GDPR is to present the purposes for which personal data is processed.

Information about every aspect of processing should be comprehensive, detailed and easy to understand. That’s why we decided to divide our purposes into two main groups – marketing and sales, and recruitment.

We provided a general description for each of them. This is what we wrote regarding our marketing and sales activities:

We work hard to find and introduce new people to our product as well as improve the quality of our website. We want to communicate clearly and directly with everyone that visits. To do this we need data.

Then, we went into more detail. We broke each reason down into smaller ones and presented a practical application of each type of data gathered by our tools. It looks like this:

Name of the purpose              Description
-------------------------------  --------------------------------------------------------------------------------------------
Analytics                        improving site user interface, optimizing sales and marketing content
A/B testing and personalization  A/B tests, content personalization, improving site user interface, optimizing sales and marketing content
Marketing automation             sending marketing materials relevant to your interests
Retargeting                      displaying our advertisements on other websites

This way, our visitors get a thorough insight into how we use the data we gather about them. Of course, the same set of information is displayed when we first ask for consent. Right now, our consent request looks like this:

In the past, we also asked our users for permission to process data for A/B tests and marketing automation. For this reason, both purposes are still listed in our privacy policy.

4) What types of personal data you collect

Merely stating that you collect personal data is not enough – you need to go into more detail. Another important thing to include in your privacy policy is the exact types of personal data that you collect and process.

We present this information in two different ways. First, we state that:

We request processing of personal data of visitors, such as IP address, a cookie identifier and email address (but only in the case that visitors request information be sent by email). We also collect non-personal data to learn how visitors found our website, what kind of device they’re using, how long they stayed, which pages they visited, etc. This non-personal data is tied to a temporary identifier that is removed after the end of each browsing session.

Then, we provide our users with the full list of personal data collected for each purpose:

Name of the purpose              Personal data used
-------------------------------  --------------------------------------------------------------------------------------------
Analytics                        browser cookies, browsing behavior on piwik.pro, device information, IP address
A/B testing and personalization  browser cookies, browsing behavior on piwik.pro, device information, IP address
Marketing automation             browser cookies, browsing behavior on piwik.pro, IP address, other data you give us will be added to your visitor profile
Retargeting                      browser cookies, browsing behavior on piwik.pro, IP address

If that wasn’t enough, we also present our visitors with separate documents describing our tracking data scope and listing the cookies we set and the data they collect.

Not sure which types of information come under the scope of personal data? Here’s a great ebook to help you figure it out:
Free Cheat Sheet: PII, Personal Data or Both?

5) How long you’re going to store the data

Another important requirement comes from Article 12(2)(a). It obliges you to inform your visitors about:

“the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”.

This is how we wrote about it in our own privacy policy, in a section dedicated to the data collected during the recruitment process:

We collect and use personal information you have provided only for the purposes of the recruitment process. Data that we collect throughout recruitment is used only for communication with candidates, to evaluate their qualifications and to make a final hiring decision. During the recruitment process we use software from external partners such as Google Suite and Dropbox. The maximum time your data is held is 36 months.


6) Whether you transfer the data internationally

Article 13(1)(f) of the GDPR requires that you provide information about:

“[…] the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.”

So in our privacy policy, we’ve included the following note:

Piwik PRO Analytics Suite Cloud is hosted on Microsoft Azure Netherlands and Microsoft Azure Germany. The older version of the platform is hosted by Leaseweb in the US and Germany.

Piwik PRO On-Premises is hosted on the client’s infrastructure.

Also, we’ve added information about the location of servers used by each third party we share visitor data with (more on that soon).

7) Whether you use the data in automated decision-making

If you use automated decision-making (for example, in credit scoring or user profiling) to provide services or products to your users, you have to disclose this. Article 12(2)(f) of GDPR says:

“the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

As a company, we don’t use profiling or automated decision-making, so we didn’t include this entry in our privacy policy. But this is how Phaidon International addresses this requirement:

8) What third parties you share the data with

Article 13(1)(e) requires you to provide information about: “the recipients or categories of recipients of the personal data, if any”.

In order to comply with the law, we’ve created a list of the tools we use in our marketing and sales activities:

Name of the purpose              Third parties involved
-------------------------------  ----------------------------------------------------------
Analytics                        Hotjar, HubSpot, Google Ads (Conversion Pixel)
A/B testing and personalization  VWO
Marketing automation             HubSpot
Retargeting                      Facebook Ads, Google Ads, LinkedIn Ads, Twitter Ads

However, in our opinion, simply listing all the names of third parties involved in processing personal data is not enough.

That’s why our privacy policy has another section called “Our partners – tools we use for Marketing and what we use them for”. This section provides:

  • a description of each third party
  • its data retention, location and storage policies
  • the purposes of data processing and the legal basis under which we process data using the given tool

For instance, this is how we describe VWO:

VWO is a testing and optimization platform we use to create A/B tests on our websites. VWO collects aggregate data for goals, tests, surveys, and website reviews. VWO is hosted on SSAE16-certified Bare Metal Servers. All production data is stored in IBM SoftLayer data centers spread across different locations. Data is retained for 45-90 days. (Purpose of processing data: A/B testing and personalization based on consent, Legal basis: Art. 6 (1)(a) GDPR)

Then, to make things even clearer, we added the following note:

We do NOT send collected data to other sub-processors or third parties nor do we use it for our own purposes.

In this part, it’s also good to address external links posted on your website and explain what happens after visitors click on them. Here’s how we did it:

Third-Party Websites

Links from our site to external websites do not operate under this Privacy Policy. For example, if you click on a referrer website link on our site, you may be taken to a website that we do not control. These third-party websites may independently solicit and collect information from you, including personal and financial data. We recommend that you consult the privacy statements of all third-party websites you visit by clicking on the “privacy” link typically located at the bottom of the webpage you are visiting.

Remember: Under GDPR, in order to give a third party access to your users’ data, you must sign a DPA with them. Here you can read more about creating a DPA aligned with EU data privacy regulations: Data Processing Agreement: 7 Elements Every DPA Should Have.

9) What are the data subject rights

In Article 13(2)(b), we can read that a privacy policy should also include information about:

“the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.”

For the record, GDPR requires you to inform users about their eight rights, namely:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object

Along with the list of the rights, you should also provide your visitors with a way to exercise them. In the case of our own privacy policy, we’ve included widgets from our Piwik PRO GDPR Consent Manager.

One for data subject requests:

And another one for managing privacy settings:

Thanks to this, our visitors can not only get acquainted with their rights, but they can also actively exercise them without leaving our privacy page. In addition, we provide an email address to which visitors can send their subject requests:

You have a right to access your data, correct or remove it, or completely withdraw your consent for processing it at any time. Such requests should be sent to our DPO: gdpr@piwik.pro. The withdrawal of a consent does not affect the lawfulness of processing based on consent before its withdrawal.

Regarding the rights of data subjects, you also need to include information about the visitors’ right to lodge a complaint with a supervisory authority if they’re not satisfied with the contents of your privacy policy or the way you process their data.

In the case of our privacy policy, the information looks like this:

You have the right to lodge a complaint with a supervisory authority (in Poland, the President of the Data Protection Office).


10) How you’ll inform users about changes to your policy

The last thing to include is a description of the process for notifying users and visitors of changes or updates to the privacy policy. This is to let users know if the document has changed since the last time they read it.

To keep our users informed, we have included the following message in our privacy policy:

We will occasionally update this Privacy Policy. When changes to this Privacy Policy are posted, the date at the top of this Privacy Policy will be revised. We recommend checking the website from time to time to inform yourself of any changes in this Privacy Policy or any of our other policies.

As you can see, the most recent updates to our privacy policy were made in February this year.

Privacy policy and GDPR – some conclusions

Writing a comprehensive yet easily understandable privacy policy requires the right approach. You want visitors to read it and get clear information about how you process their data.

Naturally, the contents of privacy policies will vary across different organizations and industries. Besides our guidelines, you need to take into account the particular needs and requirements of your organization.

We hope that this post comes in handy and helps you understand how to draft a privacy policy that complies with the GDPR.

If you want to explore the topic of GDPR and learn how to ensure your business follows its requirements, check out these posts on our blog:

Author

Karolina Lubowicka

Senior Content Marketer and Social Media Specialist

An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all.