Writing a GDPR-compliant privacy notice (template included)

Transparency and informing the public about how their data are being used are two basic goals of the GDPR. This article explains what a privacy notice is and offers a privacy notice template to help you comply with the law.

The EU General Data Protection Regulation (GDPR) is a first step toward giving EU citizens and residents more control over how their data are used by organizations. If your company handles the personal information of people in the EU, then you must comply with the GDPR, no matter where you are in the world. The fines for violating people’s new privacy rights can be up to 4 percent of your global revenue or €20 million, whichever is higher.

A GDPR privacy notice is an important way to help your customers make informed decisions about the data you collect and use. We’ve brought together some information from the law itself and from the EU’s guidance documents to help you understand the components of a good privacy notice. And at the bottom, we’ve included a privacy notice template that you can adapt to your own organization.

What is a privacy notice?

A privacy notice is a public document from an organization that explains how that organization processes personal data and how it applies data protection principles. Articles 12, 13, and 14 of the GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so.

Note that the terms “privacy notice” and “privacy policy” do not actually appear in the text of the GDPR and are essentially interchangeable. The guidelines explained in this article apply to any public documents in which your organization describes its data processing activities to customers and the public.

According to the GDPR, organizations must provide people with a privacy notice that is:

The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party.

If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:

If an organization obtains your data indirectly (via another organization) its privacy notice must provide all the same information, except for:

And instead must add:

Per Article 14(3), if you obtain personal data from a third party, you must communicate the above information to the data subject either: no later than one month after you have obtained the data, at the time you first communicate with the data subject, or before sharing the data with another organization.

Generally, a privacy notice will be provided in writing and, where appropriate, supplied electronically. Every organization that maintains a website should publish its privacy notice there, under the title “Privacy Policy,” and it should be accessible via a direct link from every webpage. If a website collects any personal data online, the privacy notice or a link to it should be provided on the same page where the data collection occurs. The GDPR also states that privacy notices must be available orally upon request to ensure comprehension and to aid the visually impaired.

GDPR privacy notice best practices

Privacy notices should avoid qualifiers such as “may,” “might,” “some,” “often,” etc., as they are purposefully vague. The writing should be in the active voice, and sentences and paragraphs should be well structured, using bullets to highlight specific points of note. Avoid unnecessarily legalistic and technical terminology.

According to the European Commission’s GDPR guidelines, the phrases below are not sufficiently clear as to the purposes of processing. (We took these examples directly from the document.)

GDPR privacy notice template

Here we have provided a sample privacy notice template for a website that collects personal data directly from individuals. It contains all the necessary information in a clean, easy-to-digest format. You should modify the contents depending on whether this is a privacy policy for your website or a privacy notice about some other data processing activity.

Sample: Our Company Privacy Policy

Our Company is part of the Our Company Group which includes Our Company International and Our Company Direct. This privacy policy will explain how our organization uses the personal data we collect from you when you use our website.

What data do we collect?

Our Company collects the following data:

How do we collect your data?

You directly provide Our Company with most of the data we collect. We collect and process data when you:

Our Company may also receive your data indirectly from the following sources:

How will we use your data?

Our Company collects your data so that we can:

If you agree, Our Company will share your data with our partner companies so that they may offer you their products and services.

When Our Company processes your order, it may send your data to, and also use the resulting information from, credit reference agencies to prevent fraudulent purchases.

How do we store your data?

Our Company securely stores your data at [enter the location and describe security precautions taken].

Our Company will keep your [enter type of data] for [enter time period]. Once this time period has expired, we will delete your data by [enter how you delete users’ data].

Marketing

Our Company would like to send you information about products and services of ours that we think you might like, as well as those of our partner companies.

If you have agreed to receive marketing, you may always opt out at a later date.

You have the right at any time to stop Our Company from contacting you for marketing purposes or giving your data to other members of the Our Company Group.

If you no longer wish to be contacted for marketing purposes, please click here.

What are your data protection rights?

Our Company would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request copies of your personal data from Our Company. We may charge you a small fee for this service.

The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete the information you believe is incomplete.

The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal data, under certain conditions.

The right to object to processing – You have the right to object to Our Company’s processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email:

Cookies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.

For further information, visit allaboutcookies.org.

How do we use cookies?

Our Company uses cookies in a range of ways to improve your experience on our website, including:

What types of cookies do we use?

There are a number of different types of cookies; however, our website uses:

How to manage cookies

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

Privacy policies of other websites

The Our Company website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.

Changes to our privacy policy

Our Company keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was last updated on 9 January 2019.

How to contact us

If you have any questions about Our Company’s privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Or write to us at:

How to contact the appropriate authority

Should you wish to report a complaint or if you feel that Our Company has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.