What to Include in a GDPR Privacy Policy

You know you need a Privacy Policy and you think you also need to be compliant with GDPR. So what are the requirements of a GDPR Privacy Policy?

The exact content of your website's Privacy Policy will be determined by the type of business you are running. However, all Privacy Policies require these things in order to be GDPR compliant: an outline of what personal data your company collects, why you collect that data, who the data may be shared with, where it is stored, and how it is kept protected. It must also ensure that users are made aware of all of their rights when it comes to their personal data.

What is a Privacy Policy?

A Privacy Policy is a legal document. It is an agreement between you and your user that outlines what data you collect from them, and how and why you collect their personal data. It also explains where and how the data is stored and what security measures you have in place to protect the data.

There are international privacy laws that your Privacy Policy should comply with. For further information on international laws, read our article: International privacy laws

What to Include in a GDPR compliant Privacy Policy

To understand what is required in a GDPR compliant Privacy Policy, you need to know what GDPR is. GDPR stands for the General Data Protection Regulation, which the EU put in place to protect the rights of its residents and citizens and their personal data. It is a law. For an in-depth look into the GDPR, read our article GDPR Compliance and Checklist.

Here is a list of the sections and clauses that your GDPR Privacy Policy needs to include:

  • Table of Contents
  • Data Collection
  • Personally Identifying Information
  • Non-Personally Identifying Information
  • Cookie Policy
  • Data Protection Rights (Under GDPR)
  • Data Protection Fee
  • Policy Changes
  • Contact Information
  • How to Contact Data Controller
  • How to Contact Data Protection Officer

Table of Contents

As you can see with Netflix’s Privacy Policy Table of Contents, everything is easy to understand and access.

Data Collection

A clear explanation of what kind of data will be collected from the user is a must in order to be GDPR compliant. You are also required to include how the data is collected, where the data is stored and processed, and how long the data is retained. Another aspect of data collection to include is the security measures you have implemented to protect your users' personal data.

Personally Identifying Information

Your Privacy Policy needs to explain what Personally Identifying Information (PII) is. Let your users know what types of PII your company/website collects (example: Full name, Street Address, birthdate). It is also required for you to explain:

  • how the information collected is used
  • whether the information may be disclosed to third parties, and if so, who
  • how the user can opt in or opt out of personal information collection
  • how they can update, restrict or delete their personal information
  • how they can request erasure of their personal information.

Non Personally Identifying Information

Your company/website may also collect Non Personally Identifying Information like education status, geo location or IP address. A Privacy Policy needs to contain information about what type of Non-Personally Identifying Information you collect and how you may use this information also.


Cookie Policy

Your Privacy Policy should have a section explaining cookies: what a cookie is and how it enables certain functions on your website, what types of cookies your website uses and what they are used for, and how your users can opt out of them if they wish.

Your Data Protection Rights

In alignment with the GDPR (see our article on it here), you must outline the data protection rights of your users/customers.

The rights are as follows:

  • to be informed: Your users have the right to know about how you collect and use their personal data. This is a major requirement under the GDPR to promote transparency. Users must be provided with privacy information at the time their personal data is collected.
  • of access: Your users have the right to access their data at any time. They can request this either verbally or in writing. You have a one-month period in which you must respond to the request.
  • rectification: Users of your website have the right to have any inaccuracies in their personal data changed. This can be done through a verbal or written request and you have one calendar month in which to respond.
  • to be forgotten: Under the GDPR users have the right to have their personal data erased. This right is also known as the right to erasure. Once again, users can make this request either verbally or in writing and you have a month in which to respond to the request.
  • restrict processing: Users have the right to request that you do not process their personal data. They can make this request either verbally or in writing and you need to respond within one calendar month. However, the right to have personal data restricted only applies in certain circumstances.
  • object to processing: Your users have the right to object to their personal data being used for the purpose of direct marketing. They can also request that you stop processing their personal data, and there are some circumstances in which this applies. These circumstances are if the processing is for: “a task carried out in the public interest; the exercise of official authority vested in you; or your legitimate interests (or those of a third party).”
  • data portability: this right allows your users to have access to their personal data so they can use it for their own purposes. They can move this data from one IT environment to another safely and securely.
  • to object to automated processing: Your users are able to object to the processing of their personal data that is processed without human involvement by automated means.

Data Processing Fee

You must let your users/customers know if there may be a processing fee for any of their requests involving their data. In most cases a fee won’t apply but you must inform them of the chance there may be one.

Contact details

You must put the company contact details in your privacy policy statement in order for your users to be able to contact you easily.

How to contact the data controller

Under the GDPR you must have contact details for the data controller officer (if you have one) made available in your Privacy Policy.

How to Contact data protection officer

Contact details for the data protection officer (if you have one) are to be made available in your Privacy Policy under the GDPR.


To ensure your Privacy Policy complies with the GDPR, your users need to be informed about their rights in relation to the personal data you are collecting from them. The Privacy Policy must include information on what personal data you collect, how you use it, how you collect it, why you collect it, where it is stored and how it’s kept secure.
