Compliance 22 May 2026 6 min read

GDPR Privacy Policy: What You Must Include — Privacy Tech EU

A GDPR-compliant privacy policy is not optional for any organisation that processes personal data about EU residents. Articles 13 and 14 of GDPR set out exactly what information must be provided to data subjects — Article 13 covers data collected directly from individuals, Article 14 covers data obtained from other sources.

This checklist covers all mandatory and recommended elements.

Mandatory Elements Under Article 13 (Data Collected Directly)

When collecting personal data directly from individuals — via a contact form, account registration, checkout, or any other interaction — the following information must be provided at the time of collection:

1. Identity and Contact Details of the Controller

The full legal name of the organisation, its registered address, and contact details (email or postal address). If you are based outside the EU but subject to GDPR, you must also name your EU representative under Article 27.

2. Contact Details of the Data Protection Officer

If your organisation has appointed a DPO (mandatory for certain organisations, optional for others), their contact details must be included. This can be an email address dedicated to privacy queries — it does not need to be the DPO’s personal contact information.

3. Purposes of Processing and Legal Basis

For every category of personal data you collect, you must state:

  • What you use it for (the purpose)
  • Your legal basis — consent, contract, legal obligation, vital interests, public task or legitimate interests

If you rely on legitimate interests, you should describe what those interests are. If you rely on consent, remind individuals that they have the right to withdraw consent at any time.

4. Recipients or Categories of Recipients

Disclose any third parties that receive the personal data. You do not need to list every individual recipient, but you must be specific enough that individuals understand who receives their data — “advertising partners” without further detail is insufficient.

5. International Transfers

If personal data is transferred outside the EEA (European Economic Area), you must state this and describe the safeguards in place — for example, Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules.

6. Retention Periods

State how long you will keep each category of personal data, or the criteria used to determine retention periods. “We keep data for as long as necessary” does not satisfy this requirement — be specific where possible.

7. Data Subject Rights

Inform individuals of all rights they hold under GDPR:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights in relation to automated decision-making and profiling (Article 22)
  • Right to withdraw consent at any time (where processing is based on consent)

See our EU data rights guide for full explanations of each right.

8. Right to Lodge a Complaint

Individuals must be told of their right to complain to their national supervisory authority. Include the name and contact details of the relevant authority — for example, the CNIL (France), the ICO (UK), the BfDI (Germany), or the AEPD (Spain).

9. Whether Providing Data Is a Statutory or Contractual Requirement

If personal data must be provided by law or as a requirement of entering into a contract, this must be stated — along with the consequences of not providing it.

10. Automated Decision-Making and Profiling

If you use automated decision-making processes that produce legal or similarly significant effects on individuals — including profiling — you must disclose this and explain the logic involved, the significance of the processing, and the consequences.

Additional Requirements Under Article 14 (Indirect Collection)

If you obtain personal data from third parties — purchasing mailing lists, receiving data from data brokers, obtaining data from other controllers — the same information as above must be provided, with additions:

  • The categories of personal data collected (since you did not receive it directly)
  • The source from which the data originates
  • When this information must be provided: within one month of obtaining the data, or at the time of first communication with the individual, whichever is earlier

Recommended Practices

Plain language — GDPR’s requirement that privacy information be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language” is enforceable. Avoid legal jargon.

Layered approach — present a short summary with key information prominently, with links to fuller explanations. This is particularly useful for privacy notices at point of data collection (e.g. contact forms).

Version control — maintain dated versions of your privacy policy. If you make material changes, notify individuals proactively.

Accessibility — the privacy policy should be accessible in one click from every page of your website, typically in the footer. It should also be accessible without JavaScript and in a format accessible to screen readers.

Frequently Asked Questions

How long should a privacy policy be?

There is no minimum or maximum length requirement. The test is whether it contains all mandatory information in an intelligible form. Many compliant policies are 1,000-3,000 words; highly complex data processing operations naturally require more detailed policies.

Can I use a template privacy policy from the internet?

Templates can be a useful starting point but must be customised to reflect your actual data processing. A template that does not match your real practices fails GDPR's transparency requirement — and may be worse than no privacy policy, as it creates a misleading picture of your data processing.

Do I need a separate cookie policy?

A cookie policy is not legally mandated as a separate document, but because cookie consent has specific requirements under the ePrivacy Directive, many organisations maintain a dedicated page covering cookie categories, their purposes, and the consent mechanism.

What legal bases must a privacy policy disclose?

For every processing activity, the policy must state both the purpose and the GDPR Article 6(1) legal basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Where legitimate interests is the basis, the policy must briefly describe what those interests are.

Must international transfers be disclosed in a privacy policy?

Yes. Where personal data is transferred outside the EEA, the privacy policy must state this and describe the safeguards in place — for example, Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules.