eForms Logo

GDPR Privacy Policy Template & Generator

Create a high-quality document now!

GDPR Privacy Policy Template & Generator

Updated May 28, 2024

A GDPR privacy policy complies with the European Union’s (EU) data protection law that protects users within the continent on how their personal data is collected, saved, and shared. Even if a website is located outside the European Union, if it has users from the EU, it must be compliant with GDPR.

Table of Contents

What is GDPR?

GDPR stands for General Data Protection Regulation, which is an EU law requiring websites to disclose policies regarding personal data to their users. It went into effect on May 25, 2018, affecting every website an EU user can access.

What is ‘Personal Data’?

personal data‘ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[1]

GDPR Requirements (7)

  1. Lawful Reason for Collection
  2. Consent
  3. Transparency
  4. Security
  5. Data and Processing Limitations
  6. Data Protection Impact Assessment (DPIA)
  7. Third Countries

1. Lawful Reason for Collection

To collect and process personal data, a website must disclose that it needs the information for any of the following reasons:[2]

  • (most common) For the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
  • Necessary for the performance of a contract;
  • Compliance with a legal obligation;
  • To protect the vital interests of the user or another individual; or
  • Necessary for the performance of a task to the benefit of public interest or part of official authority vested in the controller.

Any of the above statements must be included in the privacy policy.

2. Consent

An individual’s consent must be obtained prior to processing data. This common pop-up (disclaimer) window appears when accessing an EU website. It may also include links to third parties (that they share information), a cookie policy, and access to a Settings panel to set their collection preferences.

The rules for consent must follow five rules:[3]

  1. Must be able to prove that a user has consented to data collection;
  2. If consent is presented in a written form, it is presented in a “clearly distinguishable” manner and in an “intelligible and easily accessible form, using clear and plain language;”
  3. The user has the right to withdraw their consent, including instructions, at any time and must be just as easy to withdraw as to give consent (i.e., no pre-filled checkboxes);
  4. There can be no negative impact on a user for not giving consent (i.e., cannot access freely available content or services); and
  5. In addition to the website, if any third parties rely on the consent, they must be identified.

3. Transparency

At the time when a website collects personal data from a user, the following must be disclosed:

  • Right to be Informed – The website’s identity, including contact information, to a direct representative and data protection officer (if applicable). In addition, the specific purpose for collecting personal data and how it will be used.[4]
  • Right of Access – The right to obtain their personal data on record, how it is being processed, and who has shared access. This must be provided without charge and within one month of being requested.[5]
  • Right to Rectification – The right to rectify any incomplete or inaccurate data. If a user exercises this right, the website has one month to respond.[6]
  • Right to Erasure – Also known as “right to be forgotten,” obligates a website to no longer process, share, and delete personal data within one month of being requested.[7]
  • Right to Restriction of Processing – The right to restrict processing can be granted when there are inaccuracies in the user’s data, the processing is unlawful, or the use of the website is no longer needed.[8]
  • Right to Object Processing – A user can object to their data being processed upon a request, specifically for direct marketing (i.e., e-mail marketing). The website can only refuse this request if it such request “override the interests, rights and freedoms” of the user.[9]
  • Right to Data Portability – If a user has a contract with a website, then the website is obligated to carry out a transfer of their personal data, through automated means, to another service if requested.[10]
  • Right Against Automated Decision-Making – Users collectively have the right against the use of automated programs to process personal data based on profiling.[11]

4. Security

Keeping personal data secure is a fundamental part of GDPR. It defines a personal data breach as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise transmitted.”[12]

Websites must make efforts to ensure their users’ personal data has the proper safeguards to restrict outside forces from breaching. There are heavy fines if a breach occurs, such as British Airways was penalized £20 million and Meta (Facebook) was penalized €17 million for such breaches.

5. Data Storage

A website may only collect and process personal data for specific reasons and must, for transparency purposes, make such collections and processes clear in the privacy policy. This also includes limiting such data that is stored and when it is no longer needed.[13]

Records must be kept up-to-date. GDPR requires that “every reasonable step must be taken to ensure that inaccurate… are erased or rectified.”[13]

6. Data Protection Impact Assessment (DPIA)

If there is a “high risk to the rights and freedoms” of users on a website, a Data Protection Impact Assessment (DPIA) must be conducted proactively before personal data begins processing.[14]

Sample DPIA Template

Download: PDF, MS Word, OpenDocument

Source: www.ico.org.uk



The Data Protection Officer (DPO) of an organization is responsible for creating a DPIA, among other responsibilities.[15]

7. Third Countries

Sending data to non-EU countries include restrictions, per GDPR, Chapter 5, to ensure users’ data is kept under equal safeguards per GDPR. According to the European Commission, the following countries that have been approved to transfer data or part of an “adequacy decision” are as follows:

  • Andorra
  • Argentina
  • Canada (commercial organizations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • the United Kingdom under the GDPR and the LED
  • Uruguay as providing adequate protection.

The United States was annulled in July 2020 and remains under continued negotiations with the EU.

Penalties ($)

Higher-Level Tier

A maximum fine of €20 million or 4% of total revenue, whichever is greater, for violations regarding:

  • Data disclosure and processing;
  • Security of personal data;
  • Consent disclosure and documentation;
  • Transferring data to parties outside the EU; and
  • Failing to comply with an order from a GDPR monitoring agency.

Lower-Level Tier

A maximum fine of €10 million or 2% of total revenue, whichever is greater, for violations regarding:

  • Organizations contracted to control and process data;
  • Accredited bodies that conduct assessments; and
  • Monitoring bodies that handle complaints or reported infringements.

Past Fines (3)

  • In 2021, WhatsApp was fined €225 million for not disclosing properly in its privacy policy how personal data is shared between its other subsidiary Meta companies.
  • In 2021, Caixabank was fined a total of €6 million for two violations; (1) unlawfully collecting personal data and (2) not providing specific information disclosing the processing of personal data.
  • In 2021, BBVA was fined a total of €5 million for two violations; (1) Sending SMS messages without prior consent and (2) Lack of disclosure on the collection and use of personal data.

Sample Template

Sample GDPR Privacy Policy

Download: PDF, MS Word, OpenDocument

Source: www.gdpr.eu/privacy-notice/




  1. GDPR, Article 4(1) (Definitions)
  2. GDPR, Article 6 (Lawfulness of processing)
  3. GDPR, Article 7 (Conditions for consent)
  4. GDPR, Article 13, GDPR, Article 14
  5. GDPR, Article 15
  6. GDPR, Article 16
  7. GDPR, Article 17
  8. GDPR, Article 18
  9. GDPR, Article 21
  10. GDPR, Article 20
  11. GDPR, Article 22
  12. GDPR, Article 4(12)
  13. GDPR, Article 5
  14. GDPR, Article 35
  15. GDPR, Article 37