GDPR Privacy Policy Template

A core requirement of the  EU General Data Protection Regulation (GDPR) is to provide transparency to all involved about the personal data you collect. You provide transparency by publishing a Privacy Policy. This Privacy Policy must meet the GDPR requirements and have all required information items included. 

In this article, we will take a look at what the GDPR requires, and how you can create a Privacy Policy that aligns with how your business processes personal data.

GDPR Privacy Policy Template – drafting a GDPR Policy template for your company can be an intricate task, therefore consider using our GDPR compliance software to make it easier. In a few easy steps, get your GDPR Privacy Policy template ready to implement on your site. 

GDPR Privacy Policy Template – Follow these few easy steps: 

1. Select your industry sector

GDPR Privacy Policy Template -1

2. Confirm your business processes

GDPR Privacy Policy Template-2

3. Generate your Privacy Policies

GDPR Privacy Policy Template-3

4. Our updates keep you in the green

GDPR Policy Template-4

 

GDPR Privacy Policy Template

Our GDPR Compliance Software for the SME, will allow you to Generate a privacy policy for your site, choose an easy and economical solution.

GDPR and Privacy Policy 

If you are subject to the GDPR, you must have a Privacy Policy that is in line with the GDPR. Our GDPR Privacy Policy Template will help you comply with the requirements. 

The GDPR applies to you if you:

Are located in the EU, or Offer goods and services to individuals located in the EU, or Monitor the behaviour of individuals located in the EU.


The GDPR has some very specific requirements with respect to your privacy policy:

  • Your policy on privacy must be written in clear, simple language.
  • You must include your legal basis for processing personal information.
  • You must inform users what rights they have under GDPR.
  • You have to inform people how long you’ll keep their personal information. 
  • You also have to talk about international data transfers in detail and list safeguards.

The GDPR is an EU privacy law that stipulates businesses have to inform customers how they collect, use, store, and get rid of user data, hence the importance of your privacy policy. It also gives EU consumers privacy rights so make sure you mention those rights in your privacy policy. At the same time you should operationalise those rights to ensure that when customers want to execute those rights you can respond to those appropriately.

What is a GDPR Privacy Policy?

A GDPR Privacy Policy is document that explains how you collect and use user data in line with the requirements of the GDPR. A GDPR Privacy Policy is frequently referred to as a GDPR Privacy Statement or a GDPR Privacy Notice. Most privacy laws state that you have to have a Privacy Policy. And under the GDPR, it’s one of the most important documents your business needs to have. Moreover, when done right, it is the ideal way to show your customers and the government that you care about protecting their information. As a result, it is crucial to have the GDPR Privacy Policy template uploaded on your site. 

Why is it important to have a GDPR privacy policy?

With a Privacy Policy, your business can show customers that they can trust you with their personal information. It’s also a chance to really get a handle on how much personal information your company has and whether or not it follows the law, when it comes to protecting that information.

Personal data is big business. Companies like Facebook made a lot of money by handling people’s personal information.

The GDPR sets the rules about how personal data should be processed in the EU. It gives people rights over their personal information. Without privacy laws like the GDPR, people wouldn’t be able to control what businesses and governments do with the information they have about them.

Your company may already have a Privacy Policy because:

  • The Personal Information Protection and Electronic Documents Act of Canada (PIPEDA)
  • The Online Privacy Protection Act of California (CalOPPA)
  • The Privacy Act of Australia
  • The Data Protection Directive (GDPR’s predecessor)

The current GDPR is not the same. It has stricter rules than any of the above laws, so anything you did to follow those laws probably won’t be enough to follow the GDPR.

The GDPR tells you exactly what information you have to include in your Privacy Policy. Most of these are in Articles 13 and 14.

It’s important to remember that this document is to be public and not just for your existing customers. It should be for anyone whose personal information you might handle, this includes people who visit your website, prospects, your suppliers etc.

 

Let’s look at the things you’ll need to include in your GDPR Privacy Policy template.

Introduction

You should start your Privacy Policy with a short explanation of who your company is and what your Privacy Policy is. Put in the date that the Privacy Policy goes into effect (the “effective date”).

Definitions

To make your Privacy Policy easier for the average person to read and understand, make sure to define any terms that might be unclear or that have very specific legal meanings that might not be obvious, or widely known.

Article 12 of the GDPR says that your Privacy Policy must be written in language that is clear and easy to understand. Because of this, you should try to avoid using legal terms as much as possible.

In some cases, though, it might not be possible to avoid. So, in your GDPR Privacy Policy Template, you should have a section where you explain what key terms mean.

Principles for Processing Personal Data

Article 5 of the GDPR contains six principles, by which all personal data must be processed. They are:

  1. Lawfulness, fairness, and transparency: Follow the law, don’t use personal information in ways that people wouldn’t expect, and be open about how you protect data.
  2. Purpose limitation: You must normally only process, and use, personal data for the exact reason you collected it, and nothing in addition.
  3. Data minimization: means that you shouldn’t process more data than you have to.
  4. Accuracy: Make sure that any personal data you hold is adequate and accurate.
  5. Storage limitation: Don’t store personal data for longer than you need to.
  6. Integrity and confidentiality: Always handle personal information in a safe way.

 

Types of Personal Data You Process

In your Privacy Policy, inform your users what kinds of personal information you collect and how you use it.

The GDPR has a very broad idea of what “personal data” is. It’s likely that a lot of it is processed by your company.

Personal data includes everything from IP addresses to cookie data, so your website may process personal data from people who will never even contact your business. In your Privacy Policy, you need to be very clear about what kind of personal information you deal with and why.

Many companies divide this part of their Privacy Policies into sub-sections, such as “data that you provide us,” “data collected by our website”.

How You Process Personal Data

According to the “purpose limitation” and “data minimization” principles, you must always have a good reason to use any personal data you have. And in your Privacy Policy, you must explain why you want to process personal data.

The legal reasons why a person’s personal data can be used are:

  1. Consent: You have obtained their permission in a way that is in line with GDPR.
  2. Contract: You have a contract that says you have to handle their personal information.
  3. Legal obligation: If you didn’t process their personal data, you’d be breaking the law.
  4. Vital interests: Their life (or the life of someone else) may depend on how you handle their personal information.
  5. Public task: You have to use their personal information to do something that is in the public interest.
  6. Legitimate Interest: You have a good reason to process their personal data, and you’ve done a Legitimate Interests Assessment.

Your Privacy Policy must specify the legal grounds for processing. When you say that you have “legitimate interests,” you need to explain what those are. When you use “consent” as a legal basis, you must mention that your users have the right to change their minds and withdraw consent. 

Retention of Personal Data

The “storage limitation” principle says that you shouldn’t keep personal information for longer than you need to. In your Privacy Policy, you should explain how long you’ll keep each type of personal information you collect.

Who You Share Personal Data With

Under the GDPR, you can share personal information as long as you are transparent about it, and you have a valid legal basis to do so. Your Privacy Policy needs to state who you share personal information with, and how.

Note that the GDPR doesn’t require you to list the names of every company you share data with. Instead, you just have to list the types of companies (e.g. payment processors, couriers, etc.).

But make sure you check the Terms and Conditions of companies with whom you have a Data Processing Agreement.

International Transfers of Personal Data

If you send personal information from a country outside of the EU, you need to mention so in your Privacy Policy.

Under the GDPR, you can only send personal information outside of the EU only if you have a certain reason. In this part of your Privacy Policy, you should explain which mechanisms you use for international transfers.

Data Rights

The GDPR gives people eight rights about how their personal data is used. You are required to facilitate these rights when requested, as long as certain conditions are met. Your Privacy Policy should explain how users can use their rights.

These 8 data rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (known as “the right to be forgotten”)
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision-making

Not all of the rights will likely apply to your business, but you still need to know about them.

Your Privacy Policy needs to inform people about these rights, and give them a way to use them. This could just be an email address or a web form.

 

Changes to Your Privacy Policy

People should know that you might need to change your Privacy Policy, and they should know how you’ll let them know.

Everyone who deals with your business should be able to see and read your Privacy Policy.

A Privacy Policy isn’t a contract. You might process some data because you have a contract to do so, or because your users have given you permission to do so. But they really don’t have a choice about whether or not to agree to the Privacy Policy.

So, you might not need your customers to “agree” to your Privacy Policy the same way they might agree to your Terms and Conditions or Returns and Refunds Policy, but you should try to make sure they’ve read it. You can also ask them to prove that they did it.

 

Privacy Policy on Your Website

You should include a link to your Privacy Policy in a footer that stays on every page of your website. You can place it next to other policies, like your Terms and Conditions or Acceptable Use Policy.

Drafting your own GDPR Privacy Policy is a complex task, our GDPR Privacy Policy Template comes in handy, follow a few easy steps and get your Privacy Policy done. 

Our GDPR compliance software for SME can generate all of the documents that the GDPR regulation requires:

Your Privacy Policy that you should put on your website, Privacy Policy for your employees that should be in a separate file, a Data Sharing Agreement and a GDPR Register.