Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A GDPR Privacy Policy is a public-facing transparency document that tells individuals what personal data your organisation collects, why you collect it, what legal basis you rely on, who you share it with, how long you keep it, and what rights they have under the EU General Data Protection Regulation (Regulation 2016/679). It is not optional β Articles 13 and 14 of the GDPR require the information to be provided at the point of data collection, in plain language, free of charge. This free Word download gives you a structured, regulation-aligned starting point covering every mandatory disclosure element, which you can edit to match your actual data processing activities and publish directly to your website or app.
Operating without a GDPR-compliant privacy policy exposes your organisation to fines of up to β¬20 million or 4% of global annual turnover under Article 83, whichever is higher β and data protection authorities across the EU and UK actively investigate complaints from users who cannot find adequate privacy information. Beyond fines, the absence of a policy undermines user trust at exactly the moment users are deciding whether to share their data with you, directly affecting conversion rates and customer retention. A correctly completed policy also protects you operationally: it forces you to audit what data you actually collect, identify every processor with access to that data, and set retention periods you can defend β the same information regulators request in the first 72 hours of an investigation. This template gives you the structure to get compliant quickly, without starting from a blank page.
| If your situation is⦠| Use this template |
|---|---|
| Public-facing website collecting cookies and analytics data | Website Privacy Policy (GDPR) |
| Mobile app collecting location, device, or health data | Mobile App Privacy Policy |
| HR processing employee or job applicant personal data | Employee Privacy Notice (GDPR) |
| B2B SaaS acting as a data processor for clients | Data Processing Agreement |
| Organisation sharing data with a third country outside the EEA | International Data Transfer Agreement |
| Business needing a cookie consent and disclosure notice | Cookie Policy |
| Company documenting its internal data handling procedures | Data Protection Policy (Internal) |
Why it matters: If consent is your stated basis but you continue processing after a user withdraws it, you are in breach. Consent is also harder to obtain and maintain than legitimate interests or contract.
Fix: Map each processing activity to the most legally appropriate basis. Use consent only for email marketing and non-essential cookies where it is genuinely the right basis.
Why it matters: Stating 'we keep data as long as necessary' without specifying periods fails GDPR Article 13(2)(a) and leaves you unable to defend a deletion request or a regulator's audit.
Fix: Define a specific retention period for every data category β e.g., '7 years for financial records per [APPLICABLE TAX LAW]' β and build a corresponding data deletion schedule.
Why it matters: GDPR Article 13(2)(d) explicitly requires this disclosure. Omitting it is a straightforward compliance failure that regulators check for during routine reviews.
Fix: Add a dedicated paragraph naming the relevant supervisory authority (e.g., the ICO for UK organisations, your lead DPA for EU operations) with a link to their complaints page.
Why it matters: Their policy reflects their data practices, not yours. Claiming to collect only what they collect β or disclosing processors you don't use while omitting ones you do β creates an inaccurate and potentially misleading notice.
Fix: Start from your own data audit. Use a template as a structural guide, but every factual claim in the policy must reflect your actual processing activities.
Why it matters: Adding a new analytics platform, CRM, or marketing tool typically adds new processing activities and processors β none of which are disclosed in the original policy, leaving users uninformed.
Fix: Build a process that triggers a privacy policy review whenever a new data-processing tool is adopted. Assign this responsibility to a named owner in your compliance workflow.
Why it matters: Using retargeting or behavioural advertising cookies under a consent banner that only describes 'analytics' means consent was not validly obtained for the actual purpose β a priority enforcement area for EU data protection authorities.
Fix: Categorise each cookie by its actual function. Advertising and retargeting cookies require their own consent category, separate from analytics.
Enter the full registered legal name, address, company registration number, and the email address or contact form link for privacy enquiries. If your organisation requires a DPO under GDPR Article 37, include their name and contact details.
π‘ Check your official corporate registry filing to confirm the exact legal name β using a brand name alone creates enforcement ambiguity.
Before filling in the template, conduct a data mapping exercise to identify every touchpoint where personal data enters your systems β website forms, checkout, cookies, email sign-ups, CRM imports, and HR records. List each data category in the relevant section.
π‘ Include technical data like IP addresses and cookie identifiers β many organisations overlook these, but they are personal data under GDPR.
For each purpose listed in step 2, select the most appropriate lawful basis from the six options in Article 6. Document your reasoning in an internal record of processing activities (ROPA) β the privacy policy should state the basis, but the ROPA should contain your full justification.
π‘ Default to legitimate interests for analytics and fraud prevention, contract for service delivery, and legal obligation for tax and accounting records β reserve consent for email marketing and non-essential cookies.
List every service provider, analytics platform, payment processor, and cloud host that receives personal data. For each, state the purpose of the transfer and confirm a data processing agreement is in place.
π‘ Check your software stack against your data map β SaaS tools embedded in your workflow often process personal data without your team realising it.
Identify whether any processor or data recipient is based outside the EEA. For each non-EEA transfer, state the legal mechanism β adequacy decision (e.g., UK, Japan, Canada) or standard contractual clauses β and link to or reference the relevant decision.
π‘ US-based SaaS providers processing EU data must rely on SCCs since the invalidation of Privacy Shield in 2020 β verify each provider's transfer mechanism is current.
Define a concrete retention period for every category of data β do not use 'as long as necessary' without a qualifier. Cross-reference statutory retention obligations (tax: typically 6β7 years, employment: varies by jurisdiction) to set defensible minimums and maximums.
π‘ Build a retention schedule as a separate internal document and reference it in the privacy policy β this also satisfies Article 30 ROPA requirements.
Confirm the email address or web form users should contact to exercise rights, and state the 30-day response deadline. Include the name and website of the relevant supervisory authority β for UK organisations, the ICO; for EU organisations, your lead supervisory authority under the one-stop-shop mechanism.
π‘ Set up a dedicated privacy inbox (e.g., privacy@yourdomain.com) so rights requests are never missed in a general enquiries inbox.
Enter the current date as the 'last updated' date and add a version number (e.g., v1.0, v2.3) to the footer of the document. Update both whenever you make a material change to the policy.
π‘ Archive each previous version with its effective date β regulators sometimes request historical privacy policies when investigating complaints about practices from a prior period.
A GDPR privacy policy is a public-facing document that explains how an organisation collects, uses, stores, and shares personal data belonging to individuals in the European Economic Area. It must be provided at the point of data collection, written in plain language, and cover the lawful basis for processing, data subject rights, retention periods, and contact details for privacy enquiries. It satisfies the transparency obligations in GDPR Articles 13 and 14.
Yes β if your website, app, or service collects personal data from individuals located in the EEA, GDPR applies regardless of where your business is incorporated. This includes US, UK, Australian, and Canadian businesses that target or monitor EU residents. The determining factor is the location of the data subject, not the data controller. Failure to comply exposes non-EU businesses to the same fines as EU-based entities.
The terms are often used interchangeably, but technically a privacy notice is directed at data subjects (users, customers, employees) to inform them of their rights and your practices β it is the public-facing document. A privacy policy is an internal governance document describing how the organisation manages personal data. For most small to mid-size organisations, a single document serves both functions and is referred to as a privacy policy or privacy notice.
GDPR Article 6 sets out six lawful bases: (1) consent β the individual has given clear, specific agreement; (2) contract β processing is necessary to fulfil a contract with the individual; (3) legal obligation β processing is required by law; (4) vital interests β processing is necessary to protect someone's life; (5) public task β processing is needed to perform an official function; and (6) legitimate interests β the controller's interest is proportionate and does not override the individual's rights. Most businesses rely primarily on consent, contract, legal obligation, and legitimate interests.
Non-compliance with GDPR transparency obligations can result in fines of up to β¬10 million or 2% of global annual turnover (whichever is higher) under Article 83(4), or up to β¬20 million / 4% of turnover for more serious violations. Regulators also issue public reprimands, require corrective action, and can impose temporary bans on processing. Beyond fines, data subjects can seek compensation for material or non-material damage caused by the violation.
Review the policy whenever you make a material change to your data processing β adding a new tool, changing a processor, entering a new market, or introducing a new product feature that collects additional data. At minimum, conduct a formal annual review against your current data processing activities. Notify users of material changes at least 30 days before they take effect and update the 'last updated' date every time you publish a revision.
GDPR Article 37 requires a DPO for: public authorities and bodies; organisations whose core activities involve large-scale, systematic monitoring of data subjects; and organisations that process special category data (health, biometric, criminal records) on a large scale. Even if not mandatory, many organisations appoint a DPO or a privacy lead voluntarily. If you have one, their contact details must be included in the privacy policy.
Generic generators produce boilerplate text that rarely maps to your actual processing activities. They typically omit retention periods, use vague lawful basis language, and fail to name your specific processors. This template gives you a structured starting point that you populate with the facts from your own data audit, producing a policy that accurately reflects what you actually do β which is what GDPR requires and what regulators check.
A data processing agreement (DPA) is a contract between a data controller and a data processor governing how the processor handles personal data on the controller's behalf. A GDPR privacy policy is a public-facing transparency document directed at data subjects. Both are required under GDPR but serve entirely different purposes β the DPA is a B2B contract; the privacy policy is a user-facing disclosure.
A cookie policy is a dedicated document focused solely on the types of cookies used, their purpose, duration, and how users can manage consent. A GDPR privacy policy covers all personal data processing, of which cookies are one component. Many organisations publish both β a comprehensive privacy policy and a shorter, standalone cookie policy linked from the consent banner.
Terms and conditions set out the contractual rules governing use of a product or service β they are binding on both parties. A privacy policy discloses how personal data is processed and is not a contract. They are complementary documents: T&Cs govern the commercial relationship; the privacy policy governs data rights. Both should be linked from every website footer.
An internal data protection policy documents how the organisation's staff must handle personal data β governance procedures, breach response, access controls, and training requirements. A GDPR privacy policy is an external document for data subjects. The internal policy governs employee behaviour; the privacy policy informs users of their rights. Both are required for a complete GDPR compliance framework.
Must disclose sub-processor chains (cloud hosts, analytics, support tools), handle data processor versus controller distinctions carefully, and address standard contractual clauses for US-based infrastructure.
Payment processor disclosure, cookie consent for advertising retargeting, and 7-year retention of transaction records for tax compliance are the key requirements.
Processing health data triggers Article 9 special category rules, requiring an explicit consent basis, a data protection impact assessment, and enhanced security disclosures.
Client data processed during engagements requires disclosure of retention tied to professional indemnity and statutory limitation periods, typically 6β7 years post-engagement.
Job applicant data retention is a common compliance gap β most organisations should keep unsuccessful candidate data for no more than 6β12 months unless explicit consent for longer retention is obtained.
Consent management for email marketing, cookie categorisation for behavioural advertising, and profiling disclosures under Article 22 are the highest-risk areas for this sector.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small to mid-size businesses with standard data flows β website contact forms, email marketing, e-commerce transactions, and common SaaS tools | Free | 2β4 hours including data audit |
| Template + professional review | Organisations processing special category data, operating across multiple EU jurisdictions, or with complex processor chains | $500β$1,500 for a data protection consultant or privacy lawyer review | 3β5 business days |
| Custom drafted | Large enterprises, regulated sectors (healthcare, fintech, HR tech), or organisations subject to supervisory authority scrutiny | $2,000β$8,000+ for a full GDPR compliance engagement including ROPA and DPIAs | 2β6 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
