[{"data":1,"prerenderedAt":515},["ShallowReactive",2],{"document-gdpr-privacy-policy-D12541":3},{"document":4,"label":23,"preview":11,"thumb":24,"thumb600":25,"description":5,"descriptionCustom":6,"apiDescription":5,"pages":8,"extension":10,"parents":26,"breadcrumb":30,"related":37,"customDescModule":179,"customdescription":6,"mdFm":180,"mdProseHtml":514},{"description":5,"descriptionCustom":6,"label":7,"pages":8,"size":9,"extension":10,"preview":11,"thumb":12,"svgFrame":13,"seoMetadata":14,"parents":16,"keywords":15},"[YOUR COMPANY NAME] GDPR Privacy Policy [YOUR COMPANY] is strongly committed to protecting your privacy and complying with your choices. Both personal and non-personal information collected is safeguarded according to the highest privacy and data protection standards adopted worldwide. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this program to meet the demands of the GDPR and the [INSERT RELEVANT COUNTRY DATA PROTECTION LAW IF ANY]. Our Commitment Your information will not be shared, rented or sold to any third party. We use state-of-the-art security measures to protect your information from unauthorized users. We give you the possibility to control the information that you have shared with us (opt-out). [YOUR COMPANY] is committed to processing data in accordance with its responsibilities under the GDPR. 
Article 5 of the GDPR requires that personal data shall be: processed lawfully, fairly and in a transparent manner in relation to individuals; collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Notice We will clearly inform you when information that personally identifies you (\"personal information\") is asked for and you will have the choice to provide it or not. Generally, this information is requested when you [install/download/subscribe] to product updates, newsletters or other online services. 
Usage We use your personal information for the following purposes: To provide you information that will allow you to use our services To automatically customize your documents with your information To alert you of software upgrades, updates, discounts or other services from [YOUR COMPANY] [SPECIFY ANY OTHER RELEVANT REASON] We collect your email when you [SPECIFY] in order to send you informational communications about [SPECIFY], such as their purpose and the best use you can make of them. We also collect your email to send you our promotional offers. We may also collect your name, language, currency, operating system, document searched and country information for a better experience with [YOUR COMPANY] products/services. When you place your order with us, we collect your email in order to [SPECIFY]. We also collect your phone number in order to contact you in case these emails bounce back because of a typo in your email address and we cannot figure out what the correct email address is. We also contact the phone number that is provided if we suspect that the cardholder's credit card information has been compromised, i.e. used in a fraudulent way. We also use our clients' email in order to notify them of the release of updated versions of the software, new services or promotional offers. Consent When you provide your personal information, you consent that it can be used for the above purposes and that [YOUR COMPANY] is an authorized holder of such information. If you choose not to register or provide personal information, you can still use our website but you will not be able to receive additional services or access certain areas that require registration. When you activate your account, you are providing your consent to occasionally receive information from us. 
In each communication from us you will have the opportunity to unsubscribe from further communications; alternatively, you may contact us to express your choices at the address provided at the bottom of this page. Access to your information You are entitled to review the personal information you have provided us and ensure that it is accurate and current at all times. To review or update this information, simply go to the [SPECIFY] area or request that we send you this information. Security of information [YOUR COMPANY] is strongly committed to protecting your information and ensuring that your choices are honored. We have taken strong security measures to protect your data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. All sensitive data is stored behind multiple firewalls on secure servers with restricted employee access. We ensure that all e-commerce transactions follow current security practices and use the best available technologies. Transport Layer Security (TLS, the successor to the deprecated SSL protocol) is employed to encrypt the connection when you place online orders or transmit sensitive information. TLS is the standard method of protecting information in transit over the Internet. 
Retention of information We retain information as long as it is necessary to provide the services requested by you and others, subject to any legal obligations to further retain such information",null,"GDPR Privacy Policy","4",513,"doc","https://templates.business-in-a-box.com/imgs/1000px/gdpr-privacy-policy-D12541.png","https://templates.business-in-a-box.com/imgs/250px/12541.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#12541.xml",{"title":15,"description":6},"gdpr privacy policy",[17,20],{"label":18,"url":19},"Software & Technology","/templates/software-technology-business/",{"label":21,"url":22},"E-Commerce","/templates/ecommerce-business/","GDPR Privacy Policy Template","https://templates.business-in-a-box.com/imgs/400px/12541.png","https://templates.business-in-a-box.com/imgs/600px/12541.png",[27,17,20],{"label":28,"url":29},"Templates","/templates/",[31,32,34],{"label":28,"url":29},{"label":18,"url":33},"/templates/software-technology/",{"label":35,"url":36},"Data Governance","/templates/data-governance/",[38,42,46,50,54,58,62,66,70,74,78,82,86,102,118,133,149,165],{"label":39,"url":40,"thumb":41,"extension":10},"GDPR Security Policy","/template/gdpr-security-policy-D13445","https://templates.business-in-a-box.com/imgs/250px/13445.png",{"label":43,"url":44,"thumb":45,"extension":10},"GDPR Internal Security Policy","/template/gdpr-internal-security-policy-D13444","https://templates.business-in-a-box.com/imgs/250px/13444.png",{"label":47,"url":48,"thumb":49,"extension":10},"Data Privacy Policy","/template/data-privacy-policy-D13465","https://templates.business-in-a-box.com/imgs/250px/13465.png",{"label":51,"url":52,"thumb":53,"extension":10},"Online Privacy Policy","/template/online-privacy-policy-D13026","https://templates.business-in-a-box.com/imgs/250px/13026.png",{"label":55,"url":56,"thumb":57,"extension":10},"Website Privacy 
Policy","/template/website-privacy-policy-D839","https://templates.business-in-a-box.com/imgs/250px/839.png",{"label":59,"url":60,"thumb":61,"extension":10},"Data Protection and Privacy Policy","/template/data-protection-and-privacy-policy-D13653","https://templates.business-in-a-box.com/imgs/250px/13653.png",{"label":63,"url":64,"thumb":65,"extension":10},"Policy on Privacy and Employee Monitoring","/template/policy-on-privacy-and-employee-monitoring-D724","https://templates.business-in-a-box.com/imgs/250px/724.png",{"label":67,"url":68,"thumb":69,"extension":10},"Privacy Policy and Code Of Conduct","/template/privacy-policy-and-code-of-conduct-D14035","https://templates.business-in-a-box.com/imgs/250px/14035.png",{"label":71,"url":72,"thumb":73,"extension":10},"Multimedia Publicity - Privacy Release","/template/multimedia-publicity--privacy-release-D797","https://templates.business-in-a-box.com/imgs/250px/797.png",{"label":75,"url":76,"thumb":77,"extension":10},"AI Policy","/template/ai-policy-D13598","https://templates.business-in-a-box.com/imgs/250px/13598.png",{"label":79,"url":80,"thumb":81,"extension":10},"Application Policy","/template/application-policy-D13439","https://templates.business-in-a-box.com/imgs/250px/13439.png",{"label":83,"url":84,"thumb":85,"extension":10},"Attendance Policy","/template/attendance-policy-D12625","https://templates.business-in-a-box.com/imgs/250px/12625.png",{"description":87,"descriptionCustom":6,"label":88,"pages":89,"size":9,"extension":10,"preview":90,"thumb":91,"svgFrame":92,"seoMetadata":93,"parents":95,"keywords":100,"url":101},"Terms and Conditions Welcome to [COMPANY NAME]. Thanks for using our products and services (\"Services\"). The Services are provided by [COMPANY NAME] (\"COMPANY NAME\"), located at [ADDRESS, CITY, STATE, COUNTRY]. By using our Services, you are agreeing to these terms. 
Please read these Terms and Conditions (\"Terms\", \"Terms and Conditions\") carefully before using the http://www.[YOURWEBSITE].com website and the mobile application (the \"Service\") operated by [COMPANY NAME] (\"us\", \"we\", or \"our\"). Our Services are very diverse, so sometimes additional terms or product requirements (including age requirements) may apply. Additional terms will be available with the relevant Services, and those additional terms become part of your agreement with us if you use those Services. Terminology The following terminology applies to these Terms and Conditions, Privacy Statement and Disclaimer notice, and any or all Agreements: \"Client\", \"You\" and \"Your\" refer to you, the person accessing this website and accepting the Company's terms and conditions. \"The Company\", \"Ourselves\", \"We\" and \"Us\" refer to our Company. \"Party\", \"Parties\" or \"Us\" refers to both the Customer and ourselves, or either the Customer or ourselves. All terms refer to the offer, acceptance and consideration of payment necessary to undertake the process of our assistance to the Client in the most appropriate manner, whether through formal meetings of a fixed duration, or by any other means, with the express purpose of meeting the Client's needs in terms of providing the Company's declared services / products, in accordance with and subject to applicable US laws. Any use of the above terminology or other words in the singular, plural, or with capital letters is considered interchangeable and therefore a reference to the same. Using our Services You must follow any policies made available to you within the Services. Don't misuse our Services. For example, don't interfere with our Services or try to access them using a method other than the interface and the instructions that we provide. You may use our Services only as permitted by law, including applicable export and re-export control laws and regulations. 
We may suspend or stop providing our Services to you if you do not comply with our terms or policies or if we are investigating suspected misconduct. Using our Services does not give you ownership of any intellectual property rights in our Services or the content you access. You may not use content from our Services unless you obtain permission from its owner or are otherwise permitted by law. These terms do not grant you the right to use any branding or logos used in our Services. Don't remove, obscure, or alter any legal notices displayed in or along with our Services. In connection with your use of the Services, we may send you service announcements, administrative messages, and other information. You may opt out of some of those communications. Some of our Services are available on mobile devices. Do not use such Services in a way that distracts you and prevents you from obeying traffic or safety laws. Privacy Statement We are committed to protecting your privacy. [COMPANY NAME]'s privacy policies explain how we treat your personal data and protect your privacy when you use our Services. By using our Services, you agree that [COMPANY NAME] can use such data in accordance with our privacy policies. Only authorized employees within the company who need it in the course of their duties can access and use information collected from individual customers. We are constantly reviewing our systems and data to ensure the best possible service to our customers. Government authorities have created specific offences for unauthorized actions against computer systems and data. We will investigate such actions with a view to bringing legal action and/or civil action for damages against those responsible. Purchases If you wish to purchase any product or service made available through the Service (\"Purchase\"), you may be asked to supply certain information relevant to your Purchase including, without limitation, your [SPECIFY]. 
Subscriptions Some parts of the Service are billed on a subscription basis (\"Subscription(s)\"). You will be billed in advance on a recurring [SPECIFY] basis. Software in our Services When a Service requires or includes downloadable software, this software may update automatically on your device once a new version or feature is available. Some Services may let you adjust your automatic update settings. [COMPANY NAME] gives you a personal, worldwide, royalty-free, non-assignable and non-exclusive license to use the software provided to you by [COMPANY NAME] as part of the Services. This license is for the sole purpose of enabling you to use and enjoy the benefit of the Services as provided by [COMPANY NAME], in the manner permitted by these terms. You may not copy, modify, distribute, sell, or lease any part of our Services or included software, nor may you reverse engineer or attempt to extract the source code of that software, unless laws prohibit those restrictions or you have our written permission. Disclaimer Exclusions and Limitations The information contained on this website is provided on an \"as is\" basis. To the fullest extent permitted by law, this company: excludes all representations and warranties with respect to this website and its content or that are or may be provided by affiliates or any other third party, including with respect to any inaccuracy or omission in this website and/or the Company's documentation; and excludes any liability for damages arising out of or in connection with your use of this website. [COMPANY NAME], and [COMPANY NAME]'s suppliers and distributors, will not be responsible for lost profits, revenues, or data, financial losses or indirect, special, consequential, exemplary, punitive damages or damage caused to your computer, computer software, systems and programs and data relating thereto or any other direct or indirect, consequential or incidental damages. 
Liability for our Services To the extent permitted by law, the total liability of [COMPANY NAME], and its suppliers and distributors, for any claims under these terms, including for any implied warranties, is limited to the amount you paid us to use the Services. In all cases, [COMPANY NAME], and its suppliers and distributors, will not be liable for any loss or damage that is not reasonably foreseeable. However, this company does not exclude liability for death or personal injury caused by its negligence. The above exclusions and limitations apply only to the extent permitted by law. We recognize that in some countries, you might have legal rights as a consumer. None of your legal rights as a consumer are affected or waived by contract. Business uses of our Services If you are using our Services on behalf of a business, that business accepts these terms","Terms And Conditions","6","https://templates.business-in-a-box.com/imgs/1000px/terms-and-conditions-D12667.png","https://templates.business-in-a-box.com/imgs/250px/12667.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#12667.xml",{"title":94,"description":6},"terms and conditions",[96,99],{"label":97,"url":98},"Legal Agreements","business-legal-agreements",{"label":97,"url":98},"terms conditions","/template/terms-and-conditions-D12667",{"description":103,"descriptionCustom":6,"label":104,"pages":105,"size":106,"extension":10,"preview":107,"thumb":108,"svgFrame":109,"seoMetadata":110,"parents":111,"keywords":116,"url":117},"YOUR WEBSITE ADDRESS SERVICE AGREEMENT/TERMS OF USE ACCEPTANCE OF TERMS The services that [YOUR COMPANY NAME] provides to User are subject to the following Terms of Use (\"TOU\"). [YOUR COMPANY NAME] reserves the right to update the TOU at any time without notice to User. The most current version of the TOU can be reviewed by clicking on the \"Terms of Use\" hypertext link located at the bottom of our Web pages. 
This Agreement, which incorporates by reference other provisions applicable to use of [YOUR WEBSITE ADDRESS], including, but not limited to, supplemental terms and conditions set forth hereof (\"Supplemental Terms\") governing the use of certain specific material contained in [YOUR WEBSITE ADDRESS], sets forth the terms and conditions that apply to use of [YOUR WEBSITE ADDRESS] by User. By using [YOUR COMPANY NAME] (other than to read this Agreement for the first time), User agrees to comply with all of the terms and conditions hereof. The right to use [YOUR WEBSITE ADDRESS] is personal to User and is not transferable to any other person or entity. User is responsible for all use of User's Account (under any screen name or password) and for ensuring that all use of User's Account complies fully with the provisions of this Agreement. User shall be responsible for protecting the confidentiality of User's password(s), if any. [YOUR COMPANY NAME] shall have the right at any time to change or discontinue any aspect or feature of [YOUR WEBSITE ADDRESS], including, but not limited to, content, hours of availability, and equipment needed for access or use. Changed Terms [YOUR COMPANY NAME] shall have the right at any time to change or modify the terms and conditions applicable to User's use of [YOUR WEBSITE ADDRESS], or any part thereof, or to impose new conditions, including, but not limited to, adding fees and charges for use. Such changes, modifications, additions or deletions shall be effective immediately upon notice thereof, which may be given by means including, but not limited to, posting on [YOUR WEBSITE ADDRESS], or by electronic or conventional mail, or by any other means by which User obtains notice thereof. Any use of [YOUR WEBSITE ADDRESS] by User after such notice shall be deemed to constitute acceptance by User of such changes, modifications or additions. 
DESCRIPTION OF SERVICES Through its Web property, [YOUR COMPANY NAME] provides User with access to a variety of resources, including download areas, communication forums and product information (collectively \"Services\"). The Services, including any updates, enhancements, new features, and/or the addition of any new Web properties, are subject to the TOU. Equipment User shall be responsible for obtaining and maintaining all telephone, computer hardware, software and other equipment needed for access to and use of [YOUR WEBSITE ADDRESS] and all charges related thereto. User Conduct User shall use [YOUR WEBSITE ADDRESS] for lawful purposes only. User shall not post or transmit through [YOUR WEBSITE ADDRESS] any material which violates or infringes in any way upon the rights of others, which is unlawful, threatening, abusive, defamatory, invasive of privacy or publicity rights, vulgar, obscene, profane or otherwise objectionable, which encourages conduct that would constitute a criminal offense, give rise to civil liability or otherwise violate any law, or which, without [YOUR COMPANY NAME] 's express prior approval, contains advertising or any solicitation with respect to products or services. Any conduct by a User that in [YOUR COMPANY NAME] 's discretion restricts or inhibits any other User from using or enjoying [YOUR WEBSITE ADDRESS] will not be permitted. User shall not use [YOUR WEBSITE ADDRESS] to advertise or perform any commercial solicitation, including, but not limited to, the solicitation of users to become subscribers of other on-line information services competitive with [YOUR COMPANY NAME]. [YOUR WEBSITE ADDRESS] contains copyrighted material, trademarks and other proprietary information, including, but not limited to, text, software, photos, video, graphics, music and sound, and the entire contents of [YOUR WEBSITE ADDRESS] are copyrighted as a collective work under the [YOUR COUNTRY] copyright laws. 
[YOUR COMPANY NAME] owns a copyright in the selection, coordination, arrangement and enhancement of such content, as well as in the content original to it. User may not modify, publish, transmit, participate in the transfer or sale, create derivative works, or in any way exploit, any of the content, in whole or in part. User may download copyrighted material for User's personal use only. Except as otherwise expressly permitted under copyright law, no copying, redistribution, retransmission, publication or commercial exploitation of downloaded material will be permitted without the express permission of [YOUR COMPANY NAME] and the copyright owner. In the event of any permitted copying, redistribution or publication of copyrighted material, no changes in or deletion of author attribution, trademark legend or copyright notice shall be made. User acknowledges that it does not acquire any ownership rights by downloading copyrighted material. User shall not upload, post or otherwise make available on [YOUR WEBSITE ADDRESS] any material protected by copyright, trademark or other proprietary right without the express permission of the owner of the copyright, trademark or other proprietary right and the burden of determining that any material is not protected by copyright rests with User. User shall be solely liable for any damage resulting from any infringement of copyrights, proprietary rights, or any other harm resulting from such a submission. 
By submitting material to any public area of [YOUR WEBSITE ADDRESS], User automatically grants, or warrants that the owner of such material has expressly granted [YOUR COMPANY NAME] the royalty-free, perpetual, irrevocable, non-exclusive right and license to use, reproduce, modify, adapt, publish, translate and distribute such material (in whole or in part) worldwide and/or to incorporate it in other works in any form, media or technology now known or hereafter developed for the full term of any copyright that may exist in such material. User also permits any other User to access, view, store or reproduce the material for that User's personal use. User hereby grants [YOUR COMPANY NAME] the right to edit, copy, publish and distribute any material made available on [YOUR WEBSITE ADDRESS] by User. The foregoing provisions of Section 5 are for the benefit of [YOUR COMPANY NAME], its subsidiaries, affiliates and its third-party content providers and licensors and each shall have the right to assert and enforce such provisions directly or on its own behalf. USE OF SERVICES The Services may contain email services, bulletin board services, chat areas, news groups, forums, communities, personal web pages, calendars, photo albums, file cabinets and/or other message or communication facilities designed to enable User to communicate with others (each a \"Communication Service\" and collectively \"Communication Services\"). User agrees to use the Communication Services only to post, send and receive messages and material that are proper and, when applicable, related to the particular Communication Service. By way of example, and not as a limitation, User agrees that when using the Communication Services, User will not: Use the Communication Services in connection with surveys, contests, pyramid schemes, chain letters, junk email, spamming or any duplicative or unsolicited messages (commercial or otherwise). 
Defame, abuse, harass, stalk, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others. Publish, post, upload, distribute or disseminate any inappropriate, profane, defamatory, obscene, indecent or unlawful topic, name, material or information","Website Service Agreement Terms of Use","9",75,"https://templates.business-in-a-box.com/imgs/1000px/website-service-agreement_terms-of-use-D840.png","https://templates.business-in-a-box.com/imgs/250px/840.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#840.xml",{"title":6,"description":6},[112,114],{"label":18,"url":113},"software-technology-business",{"label":21,"url":115},"ecommerce-business","website service agreement terms use","/template/website-service-agreement-terms-of-use-D840",{"description":119,"descriptionCustom":6,"label":120,"pages":121,"size":9,"extension":10,"preview":122,"thumb":123,"svgFrame":124,"seoMetadata":125,"parents":127,"keywords":126,"url":132},"NON-DISCLOSURE AGREEMENT (NDA) This Non-Disclosure Agreement (the \"Agreement\") is made and effective [DATE], BETWEEN: [YOUR COMPANY NAME] (the \"Disclosing Party\"), a corporation organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [YOUR COMPLETE ADDRESS] AND: [RECEIVING PARTY NAME] (the \"Receiving Party\"), an individual with his main address located at OR a corporation organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [COMPLETE ADDRESS] WHEREAS, Receiving Party has been or will be engaged in the performance of work on [DESCRIBE]; and in connection therewith will be given access to certain confidential and proprietary information; and WHEREAS, Receiving Party and Disclosing Party wish to evidence by this Agreement the manner in which said confidential and proprietary material will be treated. 
NOW, THEREFORE, it is agreed as follows: NON-DISCLOSURE OF CONFIDENTIAL INFORMATION Both Parties understand and agree that each Party may have access to the confidential information of the other party. For the purposes of this Agreement, \"Confidential Information\" means proprietary and confidential information about the Disclosing Party's (or its suppliers') business or activities. Such information includes all business, financial, technical, and other information marked or designated by such Party as \"confidential\" or \"proprietary.\" Confidential Information also includes information which, by the nature of the circumstances surrounding the disclosure, ought in good faith to be treated as confidential. For the purposes of this Agreement, Confidential Information does not include: Information that is currently in the public domain or that enters the public domain after the signing of this Agreement through no fault of the Receiving Party. Information a Party lawfully receives from a third Party without restriction on disclosure and without breach of a non-disclosure obligation. Information that the Receiving Party knew prior to receiving any Confidential Information from the Disclosing Party. Information that the Receiving Party independently develops without reliance on any Confidential Information from the Disclosing Party. Each Party agrees that it will not disclose to any third Party or use any Confidential Information disclosed to it by the other Party except when expressly permitted in writing by the other Party. Each Party also agrees that it will take all reasonable measures to maintain the confidentiality of all Confidential Information of the other Party in its possession or control. TERM The term of this Agreement is [number] [years/months] from the date of execution by both Parties. TITLE The Receiving Party agrees that all Confidential Information furnished by the Disclosing Party shall remain the sole property of the Disclosing Party. 
DISCLAIMER","Non Disclosure Agreement Nda","3","https://templates.business-in-a-box.com/imgs/1000px/non-disclosure-agreement-nda-D12692.png","https://templates.business-in-a-box.com/imgs/250px/12692.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#12692.xml",{"title":126,"description":6},"non disclosure agreement nda",[128,129],{"label":97,"url":98},{"label":130,"url":131},"Confidentiality Agreements","confidentiality-agreement","/template/non-disclosure-agreement-nda-D12692",{"description":134,"descriptionCustom":6,"label":135,"pages":121,"size":9,"extension":10,"preview":136,"thumb":137,"svgFrame":138,"seoMetadata":139,"parents":141,"keywords":140,"url":148},"DATA PROCESSING AGREEMENT This Data Processing Agreement (\"Agreement\") is entered into effect as of [DATE], BETWEEN: [DATA CONTROLLER NAME], (\"Data Controller\") an individual with their main address located at OR a team leader of a group organized within the [Company/Organization] of [COMPANY/ORGANIZATION NAME], with its office located at: [COMPLETE ADDRESS] AND: [DATA PROCESSOR NAME], (\"Data Processor\") an individual with their main address located at OR a member of the team organized within the [Company/Organization] of [COMPANY/ORGANIZATION NAME], with their address located at: [COMPLETE ADDRESS] RECITALS: WHEREAS, the Data Controller is engaged in [DESCRIPTION OF BUSINESS ACTIVITY], and in connection therewith, collects and processes Personal Data; WHEREAS, the Data Controller wishes to engage the Data Processor to perform certain services which require the processing of Personal Data on behalf of the Data Controller; WHEREAS, the parties seek to ensure compliance with the relevant data protection laws and regulations in the processing of Personal Data; NOW, THEREFORE, in consideration of the mutual covenants contained herein, the parties hereto agree as follows: DEFINITIONS AND INTERPRETATION \"Personal Data\" means any information relating to an identified or 
identifiable natural person ('Data Subject') that is processed by the Data Processor on behalf of the Data Controller as a result of the services provided under this Agreement. \"Processing\" encompasses any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Definitions of \"Data Subject\", \"Controller\", \"Processor\", and \"Supervisory Authority\" shall be in accordance with the definitions provided by the relevant data protection laws and regulations. SCOPE AND PURPOSE OF DATA PROCESSING 2.1 The Data Processor agrees to process Personal Data solely for the purpose of [SPECIFY SERVICES] and strictly within the documented instructions received from the Data Controller, unless required by law to which the Data Processor is subject","Data Processing Agreement","https://templates.business-in-a-box.com/imgs/1000px/data-processing-agreement-D13954.png","https://templates.business-in-a-box.com/imgs/250px/13954.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13954.xml",{"title":140,"description":6},"data processing agreement",[142,145],{"label":143,"url":144},"Finance & Accounting","finance-accounting",{"label":146,"url":147},"Shareholders & Investors","shareholders-investors","/template/data-processing-agreement-D13954",{"description":150,"descriptionCustom":6,"label":151,"pages":121,"size":9,"extension":10,"preview":152,"thumb":153,"svgFrame":154,"seoMetadata":155,"parents":157,"keywords":156,"url":164},"INFORMATION SECURITY POLICY PURPOSE The purpose of this Information Security Policy is to establish guidelines and procedures for safeguarding [COMPANY NAME]'s sensitive information, data, and resources. 
This Policy aims to ensure the confidentiality, integrity, and availability of information assets and protect against unauthorized access, use, disclosure, and breaches. SCOPE This Policy applies to all employees, contractors, vendors, and third-party entities who access, handle, or manage [COMPANY NAME]'s information systems, networks, applications, and data. INFORMATION CLASSIFICATION Data Classification: Information assets will be classified based on their sensitivity and criticality into categories such as \"Confidential,\" \"Internal Use Only,\" and \"Public.\" Handling Procedures: Different handling procedures and security controls will apply to each classification level. ACCESS CONTROL User Authentication: Access to systems and data will require strong authentication, including multi-factor authentication (MFA) that combines a password with a second factor such as a hardware token, authenticator app, or biometric. Least Privilege: Users will be granted access privileges based on the principle of least privilege, meaning they will have access only to the information and systems necessary to perform their roles. DATA PROTECTION Encryption: Sensitive data in transit and at rest will be encrypted using strong, current encryption algorithms. Data Loss Prevention (DLP): DLP measures will be implemented to prevent the unauthorized transmission or sharing of sensitive data outside the organization. Data Retention: Data will be retained in compliance with legal and regulatory requirements. 
SECURITY AWARENESS ","Information Security Policy","https://templates.business-in-a-box.com/imgs/1000px/information-security-policy-D13552.png","https://templates.business-in-a-box.com/imgs/250px/13552.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13552.xml",{"title":156,"description":6},"information security policy",[158,161],{"label":159,"url":160},"Human Resources","human-resources",{"label":162,"url":163},"Company Policies","company-policies","/template/information-security-policy-D13552",{"description":166,"descriptionCustom":6,"label":167,"pages":8,"size":9,"extension":10,"preview":168,"thumb":169,"svgFrame":170,"seoMetadata":171,"parents":173,"keywords":172,"url":178},"COOKIE POLICY We at [WEBSITE NAME] use cookies to ensure you get the best experience when you are using our services. This Cookie Policy provides you with clear and comprehensive information about the cookies we use and the purpose for using those cookies on this Platform. Please read the following carefully to understand our policies and practices regarding the use of cookies on our Platform. By using or accessing our Platform, you agree to this Cookie Policy. This policy may change from time to time and your continued use of the Platform is deemed to be acceptance of such changes, so please check the policy periodically for updates. YOUR CONSENT You consent to placement of cookies on your browser by us and our third-party service providers. Please read this Cookie Policy carefully for details about why we use cookies and the information they collect from and about you. WITHDRAW YOUR CONSENT ANY TIME If you do not wish to accept cookies in connection with your use of the Platform, you will need to delete and block or disable cookies via your browser settings; see below for more information on how to do this. 
Please note that disabling cookies will affect the functionality of the Platform and may prevent you from being able to access certain features on the Platform. WHAT ARE COOKIES? A cookie is a small file of letters and numbers that a Platform asks your browser to store on your computer or mobile device when you visit it. Cookies contain information about your visits to that Platform and allow the Platform to \"remember\" your actions or preferences over time. Most browsers support cookies, but users can set their browsers to decline them and can delete them whenever they like. WHY DO WE USE COOKIES? Cookies are commonly used by Platforms to serve many different functions. We use cookies on our Platform to allow us to tailor our Platform to your needs and deliver a better and more personalized service. Cookies help us improve the performance of our Platform by enabling us to: Help you navigate between pages on the Platform efficiently Protect your security Remember information about your preferences and recognize you when you return to our Platform Allow us to customize our Platform according to your individual interests Measure how people are using our services in order to improve our services and browsing experience Personalize advertising and make the content more relevant for you Speed up your searches Make our Platform easier to use Generally give you a better online experience Cookies cannot run programs or read other files on your device, and the cookies we set do not store sensitive information. The cookies used on our Platform never collect anything that personally identifies you, such as your name or address, and we never sell your details to any third parties. HOW ARE COOKIES USED? The web server providing the webpage can store a cookie on the user's computer or mobile device. 
An external web server that manages files included or referenced in the webpage is also able to store cookies. All these cookies are called HTTP header cookies, because they are set through the Set-Cookie header of the server's response. Another way of storing cookies is through JavaScript code contained or referenced in that page. Each time the user requests a new page, the web server can receive the values of the cookies it previously set and return the page with content relating to these values. Similarly, JavaScript code is able to read a cookie belonging to its domain (unless the cookie was set with the HttpOnly attribute) and perform an action accordingly. We use \"analytics\" cookies, which, in conjunction with our web server's log files, allow us to calculate the aggregate number of people visiting our Platform and which parts of our Platform are most popular. This helps us gather feedback so that we can improve our Platform and better serve our users. We do not generally store any personal information that you provide to us in a cookie. We also use \"social media\" cookies to personalize your interaction with third-party social media platforms such as Twitter and Facebook, where our Platform uses such features. Such cookies recognize users of these social media sites when you view social media content on our Platform. They also allow you to quickly share content across media, through the use of simple \"sharing\" buttons. WHAT ARE DIFFERENT TYPES OF COOKIES? First-party cookies - these are our own cookies set by our Platform, controlled by us and used to provide information about the usage of our Platform. Third-party cookies - these are cookies from any other domain. We use a number of suppliers that may also set cookies on your device on our behalf when you visit our Platform to allow them to deliver the services they are providing. HOW LONG DO COOKIES STAY ON YOUR COMPUTER? Cookies that are used on a Platform may be either session cookies or persistent cookies. Session cookies are temporary cookies that remain on your device until you close your browser. 
Persistent cookies are stored on your hard drive until you delete them or they reach their expiry date. These may, for example, be used to remember your preferences when you use the Platform and recognize you on your return. WHAT COOKIES DO WE USE? Strictly Necessary cookies: Some cookies are essential for the operation of our Platform","Cookie Policy","https://templates.business-in-a-box.com/imgs/1000px/cookie-policy-D13174.png","https://templates.business-in-a-box.com/imgs/250px/13174.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13174.xml",{"title":172,"description":6},"cookie policy",[174,177],{"label":175,"url":176},"Sales & Marketing","sales-marketing",{"label":175,"url":176},"/template/cookie-policy-D13174",false,{"seo":181,"reviewer":192,"quick_facts":196,"at_a_glance":198,"personas":202,"variants":227,"glossary":253,"sections":290,"how_to_fill":341,"common_mistakes":382,"faqs":407,"industries":435,"comparisons":459,"diy_vs_pro":473,"educational_modules":486,"related_template_ids_curated":489,"schema":500,"classification":502},{"meta_title":182,"meta_description":183,"primary_keyword":184,"secondary_keywords":185},"GDPR Privacy Policy Template (Free Word)","Free GDPR privacy policy template for businesses handling EU personal data. Covers lawful basis, data subject rights, retention, and cookies. 
Free Word and PDF download.","gdpr privacy policy template",[15,186,187,188,189,190,191],"gdpr privacy notice template","gdpr compliant privacy policy","privacy policy template word","gdpr data privacy policy","privacy policy template free","website privacy policy gdpr",{"name":193,"credential":194,"reviewed_date":195},"Bruno Goulet","CEO, Business in a Box","2026-05-02",{"difficulty":197,"legal_review_recommended":179,"signature_required":179},"advanced",{"what_it_is":199,"when_you_need_it":200,"whats_inside":201},"A GDPR Privacy Policy is a public-facing document that tells individuals what personal data your organisation collects, why you collect it, how long you keep it, who you share it with, and what rights they have over it under the EU General Data Protection Regulation. This free Word download gives you a structured, regulation-aligned starting point you can edit online and publish to your website or share with users as a standalone privacy notice.\n","You need it the moment your website, app, or business collects, stores, or processes personal data from individuals in the European Economic Area — including names, email addresses, IP addresses, cookies, or payment information. 
GDPR Article 13 requires the notice at the time the data is obtained from the individual; where the data comes from another source, Article 14 requires it within a reasonable period and at the latest within one month.\n","Identity and contact details of the data controller, lawful bases for each processing activity, categories of personal data collected, data retention periods, third-party sharing and international transfers, cookie policy, data subject rights and how to exercise them, and contact details for your Data Protection Officer or privacy lead.\n",[203,207,211,215,219,223],{"title":204,"use_case":205,"icon_asset_id":206},"SaaS founders and product teams","Publishing a regulation-aligned privacy notice before EU product launch","persona-startup-founder",{"title":208,"use_case":209,"icon_asset_id":210},"E-commerce operators","Disclosing how customer data is collected, stored, and shared with payment processors","persona-retailer",{"title":212,"use_case":213,"icon_asset_id":214},"Marketing managers","Documenting lawful bases for email marketing and cookie-based advertising","persona-marketing-manager",{"title":216,"use_case":217,"icon_asset_id":218},"HR and people operations teams","Notifying job applicants and employees of how their personal data is processed","persona-hr-manager",{"title":220,"use_case":221,"icon_asset_id":222},"Small business owners","Meeting GDPR transparency obligations without an in-house legal team","persona-small-business-owner",{"title":224,"use_case":225,"icon_asset_id":226},"Compliance and data protection officers","Standardising the privacy notice across multiple websites or business units","persona-operations-director",[228,232,236,239,242,246,249],{"situation":229,"recommended_template":230,"slug":231},"Public-facing website collecting cookies and analytics data","Website Privacy Policy (GDPR)","gdpr-privacy-policy-D12541",{"situation":233,"recommended_template":234,"slug":235},"Mobile app collecting location, device, or health data","Mobile App Privacy 
Policy","data-privacy-policy-D13465",{"situation":237,"recommended_template":238,"slug":231},"HR processing employee or job applicant personal data","Employee Privacy Notice (GDPR)",{"situation":240,"recommended_template":135,"slug":241},"B2B SaaS acting as a data processor for clients","data-processing-agreement-D13954",{"situation":243,"recommended_template":244,"slug":245},"Organisation sharing data with a third country outside the EEA","International Data Transfer Agreement","international-agent-agreement-D13520",{"situation":247,"recommended_template":167,"slug":248},"Business needing a cookie consent and disclosure notice","cookie-policy-D13174",{"situation":250,"recommended_template":251,"slug":252},"Company documenting its internal data handling procedures","Data Protection Policy (Internal)","customer-data-protection-policy-D13645",[254,257,260,263,266,269,272,275,278,281,284,287],{"term":255,"definition":256},"Personal Data","Any information that relates to an identified or identifiable living individual, including names, email addresses, IP addresses, and cookie identifiers.",{"term":258,"definition":259},"Data Controller","The organisation or individual that determines the purposes and means of processing personal data — the party legally responsible for GDPR compliance.",{"term":261,"definition":262},"Data Processor","A third party that processes personal data on behalf of the controller — such as a cloud hosting provider or email marketing platform.",{"term":264,"definition":265},"Lawful Basis","One of six legal grounds under GDPR Article 6 that must exist before processing personal data — consent, contract, legal obligation, vital interests, public task, or legitimate interests.",{"term":267,"definition":268},"Data Subject","The living individual whose personal data is being collected or processed — typically a customer, user, employee, or website visitor.",{"term":270,"definition":271},"Data Subject Rights","GDPR-guaranteed entitlements including 
the right to access, rectify, erase, restrict, port, and object to the processing of one's personal data.",{"term":273,"definition":274},"Legitimate Interests","A lawful basis permitting processing when the controller's genuine interest, weighed against the interests, rights and freedoms of the data subject, is not overridden by them. It requires a documented legitimate interests assessment.",{"term":276,"definition":277},"Data Retention Period","The defined length of time personal data is kept before it is securely deleted or anonymised, which must be disclosed in the privacy notice.",{"term":279,"definition":280},"Data Protection Officer (DPO)","A designated individual responsible for overseeing GDPR compliance. Article 37 makes appointment mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special category or criminal conviction data.",{"term":282,"definition":283},"Special Category Data","Sensitive personal data requiring enhanced protection under GDPR Article 9, including health information, racial or ethnic origin, biometric data used to identify a person, and political opinions.",{"term":285,"definition":286},"International Transfer","The movement of personal data to a country outside the European Economic Area, which requires an adequacy decision, standard contractual clauses, or another approved safeguard.",{"term":288,"definition":289},"Privacy by Design","The GDPR Article 25 principle (data protection by design and by default) requiring data protection to be built into systems and processes from the outset rather than added as an afterthought.",[291,296,301,306,311,316,321,326,331,336],{"name":292,"plain_english":293,"sample_language":294,"common_mistake":295},"Identity of the data controller","States who is responsible for the personal data — full legal name, registered address, company number, and primary privacy contact or DPO details.","[COMPANY LEGAL NAME], registered in [COUNTRY] under number [REGISTRATION NUMBER], with its registered office at [ADDRESS], is the data controller for personal data collected through [WEBSITE / SERVICE]. 
Privacy enquiries: [PRIVACY EMAIL].","Using only a trading name or brand name instead of the full registered legal entity name — regulators and data subjects need the legal entity to exercise rights or lodge complaints.",{"name":297,"plain_english":298,"sample_language":299,"common_mistake":300},"What personal data we collect and how","Lists each category of personal data collected, the collection method (form, cookie, API, manual input), and whether provision is mandatory or voluntary.","We collect: (a) contact data — name, email address, phone number — provided when you complete our contact form; (b) technical data — IP address, browser type, pages visited — collected automatically via cookies; (c) transaction data — billing name and address, payment method type — collected at checkout.","Listing data categories so broadly — 'usage data' or 'personal information' — that users cannot understand what is actually collected, which fails the GDPR transparency requirement.",{"name":302,"plain_english":303,"sample_language":304,"common_mistake":305},"Lawful basis for each processing activity","Maps each processing purpose to one of the six GDPR lawful bases, with a plain-English explanation of why that basis applies.","We process your contact data to respond to your enquiry (lawful basis: contract — Article 6(1)(b)). We process your technical data for website analytics (lawful basis: legitimate interests — Article 6(1)(f); we have assessed that our interest in understanding site performance does not override your privacy interests).","Citing consent as the lawful basis for every processing activity. Consent is the hardest basis to maintain — if it is withdrawn, processing must stop. 
Legitimate interests or contract are often more appropriate and durable.",{"name":307,"plain_english":308,"sample_language":309,"common_mistake":310},"How and why we use your data (purposes)","Describes each purpose for processing in plain language — account management, service delivery, marketing, fraud prevention, legal compliance — so users understand what their data is actually used for.","We use your data to: (a) create and manage your account; (b) process and fulfil your orders; (c) send you service-related communications; (d) send you marketing emails where you have opted in; (e) comply with our legal and regulatory obligations.","Bundling all purposes into a single vague paragraph. GDPR requires each purpose to be identifiable — mixing them prevents users from exercising selective objection rights.",{"name":312,"plain_english":313,"sample_language":314,"common_mistake":315},"Third-party sharing and data processors","Identifies every category of third party that receives personal data, names key processors where practical, and explains why the sharing occurs.","We share your data with: [PAYMENT PROCESSOR] to process transactions; [EMAIL PLATFORM] to send transactional and marketing emails; [CLOUD HOSTING PROVIDER] for data storage; [ANALYTICS PROVIDER] for website analytics. All processors are bound by data processing agreements requiring GDPR-equivalent protections.","Omitting third-party processors entirely or listing only vague categories like 'service providers.' Users have a right to know who holds their data, and regulators expect specific disclosure.",{"name":317,"plain_english":318,"sample_language":319,"common_mistake":320},"International data transfers","Discloses whether personal data is transferred outside the EEA, identifies the destination country, and states the legal safeguard in place — adequacy decision, standard contractual clauses, or binding corporate rules.","Some of our service providers are based in the United States. 
Where we transfer personal data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) to ensure adequate protection.","Transferring personal data to a non-EEA country without any safeguard and failing to disclose the transfer — this is one of the most frequently fined GDPR violations.",{"name":322,"plain_english":323,"sample_language":324,"common_mistake":325},"Data retention periods","States how long each category of personal data is kept and the criteria used to determine retention — statutory requirement, contract duration, or business necessity.","Customer account data: retained for the duration of the account plus 3 years after closure. Transaction records: 7 years to meet our tax and accounting obligations. Marketing preferences: until you withdraw consent or opt out. Technical/log data: 12 months.","Stating 'we keep data only as long as necessary' without specifying any actual periods. This fails the GDPR requirement for specific retention information and prevents users from knowing when their data will be deleted.",{"name":327,"plain_english":328,"sample_language":329,"common_mistake":330},"Data subject rights and how to exercise them","Lists all eight GDPR rights, explains how a user can exercise each one, and states the response timeframe, which Article 12(3) sets at one month from receipt, extendable by two further months for complex or numerous requests.","You have the right to: access your data (Article 15); rectify inaccurate data (Article 16); erase your data in certain circumstances (Article 17); restrict processing (Article 18); data portability (Article 20); object to processing (Article 21); and not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (Article 22). Where processing is based on consent, you may withdraw it at any time (Article 7(3)). To exercise any right, contact [PRIVACY EMAIL]. 
We will respond within one month of receiving your request. You also have the right to lodge a complaint with [SUPERVISORY AUTHORITY].","Omitting the right to lodge a complaint with a supervisory authority — GDPR Article 13(2)(d) requires explicit mention of this right; naming the relevant authority and linking to its complaints page is expected practice.",{"name":332,"plain_english":333,"sample_language":334,"common_mistake":335},"Cookies and tracking technologies","Explains which cookies and tracking tools are used, categorises them (strictly necessary, functional, analytics, marketing), states their duration, and links to the cookie consent mechanism.","We use: (a) strictly necessary cookies to operate the website — session ID, security tokens — these cannot be disabled; (b) analytics cookies ([PROVIDER], 12 months) to understand how users navigate the site; (c) marketing cookies ([PROVIDER], 24 months) to serve relevant advertising. You can manage your preferences at any time via our [COOKIE SETTINGS LINK].","Describing cookies as 'analytics' when they are used for advertising retargeting — mislabelling cookie categories is a priority enforcement area for data protection authorities.",{"name":337,"plain_english":338,"sample_language":339,"common_mistake":340},"How we protect your data and policy updates","Outlines the technical and organisational security measures in place and explains how users will be notified of material changes to the privacy policy.","We implement [ENCRYPTION STANDARD] in transit and at rest, role-based access controls, and regular security testing. We will notify you of material changes to this policy by email or prominent website notice at least [X] days before the changes take effect. 
Last updated: [DATE].","Claiming specific certifications (ISO 27001, SOC 2) that the organisation does not actually hold — a regulatory investigation or data breach will expose the misrepresentation and compound liability.",[342,347,352,357,362,367,372,377],{"step":343,"title":344,"description":345,"tip":346},1,"Identify your legal entity and data controller details","Enter the full registered legal name, address, company registration number, and the email address or contact form link for privacy enquiries. If your organisation requires a DPO under GDPR Article 37, include their name and contact details.","Check your official corporate registry filing to confirm the exact legal name — using a brand name alone creates enforcement ambiguity.",{"step":348,"title":349,"description":350,"tip":351},2,"Audit and list every category of personal data you collect","Before filling in the template, conduct a data mapping exercise to identify every touchpoint where personal data enters your systems — website forms, checkout, cookies, email sign-ups, CRM imports, and HR records. List each data category in the relevant section.","Include technical data like IP addresses and cookie identifiers — many organisations overlook these, but they are personal data under GDPR.",{"step":353,"title":354,"description":355,"tip":356},3,"Assign a lawful basis to each processing activity","For each purpose listed in step 2, select the most appropriate lawful basis from the six options in Article 6. 
Document your reasoning in an internal record of processing activities (ROPA) — the privacy policy should state the basis, but the ROPA should contain your full justification.","Default to legitimate interests (backed by a documented assessment) for server-side analytics and fraud prevention, contract for service delivery, and legal obligation for tax and accounting records; reserve consent for email marketing and for non-essential cookies, which under the ePrivacy rules need consent before they are set regardless of the lawful basis for the processing that follows.",{"step":358,"title":359,"description":360,"tip":361},4,"Name your third-party processors and data-sharing arrangements","List every service provider, analytics platform, payment processor, and cloud host that receives personal data. For each, state the purpose of the transfer and confirm a data processing agreement is in place.","Check your software stack against your data map — SaaS tools embedded in your workflow often process personal data without your team realising it.",{"step":363,"title":364,"description":365,"tip":366},5,"Document international transfers and their safeguards","Identify whether any processor or data recipient is based outside the EEA. For each non-EEA transfer, state the legal mechanism — adequacy decision (e.g., UK, Japan, Canada) or standard contractual clauses — and link to or reference the relevant decision.","Since Privacy Shield was invalidated in 2020, US-based SaaS providers receive EU data either under the EU-US Data Privacy Framework (adequacy decision of July 2023, which covers only providers listed as certified) or under SCCs supplemented by a transfer impact assessment; verify each provider's current mechanism rather than assuming one.",{"step":368,"title":369,"description":370,"tip":371},6,"Set specific retention periods for each data category","Define a concrete retention period for every category of data — do not use 'as long as necessary' without a qualifier. 
Cross-reference statutory retention obligations (tax: typically 6–7 years, employment: varies by jurisdiction) to set defensible minimums and maximums.","Build a retention schedule as a separate internal document and reference it in the privacy policy; the same schedule supplies the envisaged erasure time limits that Article 30(1)(f) asks for in your ROPA.",{"step":373,"title":374,"description":375,"tip":376},7,"Describe the data subject rights process","Confirm the email address or web form users should contact to exercise rights, and state the one-month response deadline set by Article 12(3). Include the name and website of the relevant supervisory authority — for UK organisations, the ICO; for EU organisations, your lead supervisory authority under the one-stop-shop mechanism.","Set up a dedicated privacy inbox (e.g., privacy@yourdomain.com) so rights requests are never missed in a general enquiries inbox.",{"step":378,"title":379,"description":380,"tip":381},8,"Add the last-updated date and version number","Enter the current date as the 'last updated' date and add a version number (e.g., v1.0, v2.3) to the footer of the document. Update both whenever you make a material change to the policy.","Archive each previous version with its effective date — regulators sometimes request historical privacy policies when investigating complaints about practices from a prior period.",[383,387,391,395,399,403],{"mistake":384,"why_it_matters":385,"fix":386},"Citing consent as the lawful basis for everything","If consent is your stated basis but you continue processing after a user withdraws it, you are in breach. Consent is also harder to obtain and maintain than legitimate interests or contract.","Map each processing activity to the most legally appropriate basis. 
Use consent only for email marketing and non-essential cookies where it is genuinely the right basis.",{"mistake":388,"why_it_matters":389,"fix":390},"Vague or absent retention periods","Stating 'we keep data as long as necessary' without specifying periods fails GDPR Article 13(2)(a) and leaves you unable to defend a deletion request or a regulator's audit.","Define a specific retention period for every data category — e.g., '7 years for financial records per [APPLICABLE TAX LAW]' — and build a corresponding data deletion schedule.",{"mistake":392,"why_it_matters":393,"fix":394},"Omitting the right to complain to a supervisory authority","GDPR Article 13(2)(d) explicitly requires this disclosure. Omitting it is a straightforward compliance failure that regulators check for during routine reviews.","Add a dedicated paragraph naming the relevant supervisory authority (e.g., the ICO for UK organisations, your lead DPA for EU operations) with a link to their complaints page.",{"mistake":396,"why_it_matters":397,"fix":398},"Copying a competitor's privacy policy verbatim","Their policy reflects their data practices, not yours. Claiming to collect only what they collect — or disclosing processors you don't use while omitting ones you do — creates an inaccurate and potentially misleading notice.","Start from your own data audit. Use a template as a structural guide, but every factual claim in the policy must reflect your actual processing activities.",{"mistake":400,"why_it_matters":401,"fix":402},"Publishing the privacy policy without updating it after adding new tools","Adding a new analytics platform, CRM, or marketing tool typically adds new processing activities and processors — none of which are disclosed in the original policy, leaving users uninformed.","Build a process that triggers a privacy policy review whenever a new data-processing tool is adopted. 
Assign this responsibility to a named owner in your compliance workflow.",{"mistake":404,"why_it_matters":405,"fix":406},"Mislabelling advertising cookies as analytics cookies","Using retargeting or behavioural advertising cookies under a consent banner that only describes 'analytics' means consent was not validly obtained for the actual purpose — a priority enforcement area for EU data protection authorities.","Categorise each cookie by its actual function. Advertising and retargeting cookies require their own consent category, separate from analytics.",[408,411,414,417,420,423,426,429,432],{"question":409,"answer":410},"What is a GDPR privacy policy?","A GDPR privacy policy is a public-facing document that explains how an organisation collects, uses, stores, and shares personal data belonging to individuals in the European Economic Area. It must be provided at the point of data collection, written in plain language, and cover the lawful basis for processing, data subject rights, retention periods, and contact details for privacy enquiries. It satisfies the transparency obligations in GDPR Articles 13 and 14.\n",{"question":412,"answer":413},"Do I need a GDPR privacy policy if my business is outside the EU?","Yes — if your website, app, or service collects personal data from individuals located in the EEA, GDPR applies regardless of where your business is incorporated. This includes US, UK, Australian, and Canadian businesses that target or monitor EU residents. The determining factor is the location of the data subject, not the data controller. Failure to comply exposes non-EU businesses to the same fines as EU-based entities.\n",{"question":415,"answer":416},"What is the difference between a privacy policy and a privacy notice?","The terms are often used interchangeably, but technically a privacy notice is directed at data subjects (users, customers, employees) to inform them of their rights and your practices — it is the public-facing document. 
A privacy policy is an internal governance document describing how the organisation manages personal data. For most small to mid-size organisations, a single document serves both functions and is referred to as a privacy policy or privacy notice.\n",{"question":418,"answer":419},"What are the six lawful bases under GDPR?","GDPR Article 6 sets out six lawful bases: (1) consent — the individual has given freely given, specific, informed and unambiguous agreement (Article 4(11)); (2) contract — processing is necessary to fulfil a contract with the individual or to take steps at their request before entering one; (3) legal obligation — processing is required by law; (4) vital interests — processing is necessary to protect someone's life; (5) public task — processing is needed to perform an official function; and (6) legitimate interests — the controller's interest is proportionate and is not overridden by the individual's rights. Most businesses rely primarily on consent, contract, legal obligation, and legitimate interests.\n",{"question":421,"answer":422},"What happens if my privacy policy is not GDPR compliant?","Infringements of the transparency and data subject rights provisions (Articles 12 to 22), which include an inadequate privacy notice, fall in the upper fine tier under Article 83(5): up to €20 million or 4% of global annual turnover, whichever is higher. The lower tier under Article 83(4), up to €10 million or 2% of turnover, covers obligations such as security measures, records of processing and DPO appointment. Regulators also issue public reprimands, require corrective action, and can impose temporary bans on processing. Beyond fines, data subjects can seek compensation under Article 82 for material or non-material damage caused by the violation.\n",{"question":424,"answer":425},"How often should I update my GDPR privacy policy?","Review the policy whenever you make a material change to your data processing — adding a new tool, changing a processor, entering a new market, or introducing a new product feature that collects additional data. At minimum, conduct a formal annual review against your current data processing activities. 
Notify users of material changes before they take effect (30 days' notice is common practice; GDPR itself sets no fixed period) and update the 'last updated' date every time you publish a revision.\n",{"question":427,"answer":428},"Do cookies count as personal data under GDPR?","Yes. Cookie identifiers, IP addresses, and device fingerprints are considered personal data under GDPR when they can be linked to an identifiable individual — which is the case for most analytics and advertising cookies. Non-essential cookies therefore require valid consent before being set. The consent requirement itself comes from Article 5(3) of the ePrivacy Directive as implemented in national law, but 'consent' there means GDPR-standard consent: freely given, specific, informed and unambiguous, so pre-ticked boxes and continued browsing do not count. Your privacy policy must disclose which cookies are used, their purpose, duration, and the provider.\n",{"question":430,"answer":431},"When do I need a Data Protection Officer (DPO)?","GDPR Article 37 requires a DPO for: public authorities and bodies; organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale; and organisations whose core activities involve large-scale processing of special category data (health, biometric, genetic and similar) or of criminal conviction and offence data. Even if not mandatory, many organisations appoint a DPO or a privacy lead voluntarily. If you have one, their contact details must be included in the privacy policy.\n",{"question":433,"answer":434},"Can I use a free privacy policy generator instead of this template?","Generic generators produce boilerplate text that rarely maps to your actual processing activities. They typically omit retention periods, use vague lawful basis language, and fail to name your specific processors. 
This template gives you a structured starting point that you populate with the facts from your own data audit, producing a policy that accurately reflects what you actually do — which is what GDPR requires and what regulators check.\n",[436,440,444,448,452,455],{"industry":437,"icon_asset_id":438,"specifics":439},"SaaS / Technology","industry-saas","Must disclose sub-processor chains (cloud hosts, analytics, support tools), handle data processor versus controller distinctions carefully, and address the international transfer mechanism used for US-based infrastructure (the EU-US Data Privacy Framework or standard contractual clauses).",{"industry":441,"icon_asset_id":442,"specifics":443},"E-commerce / Retail","industry-ecommerce","Payment processor disclosure, cookie consent for advertising retargeting, and 7-year retention of transaction records for tax compliance are the key requirements.",{"industry":445,"icon_asset_id":446,"specifics":447},"Healthcare / MedTech","industry-healthtech","Processing health data triggers Article 9 special category rules: you need an Article 9(2) condition (explicit consent, or the provision of health care under Article 9(2)(h), for example) on top of an Article 6 lawful basis, a data protection impact assessment for large-scale processing, and enhanced security disclosures.",{"industry":449,"icon_asset_id":450,"specifics":451},"Professional Services","industry-professional-services","Client data processed during engagements requires disclosure of retention tied to professional indemnity and statutory limitation periods, typically 6–7 years post-engagement.",{"industry":453,"icon_asset_id":450,"specifics":454},"HR and Recruitment","Job applicant data retention is a common compliance gap — most organisations should keep unsuccessful candidate data for no more than 6–12 months unless explicit consent for longer retention is obtained.",{"industry":456,"icon_asset_id":457,"specifics":458},"Marketing and Advertising","industry-marketing","Consent management for email marketing, cookie categorisation for behavioural advertising, and automated decision-making and profiling disclosures under Articles 13(2)(f) and 22 are the highest-risk areas for this 
sector.",[460,463,466,470],{"vs":135,"vs_template_id":461,"summary":462},"D{DATA_PROCESSING_AGREEMENT_ID}","A data processing agreement (DPA) is a contract between a data controller and a data processor governing how the processor handles personal data on the controller's behalf. A GDPR privacy policy is a public-facing transparency document directed at data subjects. Both are required under GDPR but serve entirely different purposes — the DPA is a B2B contract; the privacy policy is a user-facing disclosure.",{"vs":167,"vs_template_id":464,"summary":465},"D{COOKIE_POLICY_ID}","A cookie policy is a dedicated document focused solely on the types of cookies used, their purpose, duration, and how users can manage consent. A GDPR privacy policy covers all personal data processing, of which cookies are one component. Many organisations publish both — a comprehensive privacy policy and a shorter, standalone cookie policy linked from the consent banner.",{"vs":467,"vs_template_id":468,"summary":469},"Terms and Conditions","D{TERMS_AND_CONDITIONS_ID}","Terms and conditions set out the contractual rules governing use of a product or service — they are binding on both parties. A privacy policy discloses how personal data is processed and is not a contract. They are complementary documents: T&Cs govern the commercial relationship; the privacy policy governs data rights. Both should be linked from every website footer.",{"vs":251,"vs_template_id":471,"summary":472},"D{DATA_PROTECTION_POLICY_ID}","An internal data protection policy documents how the organisation's staff must handle personal data — governance procedures, breach response, access controls, and training requirements. A GDPR privacy policy is an external document for data subjects. The internal policy governs employee behaviour; the privacy policy informs users of their rights. 
Both are required for a complete GDPR compliance framework.",{"use_template":474,"template_plus_review":478,"custom_drafted":482},{"best_for":475,"cost":476,"time":477},"Small to mid-size businesses with standard data flows — website contact forms, email marketing, e-commerce transactions, and common SaaS tools","Free","2–4 hours including data audit",{"best_for":479,"cost":480,"time":481},"Organisations processing special category data, operating across multiple EU jurisdictions, or with complex processor chains","$500–$1,500 for a data protection consultant or privacy lawyer review","3–5 business days",{"best_for":483,"cost":484,"time":485},"Large enterprises, regulated sectors (healthcare, fintech, HR tech), or organisations subject to supervisory authority scrutiny","$2,000–$8,000+ for a full GDPR compliance engagement including ROPA and DPIAs","2–6 weeks",[487,488],"gdpr-lawful-basis-explained","data-mapping-and-ropa-basics",[490,491,492,241,493,494,248,495,496,497,498,499],"terms-and-conditions-D12667","website-service-agreement-terms-of-use-D840","non-disclosure-agreement-nda-D12692","policy-on-privacy-and-employee-monitoring-D724","information-security-policy-D13552","acceptable-use-policy-D12622","incident-response-plan-D13714","records-management-and-retention-policy-D13761","vendor-management-policy-D12802","remote-work-agreement-D13282",{"emit_how_to":501,"emit_defined_term":501},true,{"primary_folder":503,"secondary_folder":504,"document_type":505,"industry":506,"business_stage":507,"tags":508,"confidence":513},"software-technology","data-governance","policy","general","all-stages",[509,510,505,511,512],"data-protection","compliance","gdpr","privacy-policy",0.95,"\u003Ch2>What is a GDPR Privacy Policy?\u003C/h2>\n\u003Cp>A \u003Cstrong>GDPR Privacy Policy\u003C/strong> is a public-facing transparency document that tells individuals what personal data your organisation collects, why you collect it, what legal basis you rely on, who you share it with, 
how long you keep it, and what rights they have under the EU General Data Protection Regulation (Regulation 2016/679). It is not optional — Articles 13 and 14 of the GDPR require the information to be provided at the point of data collection, in plain language, free of charge. This free Word download gives you a structured, regulation-aligned starting point covering every mandatory disclosure element, which you can edit to match your actual data processing activities and publish directly to your website or app.\u003C/p>\n\u003Ch2>Why You Need This Document\u003C/h2>\n\u003Cp>Operating without a GDPR-compliant privacy policy exposes your organisation to fines of up to €20 million or 4% of global annual turnover under Article 83(5), whichever is higher — and data protection authorities across the EU and UK actively investigate complaints from users who cannot find adequate privacy information. Beyond fines, the absence of a policy undermines user trust at exactly the moment users are deciding whether to share their data with you, directly affecting conversion rates and customer retention. A correctly completed policy also protects you operationally: it forces you to audit what data you actually collect, identify every processor with access to that data, and set retention periods you can defend — the same information a supervisory authority asks for at the start of an investigation, and the information you need at hand to meet the 72-hour breach notification deadline under Article 33. This template gives you the structure to get compliant quickly, without starting from a blank page.\u003C/p>\n",1781185937092]