How to Write a GDPR Privacy Policy and Notice [Template + Examples]

February 21, 2024
Author

Emily Bonnie

Senior Content Marketing Manager at Secureframe

Reviewer

Cavan Leung

Senior Compliance Manager at Secureframe

Uber was recently fined €10 million by the Dutch Data Protection Authority (AP) for failing to disclose in its privacy terms and conditions how long it retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the EEA, among other GDPR infringements.

The European Union’s General Data Protection Regulation (GDPR) is all about transparency — making sure EU citizens know who is collecting their personal data and why. That’s why a privacy policy and privacy notice are such key steps in becoming compliant with GDPR.

In this article, we explain how to write an effective privacy policy that helps your team stay compliant and a privacy notice that meets GDPR requirements — plus, we’ll explain the difference between these two terms. We also share examples of privacy policies to help you write your own.

What is a GDPR privacy policy?

A privacy policy is an internal document outlining how personal data is handled and protected in order to comply with applicable laws. It helps employees understand their roles and responsibilities when it comes to handling personal data.

Do I need a GDPR privacy policy?

The GDPR does not require a formal internal privacy policy that dictates how your team handles personal data. However, the data protection law does require organizations to put safeguards in place to protect personal data.

For that reason, it’s a good idea to have a privacy policy in place to clarify for your employees exactly what their roles and responsibilities are around personal data and data privacy. An internal GDPR privacy policy establishes a written record for things like the lawful basis of processing, who your data protection officer (DPO) is and what their responsibilities are, your data processing activities, processes for data retention and transfers of personal data, and more.

A privacy policy may also be referred to as a “privacy notice.” Since neither term actually appears in the text of the GDPR, companies often use them interchangeably. Technically, however, a GDPR privacy policy refers to an internal document, while a privacy notice refers to a public document in which an organization describes its data processing activities. Let’s take a closer look at the definition of a privacy notice below.

What is a privacy notice in GDPR?

Whereas a privacy policy is an internal document created for the benefit of your employees and organization as a whole, a privacy notice is an external document that explains to users and customers how your company collects their private personal data, how you process it, who you share it with, and for what purposes. It helps your customers make informed decisions about whether to consent to data collection.

GDPR, like CCPA, requires a privacy notice that explains an organization’s privacy practices in plain language. A common practice is to have this privacy statement publicly available on your website. It must also give users the option to opt out of processing of personal data.

The table below summarizes the key differences between a GDPR privacy policy and a GDPR privacy notice.

| | Privacy Policy | Privacy Notice |
|---|---|---|
| Who is it for? | Internal document for employees | External document for customers |
| Is it required to comply with GDPR and/or CCPA? | Not required by data privacy laws, but recommended to clarify how employees should handle personal data | Required by GDPR and CCPA |
| What requirements must it follow? | No legal requirements | Must be concise, transparent, intelligible, and easily accessible |

What to include in a GDPR privacy policy

Also referred to as a Data Protection Policy, an internal privacy policy explains how the organization processes and protects personal data in a way that upholds GDPR requirements. It also explains the specific purpose for collecting this information — for example, to process customer orders, create user accounts or profiles, send marketing campaigns, or conduct surveys. 

There are no legal requirements for how you have to structure your internal privacy policy or what it needs to include. However, an effective privacy policy usually includes the following information:

  • What type of data you collect from users, whether it’s contact information, payment information, demographic data, etc. 
  • Why you collect personal data 
  • Where you store personal data, for how long, and how you dispose of it
  • Whether you share personal data with any third parties, such as service providers, advertising partners, or business affiliates
  • How you ensure the data you collect is accurate and sufficiently protected
  • How your team should respond in the event of a data breach
  • What kinds of rights data subjects have over their personal data and how your team is expected to respond to consumer requests
  • How often the privacy policy should be reviewed and updated, and by whom
  • Who within the organization is responsible for overseeing data protection 

It’s best practice to review your privacy policy at least annually and make sure it’s easily accessible to employees. Consider including it in your internal knowledge base and ensure employees are notified whenever changes are made. 

What information is included in a GDPR privacy notice?

A typical privacy notice includes a few common elements. It usually covers: 

  • What categories of personal data you’re collecting 
  • Why you’re collecting personal user data (your legal basis or lawful basis under GDPR)
  • How you’re collecting personal data, including whether you’re the data controller or data processor (or both)
  • How you will use the personal data you collect (i.e., for marketing purposes), how long it will be kept, and how you’ll dispose of it
  • How users can opt out and/or request erasure of their personal data, including a phone number or address they can use to contact you
  • What rights data subjects have, including the right to lodge a complaint with a supervisory authority
  • Whether personal data is transferred to a third country and what safeguards are taken
  • Whether an automated decision-making system is used, how it has been set up, and what its significance is

Now that you understand what information should be included in a privacy notice, let’s discuss how you should present this information.

How to meet GDPR’s transparency requirements

Article 12 of GDPR states that data controllers must provide information related to data processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”

To help you write a GDPR-compliant privacy notice, we’ll break down each of these terms below using the European Commission’s guidelines on meeting transparency obligations under GDPR.

“Concise and transparent”

This requirement means the information should be:

  • Presented precisely and in a manner that is easily understandable in order to avoid information fatigue
  • Clearly differentiated from other non-privacy related information such as general terms of use
  • Easy to navigate in an online context

For example, companies will often provide a layered privacy statement online that allows data subjects to jump to a particular section. That way, they get immediate access to the information they care about instead of having to scroll through large amounts of text.

“Intelligible”

This requirement means that information should be understood by members of the intended audience. This will vary by audience. Organizations should use what they know about their unique audience to determine what they would likely understand.

For example, if an organization’s intended audience is working professionals, then the organization can assume they have a higher level of understanding than an organization whose intended audience is children and present the information accordingly.

If an organization is unsure about its intended audience’s level of understanding and whether its information is being presented effectively, then it can use user panels, readability tests, or have discussions with industry groups, consumer advocacy groups, and regulatory bodies to find out.

“Easily accessible”

This requirement means that data subjects should not have to actively search for the information. Instead, it should be immediately clear to them where and how this information can be accessed.

A common way to implement this requirement is to make a privacy notice publicly available on your website. You can link your privacy notice in a highly visible place, like the footer of your website plus anywhere you collect personal information like names and contact information. Other ways to implement it include:

  • FAQs
  • Contextual pop-ups that activate when a data subject fills in an online form
  • Interactive digital interfaces like chatbots

“Clear and plain language”

Closely related to the intelligibility requirement, the requirement for clear and plain language means that information should be provided in as simple a manner as possible, using concrete and definitive language. Organizations should avoid:

  • Complex sentence and language structures
  • Abstract or ambivalent terms that leave room for interpretation
  • Language qualifiers such as “may”, “might”, “some”, “often” and “possible”
  • Passive form
  • Overly legalistic, technical or specialist language or terminology

GDPR Privacy Notice Template

Use this customizable privacy notice template to explain how your organization processes and protects personal data. You can post it externally on your website. You can also share it internally with employees as a privacy policy, depending on how you customize it.

Privacy Notice Template

Download this template and modify the contents based on how you use data, then put it on your website to comply with GDPR.

GDPR Privacy Notices Examples

Whenever you’re creating documentation for your business, it can be especially helpful to see examples of how other organizations have done it. Below we share a few examples of privacy notices you can use as inspiration for writing your own. 

Please note that some of the companies below refer to these documents as privacy policies. However, each is a public document that describes the organization’s data processing activities and therefore aligns with the purpose and typical elements of a privacy notice.

1. Moss Adams

Moss Adams provides a clear, comprehensive privacy notice that other organizations can use as inspiration when getting started on their own. 

It clearly explains how the firm collects, uses, and discloses personal information and what rights users have with respect to their personal information. It meets other GDPR requirements, including cookie consent requirements, by detailing the firm’s legal basis for data processing, how it uses cookies, and when it may disclose or transfer data, and by providing an email address users can contact regarding its privacy practices.

This information is broken down into sections and subsections that use headings and bulleted lists to make it easier to read.

Moss Adams Privacy policy example detailing data subject rights

2. Amazon.com

Amazon.com structures its privacy notice like an FAQ page, providing answers to commonly asked questions like “For what purposes does Amazon use your personal information?” and “What about cookies and other identifiers?” Each question listed at the top of the notice is linked so that users can jump to a specific section or scroll from the top.

Since GDPR, like CCPA, was designed to provide consumers with greater insight into and control over how businesses collect and use their personal information, Amazon dedicates a section of its privacy notice to all the choices consumers have with respect to their information. They can adjust their customer communication preferences, adjust their advertising preferences, edit their browsing history, and more. 

Amazon privacy notice example detailing choices consumers have to protect privacy

3. The Walt Disney Company

The Walt Disney Company is famous for its level of personalization — whether you’re viewing one of its websites, browsing its streaming platform, or visiting its theme parks. Disney’s ability to create such detailed user experiences is based in large part on their ability to collect relevant data and tailor your experience based on your preferences and past behaviors. 

This is all explained in plain language in Disney’s comprehensive privacy notice, which includes sections on the types of personal data they collect and who they share it with. The privacy notice also includes a specific section explaining privacy protections for children and parents’ rights. 

Disney also goes the extra mile to make its privacy notice accessible to a general audience by linking legal terms like “data controller” and “personal information” and providing a simple definition.

Walt Disney privacy policy example with popup box defining "personal information"

4. Google

Whether you just use Google search once in a while or have a whole suite of Google apps and devices in your home, Google’s privacy notice is designed to help all levels of users understand how their personal data is collected and processed. 

Privacy policies can be daunting for uninitiated readers, and it’s clear that Google put some careful thought into helping users navigate and understand its privacy notice. It includes a table of contents so that readers can easily jump between sections, and links to other key policies including Google’s Terms of Service. 

Google also includes helpful video snippets throughout their privacy notice that quickly explain key concepts like what the privacy notice is, why Google collects user data, and what rights users have over their personal data.

Google Privacy policy example with video explaining what a privacy policy is

5. Meta 

Meta’s privacy notice is similar to Google’s, with a Table of Contents for easy navigation and explanatory videos sprinkled throughout the page. Like Disney, it also includes pop-up links that answer key questions and explain core data privacy concepts in layman’s terms. 

This layout makes it easier for users to understand Meta’s overall approach to data privacy and quickly find answers to specific questions, while “Learn more” links let interested readers dive deeper into the specifics of Meta’s privacy practices.  

One thing Meta does particularly well is including specific “Take control” callouts that make it easy for users to exercise their data privacy rights.

Meta privacy notice example showing take control callout for consumers to manage their information

Get help verifying and maintaining GDPR compliance

Knowing that your policies and procedures are compliant with GDPR requirements can be tricky, especially when you’re trying to build them from scratch. 

With Secureframe, you’ll get access to a library of policy templates that have been vetted by former auditors and compliance experts. You’ll get GDPR training for employees, save time with automated evidence collection, and stay up to date with the latest GDPR requirements. Our team of experts will also notify you of any changes in regulation so you can stay compliant. 

To learn more, schedule a demo of our security and compliance automation platform. 

FAQs

What is a GDPR privacy notice?

A GDPR privacy notice is an external document that explains to users and customers how your company collects their private personal data, how you process it, who you share it with, and for what purposes. It is a common way of meeting the GDPR requirement to explain how you process data in a concise, transparent, intelligible, and easily accessible form.

What is the GDPR privacy disclosure?

GDPR requires businesses to disclose how they collect, use, store, and delete personal data of EU residents.

What is the GDPR requirement for Privacy Notice?

GDPR requires a privacy notice to be:

  • In a concise, transparent, intelligible, and easily accessible form
  • Written in clear and plain language
  • Delivered in a timely manner
  • Provided free of charge