Privacy Policy

A privacy policy is a document that informs data subjects about how your organisation collects, processes and protects their personal data. It is your primary tool for fulfilling the transparency obligation under the GDPR.

    What is a privacy policy?

    A privacy policy (also called a data protection notice or privacy notice) is your most important communication tool towards data subjects. It fulfils your transparency obligation under GDPR Articles 13 and 14.

    The GDPR does not specifically require a document called a "privacy policy", but you must inform data subjects about your data processing in a "concise, transparent, intelligible and easily accessible" manner. A privacy policy is the most practical way to achieve this.

    Most organisations have a general privacy policy on their website, supplemented with specific notices at collection points (forms, sign-ups, etc.).

    What must it contain?

    Based on GDPR Articles 13 and 14, your privacy policy must as a minimum cover:

    • The identity and contact details of the data controller
    • Contact details of the data protection officer (DPO), where one has been appointed
    • The purposes of the processing and the legal basis for each purpose
    • The recipients or categories of recipients of the personal data
    • Any transfers to third countries and the safeguards that apply to them
    • Retention periods, or the criteria used to determine them
    • The data subjects' rights, including the right to withdraw consent where processing is based on consent
    • The right to lodge a complaint with a supervisory authority

    How to write a good privacy policy

    GDPR Article 12 sets requirements for the form. Follow these principles:

    • Clear language: Avoid legal jargon. Write so that your target audience can understand it. Use direct address.
    • Structured: Use headings, paragraphs and bullet points. Make it easy to navigate.
    • Specific: Avoid vague wording such as "we may share your data with third parties". State who and why.
    • Accessible: The policy must be easy to find. Place links prominently in the footer, next to forms and in confirmation emails.
    • Layered notices: Combine a short summary at each collection point with a link to the full policy.

    A good privacy policy is not merely a legal document, but a trust-building communication tool. It demonstrates that you take data protection seriously.

    Maintenance and updates

    Your privacy policy must reflect your current practices. Update it when:

    • You start processing personal data for a new purpose, or stop an existing processing activity
    • The legal basis for a processing activity changes
    • You add or replace recipients, for example a new processor or a new third-country transfer
    • Retention periods, contact details or other circumstances described in the policy change

    Review the policy at least once a year as part of your GDPR maintenance. Inform data subjects of material changes, for example via email or a prominent notice on your website.

    Ensure consistency between your privacy policy and your record of processing activities. The two documents should tell the same story.

    Frequently Asked Questions about Privacy Policy

    What is a privacy policy?

    A privacy policy is a document that informs data subjects about how you collect, process and protect their personal data. It is your primary means of fulfilling the transparency obligation in GDPR Articles 13 and 14.

    Is a privacy policy legally required?

    The GDPR does not specifically require a document called a 'privacy policy', but you must fulfil the transparency obligation in Articles 13-14. In practice, a privacy policy is the most widely used way to do so. All organisations that process personal data must inform data subjects.

    What must a privacy policy contain?

    It must include the identity of the data controller, DPO contact details, the purpose and legal basis for processing, recipients, third-country transfers, retention periods, data subject rights and complaint options.

    How often should the privacy policy be updated?

    You must update it whenever your processing activities, legal bases, recipients or other circumstances described in the policy change. Review it at least annually and inform data subjects of material changes.

    Can you have more than one privacy policy?

    Yes. Many organisations have a general policy on their website supplemented with specific notices for employees, job applicants, newsletter subscribers and other groups. The key is that each data subject receives the information relevant to them.
