A GDPR-compliant privacy policy must disclose roughly a dozen specific things under Articles 12 to 14. These include your identity, what you collect, and why. They also cover your legal basis, who else gets the data, how long you keep it, and six data subject rights. Below is each requirement with its exact Article citation, plus the plain-language rules Article 12 sets for how you write it.
What Are GDPR Privacy Policy Requirements?
GDPR privacy policy requirements are the mandatory disclosures Articles 13 and 14 say a privacy notice must contain. They are written in the form Article 12 demands. The controller must name itself, state why it processes personal data, and give a legal basis for each purpose. It must also tell the data subject their rights. GDPR itself calls this document a privacy notice, not a privacy policy, though the two terms are used interchangeably in practice.
Article 13 sets the baseline for data you collect directly from the person, across its paragraphs (1) and (2). Article 14 reuses those items and adds the categories and source of the data when you obtain it some other way. Every disclosure must be concise, transparent, and in plain language under Article 12. For the broader concept, see what a privacy policy is.
Privacy Policy vs Privacy Notice: Which Term Does GDPR Use?
GDPR never uses the phrase privacy policy. The regulation requires a privacy notice instead. That is the public-facing document that satisfies the Article 13 or Article 14 disclosure duty. In practice, privacy policy and privacy notice describe the same document and are used interchangeably.
Some organizations also keep an internal "privacy policy" (an internal governance document for staff) separate from the public notice. That internal document is not what Articles 12 to 14 require. This guide covers the public-facing notice, the one your website visitors actually read.
What You Need Before You Start
Before you can disclose your processing, you need to know it yourself. Build a simple inventory first. List the data you collect, your legal basis for each purpose, who else touches the data, and how long you keep it. A generator cannot invent these facts for you.
Gather the following before drafting.
- A list of the personal data you collect (names, emails, IP addresses, payment details, cookies)
- The legal basis you rely on for each processing purpose (consent, contract, legitimate interests, and so on)
- Every processor and third party that receives the data (hosting provider, analytics tool, payment processor, email platform)
- A retention period, or the criteria you use to set one, for each data category
- Whether any data leaves the EU or UK, and to where
- Whether you use automated decision-making or profiling with legal or similarly significant effects
A cookie scanner can help you find trackers and cookies you did not know you were setting. A privacy policy generator can help you assemble the disclosures below into a formatted document. Neither tool decides your legal basis, your retention period, or who your recipients are, since those are facts about your own business.
The GDPR Privacy Policy Checklist (Mandatory Disclosures at a Glance)
Ten disclosures cover most sites; the statutory-requirement note, automated decision-making, and the Article 14 source disclosure apply only where relevant. The table below lists each one against its Article and when it applies.
| Disclosure | GDPR Article | Applies when |
|---|---|---|
| Identity and contact details of the controller | Art 13(1)(a) | Always |
| Contact details of the DPO | Art 13(1)(b) | If you have appointed a DPO |
| Purposes of processing and legal basis | Art 13(1)(c) | Always |
| Legitimate interests pursued | Art 13(1)(d) | If the legal basis is Art 6(1)(f) |
| Recipients or categories of recipients | Art 13(1)(e) | If you share data with anyone |
| Third-country transfer details and safeguards | Art 13(1)(f) | If data leaves the EU or UK |
| Retention period or the criteria to set it | Art 13(2)(a) | Always |
| The six data subject rights | Art 13(2)(b) | Always |
| Right to withdraw consent | Art 13(2)(c) | If the legal basis is consent |
| Right to complain to a supervisory authority | Art 13(2)(d) | Always |
| Whether the data is a statutory or contractual requirement | Art 13(2)(e) | If you collect data directly and it is required to enter a contract |
| Automated decision-making and profiling | Art 13(2)(f) | If you use it |
| Categories of data and its source | Art 14(1)(d), 14(2)(f) | If data was not collected from the subject |
Requirement 1: Identity and Contact Details of the Controller (and DPO)
State your organization's legal name and a real contact route, not just an email address. Article 13(1)(a) requires the identity and contact details of the controller and, where applicable, its EU representative.
Give the legal name of the entity or the natural person acting as controller, plus a real servable address, not just a PO box. If you are based outside the EU but monitor or offer services to people in it, name your EU representative and how to reach them. Where your organization has appointed a Data Protection Officer, Article 13(1)(b) requires their contact details too. Most organizations publish a role or title, such as "contact our DPO", plus an email address. That satisfies the requirement without naming a specific person.
Requirement 2: The Purposes and Legal Basis for Each Processing Activity
For every reason you process personal data, state the purpose and the legal basis behind it. Article 13(1)(c) requires both together, not just one.
GDPR recognizes six lawful bases under Article 6: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Map each processing purpose to one of these. Server logs kept for security typically rely on legitimate interests, not consent. A newsletter signup typically relies on consent. Where the basis is legitimate interests, Article 13(1)(d) requires you to state what that interest actually is, not just name the basis.
Requirement 3: The Categories of Personal Data You Collect
List the categories of personal data your site collects, not just a vague reference to your information. GDPR's definition of personal data is broad. Identity data, contact data, technical data including IP addresses and cookie identifiers, and financial data all count.
An IP address or a cookie ID is personal data under GDPR, even when it looks anonymous, because it can single out a person. Group your disclosures into categories such as identity and contact details, technical and usage data (including cookies), and financial or transaction data where relevant. A cookie scanner is the practical way to find every tracker actually running on your site before you write this section. Listing cookies in your policy is separate from the consent banner itself; the banner rules live in what GDPR requires for cookie consent.
Requirement 4: Recipients or Categories of Recipients
Name who else receives the personal data, or at minimum the categories they fall into. Article 13(1)(e) covers processors acting on your behalf and any other organization you share data with.
Typical recipients include your hosting provider, analytics platform, email service, and payment processor. You can name the organizations directly or describe categories instead. Either way, the category must be specific enough that a reader understands who is actually involved, not a generic "third parties" catch-all.
Requirement 5: International Data Transfers and Safeguards
If personal data leaves the EU or UK, disclose the transfer and the safeguard protecting it. Article 13(1)(f) requires this whenever a transfer occurs.
State whether the destination country has an adequacy decision from the European Commission. If it does not, name the safeguard in place, most commonly Standard Contractual Clauses, and tell people how to get a copy of it. Skip this section entirely if your processing never sends data outside the EU or UK.
Requirement 6: How Long You Keep the Data (Retention)
State a retention period for each category of data, or the criteria you use to set one. Article 13(2)(a) requires one or the other, always.
A specific period ("account data is kept for three years after account closure") is clearer than a criteria-based rule, but both satisfy the requirement. What does not satisfy it is silence: omitting retention entirely is one of the most common privacy policy failures.
Requirement 7: The Data Subject Rights You Must List
List all six data subject rights, even the ones that do not apply to your specific processing. Article 13(2)(b) requires disclosure of the rights themselves, not just the ones you expect people to use.
The six rights are:
- Right of access
- Right to rectification
- Right to erasure (the right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object
A common mistake is dropping the right to object because a site does not rely on legitimate interests for most processing. The disclosure duty does not depend on whether a right is likely to be exercised. You must mention the right to object even where you rely on consent elsewhere. Explain how a reader actually exercises each right, not just that it exists. See the full breakdown of the right to be forgotten for that specific right.
Requirement 8: The Right to Withdraw Consent and to Complain to a Supervisory Authority
Where you rely on consent, state that it can be withdrawn at any time, as easily as it was given. Article 13(2)(c) requires this whenever consent is a legal basis.
Separately, and always, Article 13(2)(d) requires you to disclose the right to lodge a complaint with a supervisory authority. Name the authority your visitors are most likely to complain to. A UK-based site should name the ICO; an EU site should name its national data protection authority. Both disclosures are short but frequently missing from real privacy policies.
Requirement 9: Automated Decision-Making and Profiling
Disclose automated decision-making or profiling only if you actually use it, and only where it produces legal or similarly significant effects on a person. Article 13(2)(f) sets this requirement.
Most small sites can state plainly that they do not use automated decision-making with legal or significant effects. Where you do, for example an automated credit or eligibility decision, explain the logic involved and the likely consequences in plain terms, not technical jargon.
Requirement 10: Where the Data Came From (Article 14 Only)
If you obtained personal data from somewhere other than the person themselves, disclose the categories of data and its source. This is the key difference between Article 13 and Article 14.
Article 14 applies when data comes from data brokers, list purchases, enrichment services, referrals, or public sources rather than directly from the individual. Beyond the Article 13 disclosures, Article 14 additionally requires the categories of personal data obtained and the source. State explicitly if the source was publicly accessible. You must provide this information within a reasonable period, and at the latest within one month of obtaining the data. Article 14 drops one Article 13 item: whether providing data is a statutory or contractual requirement. That question does not apply when the data was never collected from the person in the first place.
How GDPR Requires the Policy to Be Written (Article 12: Clear, Plain, and Accessible)
Article 12 governs form, not content: your privacy notice must be concise, transparent, intelligible, and easily accessible, written in clear and plain language. A technically complete but jargon-heavy or buried policy still fails GDPR. The UK regulator's guidance on what privacy information you must provide sets the same bar.
The requirement gets stricter when children are a likely audience, since plain language must be simpler still. Article 12 also requires the notice to be delivered free of charge. Where practical, it must be in writing or electronically, with an oral option available on request once identity is verified.
In practice, this means the following.
- The policy link is in the footer, not buried three clicks deep
- The language avoids dense legal jargon a general reader cannot follow
- The policy is provided at the time data is collected, not only on request
- Nothing about accessing the policy costs the reader money
A privacy notice that a real visitor cannot find, or cannot read in a reasonable amount of time, fails Article 12. This holds even if every disclosure listed above is technically present somewhere in the text.
Common GDPR Privacy Policy Mistakes to Avoid
The single most damaging mistake is copying another site's privacy policy. It discloses someone else's processing, not yours, which makes the resulting document both inaccurate and a legal liability rather than a protection.
Five more mistakes show up repeatedly in real privacy policies.
- Omitting rights you assume do not apply: a site that only relies on consent still has to disclose the right to object, because Article 13(2)(b) requires listing the rights, not just the ones a reader is likely to use. Fix: list all six rights every time.
- Stating no legal basis, or a vague claim about valuing privacy: this fails Article 13(1)(c) outright. Fix: map a specific legal basis to every processing purpose.
- No retention period anywhere in the document: this fails Article 13(2)(a). Fix: give a period, or the criteria used to set one, per data category.
- Burying the policy link or writing it in dense jargon: this fails Article 12's accessibility and plain-language requirements, and it is a real, recurring complaint from people trying to read privacy notices online. Fix: link it in the footer and write it in plain language.
- Never updating the policy when processing changes: a policy that describes tools you stopped using two years ago no longer describes your actual processing. Fix: review the policy every time you add a new tool, vendor, or purpose.
How Consently Helps You Build a GDPR Privacy Policy
Once you have gathered the facts above, Consently's privacy policy generator turns them into a formatted, publishable document. It works through a guided workflow, not a blank page.
Answer the guided questions with the disclosures you worked out in the sections above. The generator assembles a structured privacy policy you can edit in a rich-text editor. It embeds directly on your site and outputs in 10 or more languages. When your processing changes, a new vendor, a new purpose, or a new region, you can regenerate the policy. That beats rewriting it from scratch.
The generator structures and maintains the document once you supply your own legal bases, recipients, and retention periods. It is assistance, not legal certification, and it does not replace a lawyer for complex processing. Prefer to start from a fill-in document? A GDPR privacy policy template covers the same ground. For the full build process, see how to create a privacy policy.
FAQs
Is a privacy policy legally required under GDPR?
Yes. Any organization processing personal data of people in the EU or UK must provide the Article 13 or Article 14 disclosures. A public-facing privacy policy is the standard way to meet that duty.
What is the difference between a GDPR privacy policy and a privacy notice?
None in practice. GDPR's own text uses "privacy notice"; "privacy policy" describes the same public-facing document and the two terms are used interchangeably.
Does GDPR apply to my US or non-EU website?
Yes, if you offer goods or services to people in the EU or UK, or monitor their behavior, regardless of where your business is based. This extraterritorial reach is set out in Article 3.
Can I copy another website's GDPR privacy policy?
No. A copied policy discloses someone else's processing activities, not yours. That makes it both inaccurate and a liability rather than a protection if a regulator or a visitor relies on it.
Do I have to list every data subject right even if it does not apply to me?
Yes. Article 13(2)(b) requires disclosing the rights themselves, not only the ones you expect visitors to use. Omitting the right to object because you rely mostly on consent is a common, avoidable mistake.
Where should I put my privacy policy on my website?
In the footer, linked from every page, and specifically at any point where you collect personal data. Article 12 requires the policy to be easily accessible, and a buried or broken link fails that standard even if the content itself is complete.
What are the penalties for not having a GDPR-compliant privacy policy?
Transparency failures fall under Articles 12 to 22, which sit in GDPR's higher fine tier. That tier runs up to 20 million euros or 4 percent of global annual turnover, whichever is higher. Regulators also weigh whether a valid privacy notice existed when deciding how to enforce other violations.
How often do I need to update my GDPR privacy policy?
Update it whenever your processing changes: a new vendor, a new data category, a new purpose, or a new region you operate in. A policy that still describes tools you stopped using no longer reflects your actual processing.
Gather your disclosures using the checklist above, then let Consently's privacy policy generator assemble them into an embeddable, multi-language policy. Keep it current as your processing changes. Build your privacy policy with Consently's generator.

