How to write a GDPR privacy notice – with template example

Updated 8 November 2018. This blog was originally published before the GDPR took effect in May 2018.

An integral part of EU GDPR (General Data Protection Regulation) compliance is producing appropriate documentation.

If you are classified as a data controller under the GDPR, this includes creating a privacy notice that informs data subjects of your corporate privacy policy.

For all processing activities, you must decide how data subjects will be informed of your privacy policy.

When should you provide a GDPR privacy notice?

Article 13 of the GDPR states that:

  • When you collect personal data directly from data subjects, you must provide a privacy notice at the time of collection.
  • When you get personal data from another source, you must provide a privacy notice without undue delay, and within a month. This must be done the first time you communicate with the data subject, or when their personal data is first shared with another recipient, such as a data processor.

Privacy notices can be issued in stages, but it is often easiest to direct data subjects to your privacy policy on your website.

If you don’t have a website, you might need to make a physical copy of your privacy policy available.

These obligations do not apply if the data subject already has the information, if providing this information is impossible or would involve a disproportionate effort, if you are obliged to obtain or disclose the data by law, or if the personal data must remain confidential, subject to an obligation of professional secrecy.

How do you write a GDPR privacy policy?

Your privacy policy should address the following:

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for processing the data?
  • Will the data be shared with any third parties?
  • How will the information be used?
  • How long will the data be stored for?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

How does a privacy policy differ from a data protection policy?

A privacy policy is a public statement of how your organisation applies the GDPR’s data protection principles to processing data. It should be a clear and concise document that is accessible by data subjects.

A data protection policy, on the other hand, is an internal document that goes into detail about the organisation’s data protection objectives and responsibilities, and how to handle violations.

Read our blog How to write a GDPR data protection policy for more information.

GDPR privacy notice

Articles 12, 13 and 14 of the GDPR outline the requirements for giving privacy information to data subjects.

The GDPR says that the information you provide must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child; and
  • Free of charge.

Sample GDPR privacy notice template

Below is an example of a customisable privacy notice template available from IT Governance.

GDPR Privacy Notice Template - Example from the EU GDPR Documentation Toolkit

Example of IT Governance’s GDPR privacy notice template.

Not sure where to start? We can help

We’ve made it easy for you to create a GDPR-compliant privacy notice in minutes with our bestselling EU General Data Protection Regulation (GDPR) Privacy Notice Template >>

If you need a complete set of GDPR templates to help with your compliance project, you might be interested in our market-leading EU GDPR Documentation Toolkit.

Designed and developed by expert GDPR practitioners, it has been used by thousands of organisations worldwide. It includes:

  • A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
  • Helpful dashboards and project tools to ensure complete GDPR coverage;
  • Direction and guidance from expert GDPR practitioners; and
  • Two licences for the GDPR Staff Awareness E-learning Course.

Watch this quick demonstration video to find out how the toolkit works >>

Buy the toolkit >> 

Take a free trial >>