Privacy Policy: What Must Be in It and What Is Optional
15 April 2026
Every website that collects personal data needs a privacy policy. That includes almost every website. If you have a contact form, analytics, a newsletter signup or even just server logs, you're collecting personal data.
But having a privacy policy isn't enough. GDPR Articles 13 and 14 list specific information you must include. Miss one of them and your privacy policy is incomplete. Incomplete means non-compliant.
Most privacy policies we scan are missing at least two required elements. The most commonly missing: data retention periods and the right to complain to a supervisory authority.
The 12 required elements under GDPR Article 13
When you collect personal data directly from people, through your contact form, checkout process or newsletter signup, Article 13 requires you to tell them all of the following.
1. Identity and contact details of the data controller
Who is responsible for the data? Your company name, address and a way to contact you. If you're a sole proprietor, that's your trade name and business address.
This isn't optional and it can't be vague. "Contact us through our website" doesn't count. An email address or phone number is the minimum.
2. Contact details of the data protection officer
If you have a DPO, you must list their contact details. Not their name necessarily, but a way to reach them.
Most small businesses don't need a DPO. You only need one if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you process special category data on a large scale. A bakery with a website doesn't need a DPO. A health clinic with thousands of patient records might.
If you don't have a DPO, you can skip this element. But you should still provide a contact point for privacy questions.
3. Purposes of the data processing
What do you do with the data? Be specific. "We use your data to improve our services" is too vague. Instead:
- "We use your email address to respond to your contact form inquiry"
- "We use your name and email to send you our monthly newsletter"
- "We use analytics cookies to count website visitors and see which pages are popular"
List each purpose separately. Don't bundle everything into one paragraph.
4. Legal basis for each processing purpose
For each purpose, state which of the six legal bases in GDPR Article 6(1) you rely on. For a typical small business website these are the usual ones:
- Consent: newsletters, marketing emails, non-essential cookies
- Contract performance: processing orders, delivering products
- Legal obligation: tax records, statutory fraud prevention requirements
- Legitimate interest: basic website security, fraud prevention
You need to match each purpose to its legal basis. "We process your data based on GDPR Article 6" without specifying which sub-paragraph is not enough.
If you rely on legitimate interest, you must describe what that interest is. "Our legitimate interest in improving our services" is too vague. Be specific about what you're improving and why.
5. Recipients or categories of recipients
Who else gets the data? Name them or at least describe them:
- Your hosting provider
- Your email service provider
- Payment processors
- Analytics providers like Google
- Any other third parties who receive personal data
You don't need to list every sub-processor your cloud host uses. But you do need to mention the categories of companies you share data with and ideally name the major ones.
A compliance scan can help you identify which third parties your website shares data with. Many website owners don't realise their site connects to a dozen different services.
6. International data transfers
If personal data goes outside the European Economic Area, you must say so. This is relevant if you use:
- Google Analytics, Google Maps, YouTube
- Mailchimp, HubSpot or other US-based email tools
- Cloudflare, AWS or other cloud services with US infrastructure
- Facebook Pixel, LinkedIn Insight Tag or other US ad platforms
For each transfer, explain the legal mechanism. After the Schrems II ruling invalidated Privacy Shield, the main mechanisms are Standard Contractual Clauses and the EU-US Data Privacy Framework for certified US companies.
7. Data retention periods
How long do you keep the data? This is the element most privacy policies skip entirely.
You need specific timeframes, not "as long as necessary." Good examples:
- "Contact form messages: 12 months after last communication"
- "Customer order data: 7 years for tax compliance"
- "Newsletter subscribers: until you unsubscribe"
- "Analytics data: 14 months"
If you genuinely can't set a fixed period, explain the criteria you use to decide. But for most small business data processing, you can and should set clear retention periods.
8. Data subject rights
Your visitors have rights under GDPR. Your privacy policy must list them:
- Right of access to their personal data
- Right to rectification if data is inaccurate
- Right to erasure in certain circumstances
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interest
Explain how people can exercise these rights. An email address is fine. Don't make them send a letter by post.
9. Right to withdraw consent
If any of your processing is based on consent, you must tell people they can withdraw that consent at any time. And withdrawing must be as easy as giving consent.
For newsletter subscriptions, the unsubscribe link in every email handles this. For cookie consent, provide a way to change cookie preferences from anywhere on the site.
10. Right to lodge a complaint with a supervisory authority
This is the second most commonly missing element. You must tell visitors they can complain to a data protection authority.
For the Netherlands, that's the Autoriteit Persoonsgegevens. For Belgium, the Gegevensbeschermingsautoriteit. For the UK, the Information Commissioner's Office.
Include the name and a link. You don't need to list every EU authority. List the one in your country of establishment.
11. Whether providing data is a statutory or contractual requirement
Tell visitors whether they're required to give you their data, or whether it's voluntary. And what happens if they don't.
For a contact form: providing your email is voluntary, but you won't be able to respond without it. For an online order: providing your address is necessary to deliver your purchase.
12. Automated decision-making and profiling
If you make automated decisions that significantly affect people, you must say so. This includes automated credit scoring, algorithmic hiring decisions or content personalization that affects what offers someone sees.
Most small business websites don't do this. If you don't use automated decision-making, you can state that clearly and move on.
What's optional but still recommended
These elements aren't strictly required by Article 13, but including them makes your privacy policy more useful.
Cookies section. GDPR doesn't require a separate cookies section in your privacy policy, but the ePrivacy Directive does require you to inform visitors about cookies. Most businesses include cookie information in their privacy policy or link to a separate cookie policy.
Last updated date. Not technically required, but regulators expect your privacy policy to be current. A visible "Last updated" date signals that you maintain it. It also helps you remember when you last reviewed it.
Plain language summary. GDPR Article 12 requires that privacy information be provided in "concise, transparent, intelligible and easily accessible form, using clear and plain language." A summary section at the top can help with this, especially if your full policy is long.
Common mistakes in privacy policies
Copy-pasting from another website. Every privacy policy should reflect your actual data processing. A restaurant doesn't process the same data as an online shop. Copy-pasting means you're either listing things you don't do or missing things you do.
Using a template without customizing it. Templates are a good starting point. But you need to fill in the specifics: your company name, your actual third-party services, your real retention periods. A template with [COMPANY NAME] placeholders still in it is worse than no privacy policy.
Hiding the privacy policy. It must be accessible from every page, typically in the footer. A privacy policy that only appears on the contact page or is buried three clicks deep doesn't meet the "easily accessible" requirement.
Not updating after changes. Added Google Analytics? Switched email providers? Started using a new CRM? Your privacy policy needs to reflect current processing. Review it whenever you add or change a tool that handles personal data.
Writing it in legal language. GDPR explicitly says the information must be in "clear and plain language." This applies especially when addressing children, but it is good practice for any audience. If your visitors need a law degree to understand your privacy policy, it fails the GDPR transparency requirement.
How our compliance scan checks your privacy policy
When you run a scan, we check your privacy policy for the presence of key required elements. The scan looks for:
- Data controller identity and contact information
- Mention of data subject rights
- Reference to a supervisory authority
- Data retention information
- Third-party data sharing disclosures
- Cookie information
- International transfer disclosures
The scan can't verify the accuracy of what your privacy policy says. But it can flag missing sections so you know what to add.
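The presence check described above can be reproduced in a few lines. The script below is an added example written for this article; it is not the scanner's own code, and the keyword patterns it uses for each element are my own assumptions about what a reasonable presence heuristic looks like. It runs over a constructed policy excerpt that, like many real ones, mentions retention only as "as long as necessary" and never names a supervisory authority, so those two elements come back as missing; for the retention element the check requires both a retention statement and a concrete duration, because "as long as necessary" is not a retention period.

```python
import re

# Constructed sample privacy policy excerpt (not from any real website).
# It deliberately lacks a concrete retention period and any mention of a
# supervisory authority, the two elements the article says are most often missing.
SAMPLE_POLICY = """
Privacy Policy
Example Bakery B.V. (the data controller), Bakkerstraat 1, 1234 AB Amsterdam,
privacy@example-bakery.invalid, is responsible for your personal data.
We use your email address to respond to your contact form inquiry.
We share data with our hosting provider and our email service provider (third parties).
Some of these providers are located outside the European Economic Area; transfers
are covered by Standard Contractual Clauses.
We keep your data for as long as necessary.
You have the right of access, the right to rectification and the right to erasure.
This website uses cookies for analytics.
"""

# The same excerpt with the two gaps filled in, to show a clean result.
FIXED_POLICY = SAMPLE_POLICY.replace(
    "for as long as necessary", "for 12 months after our last communication"
) + "You can lodge a complaint with the Autoriteit Persoonsgegevens.\n"

# A concrete timeframe: "12 months", "7 years", or an event-based period.
DURATION = r"\b\d+\s+(?:days?|weeks?|months?|years?)\b|\buntil you unsubscribe\b"

# Heuristic indicators per element (assumed patterns, not the scanner's real rules).
# "any": at least one pattern must match; "all": every pattern must match.
REQUIRED_ELEMENTS = {
    "controller_contact": {
        "any": [r"\bcontroller\b", r"\bresponsible for\b"],
        # an email address is the minimum contact route the article asks for
        "all": [r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"],
    },
    "data_subject_rights": {
        "any": [r"\bright (?:of|to) (?:access|rectification|erasure|restrict|object|data portability)\b"],
    },
    "supervisory_authority": {
        "any": [r"\bsupervisory authority\b", r"\bdata protection authority\b",
                r"\blodge a complaint\b", r"\bAutoriteit Persoonsgegevens\b",
                r"\bGegevensbeschermingsautoriteit\b", r"\bInformation Commissioner"],
    },
    "retention": {
        "any": [r"\bretain", r"\bretention\b", r"\bkeep your data\b", r"\bstored? for\b"],
        "all": [DURATION],  # a retention statement without a period is not enough
    },
    "third_party_sharing": {
        "any": [r"\bthird[- ]part(?:y|ies)\b", r"\bshare(?:d|s)? .{0,40}\bwith\b",
                r"\b(?:sub-?)?processors?\b"],
    },
    "cookies": {"any": [r"\bcookies?\b"]},
    "international_transfers": {
        "any": [r"\boutside the (?:EEA|European Economic Area)\b",
                r"\bstandard contractual clauses\b", r"\bdata privacy framework\b",
                r"\binternational transfers?\b"],
    },
}


def _matches(text, pattern):
    return re.search(pattern, text, flags=re.IGNORECASE) is not None


def check_policy(text):
    """Return {element: True/False} for each element the scan looks for."""
    results = {}
    for name, rules in REQUIRED_ELEMENTS.items():
        any_ok = any(_matches(text, p) for p in rules["any"])
        all_ok = all(_matches(text, p) for p in rules.get("all", []))
        results[name] = any_ok and all_ok
    return results


def missing_elements(text):
    """List the elements that could not be found, in scan order."""
    return [name for name, present in check_policy(text).items() if not present]


if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{label}: missing = {missing_elements(policy)}")
```

As the article notes, a check like this only establishes that a section exists; it cannot tell whether the stated retention period or named recipients are true, so treat its output as a to-do list, not a compliance verdict.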
Common Questions
Do I need a privacy policy if my website doesn't have a contact form?
Almost certainly yes. If your website uses analytics, loads third-party resources like Google Fonts, or has any form of data collection including server logs, you're processing personal data. That requires a privacy policy.
Can I use a free privacy policy generator?
Generators can give you a decent starting point. But you need to review and customize the output. Make sure it accurately describes what your specific website does. A generic policy that doesn't match your actual data processing can create more problems than it solves.
How often should I update my privacy policy?
Review it whenever you add or remove a tool, service or feature that processes personal data. At minimum, review it once a year. Put the "last updated" date visibly on the page.
Does my privacy policy need to be in multiple languages?
If your website targets visitors in multiple countries with different languages, providing the privacy policy in those languages is best practice. GDPR requires information to be provided in an "intelligible" form. For a Dutch business targeting both Dutch and English-speaking customers, having both versions is recommended.
What's the penalty for not having a privacy policy?
GDPR fines for transparency violations fall under the higher fine tier of Article 83(5). The maximum is 20 million euros or 4% of annual global turnover, whichever is higher. In practice, small business fines are much lower. But a missing or incomplete privacy policy is one of the first things a supervisory authority checks during any investigation.