Table of contents
- What is a privacy policy
- Who is the data controller
- Purposes and legal bases of processing
- What personal data can be processed
- Recipients and disclosure of data
- Data retention period
- Rights of data subjects
- How to draft a privacy policy template
If you manage a website, an e-commerce platform, or even just collect information through contact forms, have you ever wondered whether your privacy policy truly complies with the European Regulation (GDPR)?
Many entrepreneurs and professionals underestimate this document, considering it a mere bureaucratic formality. In reality, a privacy policy is a fundamental safeguard for the protection of individuals and for transparency in the processing of personal data.
A well-written privacy policy not only helps avoid penalties but also strengthens user trust by clarifying who processes personal data, for what purposes of processing, under which legal bases, and for how long such data is retained.
In this article, we’ll explore in detail what a privacy policy is, what it must include, and how to create an effective and compliant privacy policy template in accordance with current regulations.
What is a privacy policy
The privacy policy is a document that every entity, public or private, must provide when it collects or processes personal data of users, clients, or employees. It is required by Regulation (EU) 2016/679 (GDPR), which lays down the rules for the protection of natural persons with regard to the processing of personal data.
This document must explain clearly and understandably how personal data is collected, used, and stored by the data controller. Therefore, it is not a mere formal or technical text, but information that must ensure easy access, transparency, and clarity even for those unfamiliar with legal language.
The goal of a privacy policy is to allow the data subject to understand what happens to their data and to exercise the rights granted by the GDPR: access, rectification, erasure, restriction, portability, and objection to the processing of personal data.
Who is the data controller
The data controller is the natural or legal person who determines how and why personal data is processed.
Example
If you manage a website, you are the data controller, since you decide which data to collect (name, email, technical or profiling cookies) and for which purposes it is processed.
The privacy policy must clearly specify:
- the name or company name of the controller;
- their contact details (email, address, phone number);
- and, where applicable, the contact details of the data protection officer (DPO).
The DPO is not mandatory for every organization. Under the GDPR it must be appointed when the controller is a public authority or body, when its core activities involve large-scale, regular and systematic monitoring of data subjects, or when they involve large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions.
Purposes and legal bases of processing
Every policy must specify the purposes of processing, meaning the reasons for which data is collected. For example:
- managing orders and shipments;
- sending newsletters or promotional content;
- analyzing website traffic;
- fulfilling legal or contractual obligations.
Alongside the purposes, the document must indicate the legal basis for processing, i.e., the reason why processing is lawful under the GDPR. The main legal bases include:
- consent of the data subject (e.g., to receive marketing communications);
- performance of a contract (e.g., managing an online purchase);
- legal obligation (e.g., retention of tax documents);
- legitimate interest of the controller (e.g., cyber security, fraud prevention).
Each privacy policy template must clearly specify the legal basis of processing for every purpose listed.
What personal data can be processed
Personal data refers to any information that identifies or makes an individual identifiable.
It may include common data (name, surname, email), special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation), which enjoy stronger protection, or data relating to minors, which requires specific safeguards.
A privacy policy must clearly state what data is collected and for what purpose. For instance:
“Our website collects the following data: name, surname, email address, IP address, and technical or analytics cookies.”
It is also important to specify whether the data is collected directly from the user or through third parties, such as analytics services, social networks, or payment platforms.

Recipients and disclosure of data
Every privacy policy must include a list or description of the categories of recipients to whom data may be disclosed.
Example
IT service providers, hosting companies, tax consultants, couriers, or public authorities in case of legal obligations.
The disclosure of data must always be limited to what is strictly necessary for the stated purposes and may only be made to authorized persons or to data processors acting on behalf of the controller under a contract that binds them to the controller's instructions.
In case of transfer to third parties located outside the European Economic Area, the privacy policy must specify which safeguards are in place (e.g., standard contractual clauses approved by the European Commission).
Data retention period
A key aspect concerns the retention period of personal data, meaning how long the data is kept.
The GDPR requires that data be retained only for as long as necessary to achieve the purposes for which it was collected.
For example:
- billing and accounting data: 10 years, where national tax or accounting law requires it;
- newsletter subscription data: until consent is withdrawn;
- cyber security data (e.g., access and security logs): a limited period, typically a few months.
The privacy policy template must therefore specify either the exact retention times or the criteria used to determine them.
Rights of data subjects
Every privacy policy must clearly explain the rights of the data subject. These include:
- the right to access their data;
- the right to rectification or erasure;
- the right to restriction of processing;
- the right to data portability;
- the right to object;
- the right to withdraw consent at any time, where processing is based on consent;
- the right to lodge a complaint with a supervisory authority.
It must also indicate how these rights can be exercised, specifying the email address or office responsible within the data controller’s organization.
How to draft a privacy policy template
A good privacy policy template must be:
- clear and concise, written in simple, understandable language;
- easily accessible, for example via a visible link in the website footer;
- complete, including all information required by the GDPR;
- updated, whenever regulatory or technical changes occur.
A basic structure might include:
- Identity of the data controller
- Contact details of the data protection officer (if applicable)
- Purposes and legal bases of processing
- Categories of recipients
- Data retention period
- Rights of the data subject
- How to exercise these rights
- Possible transfers to third countries
- Updates to the policy
Questions and answers
- What is a privacy policy?
It is the document that informs users how their personal data is collected and processed.
- Who must provide a privacy policy?
Any data controller who collects or processes data from natural persons.
- What elements must a privacy policy include?
Identity of the controller, purposes and legal bases of processing, recipients, retention period, and rights of the data subject.
- What is meant by “data controller”?
The person or entity that determines how and why personal data is processed.
- Who is the data protection officer (DPO)?
The person who informs and advises the organization on its GDPR obligations and monitors its compliance.
- What are the main legal bases for processing personal data?
Consent, contract, legal obligation, or legitimate interest.
- Can data be shared with third parties?
Yes, but only when necessary and in compliance with the safeguards required by the European Regulation.
- How long can personal data be kept?
Only for as long as necessary to fulfill the purposes for which it was collected.
- Where should a website’s privacy policy be published?
In the footer or in a section easily accessible from every page.
- What happens if a company lacks a proper privacy policy?
It may face heavy fines and lose credibility in the eyes of customers.