A GDPR privacy policy template is a pre-structured document that covers every disclosure required under the General Data Protection Regulation, including lawful basis for processing, data retention periods, user rights, cookie usage, international transfers, and breach notification procedures. It applies to any website or app that collects personal data from UK or EU residents.
What Is a GDPR Privacy Policy?
This free GDPR privacy policy template (what regulators such as the ICO call a privacy notice) covers every section legally required to explain how your organisation collects, uses, stores, and shares personal data. Unlike a generic website privacy policy, a GDPR-compliant version must satisfy the specific transparency obligations set out in Articles 13 and 14 of the General Data Protection Regulation.
Under GDPR, a privacy policy is not optional. If you collect any personal data from users in the EU or UK, including names, email addresses, IP addresses, or cookie identifiers, you are legally required to provide this information before or at the point of collection. A vague, copy-pasted template does not satisfy GDPR. The regulation demands specific disclosures written in plain, clear language.
The cost of non-compliance
Supervisory authorities can issue fines of up to €20 million (or £17.5 million under UK GDPR) or 4% of global annual turnover, whichever is higher, for serious GDPR infringements. GDPR enforcement fines across the EU exceeded €2.1 billion in 2023 alone, with organisations of every size receiving notices. Learn more about what happens without a privacy policy.
Does GDPR Apply to You?
GDPR has extraterritorial reach. It does not matter where your business is based. GDPR applies if any of the following are true:
You offer goods or services to individuals in the EU or UK (even if free)
You monitor the behaviour of individuals in the EU or UK via analytics, cookies, or tracking pixels
You process personal data on behalf of an organisation that falls under GDPR
You collect email addresses, run contact forms, or use live chat on your website
You operate a mobile app downloaded by users in the EU or UK
In practice, if visitors from the UK or Europe use your website and you track or contact them with Google Analytics, Mailchimp, a contact form, or even a cookie consent banner, GDPR applies to you and you need a GDPR-compliant privacy policy structured around its requirements.
Did you know? A UK ecommerce store using Stripe for payments, Google Analytics for traffic data, and Mailchimp for email marketing collects personal data through all three services simultaneously. Under GDPR, it must disclose each tool in its privacy policy with the specific lawful basis for each (contract performance for Stripe payment processing; consent for Google Analytics, because non-essential cookies need prior consent under PECR and the ePrivacy Directive whatever GDPR basis is claimed; consent for Mailchimp marketing emails), specify how long it retains each type of data, name the safeguard covering each US transfer (Standard Contractual Clauses, the UK IDTA or Addendum, or the EU-US Data Privacy Framework and its UK extension where the provider is certified), and tell customers exactly how to request access to or deletion of their data. A generic template copied from another site will not reflect this specific setup and will not be compliant.
Do I need a GDPR policy if I am based outside Europe?
Yes. If you target or collect data from EU or UK users, GDPR applies to you regardless of where your business is registered.
Can I copy a privacy policy from another website?
No. A copied policy describes another business's data practices, not yours. This actively misrepresents how you handle data and creates legal exposure rather than reducing it.
How long does it take to create a GDPR-compliant policy?
Under 60 seconds with a structured generator that asks about your specific tools, data types, and jurisdiction.
12 Required Sections of a GDPR-Compliant Privacy Policy
A generic or outdated privacy policy template will not meet GDPR standards. The regulation mandates specific disclosures in each of these areas. Every section below is required, and missing any one of them creates a compliance gap.
Identity and Contact Details of the Data Controller
Your privacy policy must clearly name the data controller, the organisation that decides why and how personal data is processed. Include your full legal or trading name, registered address or country of operation, a dedicated privacy contact email address, and (if applicable) the name and contact details of your Data Protection Officer (DPO). Under Article 37 a DPO is mandatory for public authorities, for organisations whose core activities involve regular and systematic large-scale monitoring of individuals, and for large-scale processing of special category or criminal offence data; outside those cases appointing one is voluntary, but once appointed the DPO's contact details must be published.
Purpose and Legal Basis for Processing
For every category of personal data you collect, you must state the specific purpose and which of the six GDPR lawful bases applies: Consent, Contract performance, Legal obligation, Vital interests, Public task, or Legitimate interests. You cannot simply state legitimate interests without identifying what those interests are. Vagueness here is one of the most common reasons regulators issue enforcement notices.
What Personal Data You Collect
Be specific about the categories of data you collect. Common categories include: identity data (name, date of birth), contact data (email, phone, address), technical data (IP address, browser type, device ID, cookie data), usage data (pages visited, time on site, referring URLs), transaction data (purchase history, payment information), and communications data (messages from contact forms, support tickets).
How You Use Personal Data
Map each data category to its specific use case and lawful basis. For example: We use your email address (a) to send order confirmations under contract performance, (b) to send marketing emails where you have opted in under consent, and (c) to detect fraudulent activity under legitimate interests. This mapping is what separates a GDPR-compliant privacy policy from a generic template.
Third-Party Data Sharing and Processors
List all third parties that receive personal data, grouped by category: service providers (hosting, payment processors, email platforms), analytics tools (Google Analytics, Hotjar, Clarity), advertising platforms (Meta Pixel, Google Ads), and professional advisers. For each category, describe what data is shared and under what legal framework. Where you use data processors, you must have a Data Processing Agreement in place with each one.
International Data Transfers
If data is transferred outside the UK or EU/EEA, including to US-based services like Google Analytics, AWS, Mailchimp, or Stripe, you must disclose this and the safeguard used: UK adequacy regulations, EU adequacy decisions (including the EU-US Data Privacy Framework and its UK extension for certified US providers), Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). For transfers from the UK the EU SCCs are not valid on their own: use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
Data Retention Periods
State how long you keep each category of data. Phrases like as long as necessary are not GDPR-compliant on their own. You must specify timeframes and the reason for each. Retention should be limited to what is genuinely necessary for the stated purpose. See the retention table in the template preview section below for concrete examples.
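As an added example (not part of the page's template), the following Node.js script enforces a per-category retention schedule like the one in the template preview: for each record it checks whether the retention clock has started (account deleted, consent withdrawn, ticket closed), whether a legal hold overrides the schedule, and whether the period has elapsed, and it flags records with no matching rule for review rather than silently keeping or deleting them. The category names, the `legalHold` field and the sample records are constructed assumptions.

```javascript
// Added illustration of a retention sweep. Category names, the legalHold
// field and the sample records are assumptions, not taken from the page.

const DAY = 24 * 60 * 60 * 1000;

// Retention schedule keyed by data category. `from` names the timestamp the
// clock starts at; `keepFor` is how long the record is kept after it.
// A `keepFor` of 0 means "purge as soon as the trigger event has happened".
const RETENTION_RULES = {
  account:     { from: "deletedAt",   keepFor: 30 * DAY,      reason: "service delivery" },
  transaction: { from: "createdAt",   keepFor: 7 * 365 * DAY, reason: "legal / tax obligation" },
  marketing:   { from: "withdrawnAt", keepFor: 0,             reason: "consent-based" },
  access_log:  { from: "createdAt",   keepFor: 90 * DAY,      reason: "security monitoring" },
  support:     { from: "closedAt",    keepFor: 3 * 365 * DAY, reason: "legitimate interests" },
};

// Decide whether one record has outlived its retention period.
function evaluate(record, now, rules = RETENTION_RULES) {
  const rule = rules[record.category];
  if (!rule) {
    // No rule: neither keep indefinitely nor delete blindly; flag for review.
    return { purge: false, reason: "no retention rule; needs review" };
  }
  const start = record[rule.from];
  if (start == null) {
    // Trigger has not happened yet (account live, consent active, ticket open).
    return { purge: false, reason: `awaiting ${rule.from}` };
  }
  if (record.legalHold) {
    // A litigation or regulator hold overrides the schedule.
    return { purge: false, reason: "legal hold" };
  }
  const expiresAt = start + rule.keepFor;
  return now >= expiresAt
    ? { purge: true, reason: rule.reason }
    : { purge: false, reason: `expires ${new Date(expiresAt).toISOString()}` };
}

// Sweep a batch: ids to purge, plus ids that have no rule and need a human.
function sweep(records, now, rules = RETENTION_RULES) {
  const purge = [];
  const review = [];
  for (const r of records) {
    if (evaluate(r, now, rules).purge) purge.push(r.id);
    else if (!rules[r.category]) review.push(r.id);
  }
  return { purge, review };
}

// Constructed sample data with a fixed "now" so the result is deterministic.
const NOW = Date.UTC(2025, 0, 1); // 2025-01-01T00:00:00Z
const SAMPLE_RECORDS = [
  { id: "acct-1", category: "account", deletedAt: NOW - 45 * DAY },            // past 30-day grace: purge
  { id: "acct-2", category: "account", deletedAt: null },                      // still active: keep
  { id: "txn-1",  category: "transaction", createdAt: NOW - 8 * 365 * DAY },   // older than 7 years: purge
  { id: "txn-2",  category: "transaction", createdAt: NOW - 8 * 365 * DAY, legalHold: true }, // hold: keep
  { id: "mkt-1",  category: "marketing", withdrawnAt: NOW - 1 },               // consent withdrawn: purge
  { id: "log-1",  category: "access_log", createdAt: NOW - 10 * DAY },         // within 90 days: keep
  { id: "odd-1",  category: "biometric", createdAt: NOW - 1000 * DAY },        // no rule: review
];

function runSample() {
  return sweep(SAMPLE_RECORDS, NOW);
}

console.log(runSample());
```

The schedule is data, not code, so it can be generated from the same source as the published retention table; any category that appears in production data but not in the policy surfaces in the review list instead of being quietly retained forever.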
User Rights under GDPR (All 8 Rights)
Detail all eight rights and explain how individuals can exercise each one, including your response timeframe. Article 12(3) sets this at one month from receipt of the request, extendable by a further two months for complex or numerous requests provided you tell the individual within the first month. The rights are: right of access (Subject Access Request), right to rectification, right to erasure (right to be forgotten), right to restriction of processing, right to data portability, right to object, rights related to automated decision-making and profiling, and right to withdraw consent at any time.
Cookies and Tracking Technologies
A separate cookie policy is often advisable, but your privacy policy must at minimum reference your use of cookies, categorise them (essential, functional, analytics, marketing), explain what they do, and direct users to your cookie consent mechanism. Non-essential cookies and similar technologies, which include analytics cookies as well as advertising cookies and tracking pixels, require prior opt-in consent under PECR in the UK and the ePrivacy Directive in the EU, and that consent must meet the GDPR standard: freely given, specific, informed and unambiguous. Pre-ticked boxes, consent implied from continued browsing, and tracking scripts that fire before the user has chosen are not valid consent, and withdrawing consent must be as easy as giving it.
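The consent rule above is easy to get wrong in code: a banner that drops analytics cookies before the visitor answers, or whose optional categories default to on, is not consent. The following JavaScript is an added illustration, not code from this page or from any consent vendor, of a category consent gate that keeps non-essential scripts off until an explicit opt-in, never pre-selects a category, resets everything on withdrawal in one call, ignores consent recorded under an older policy version, and keeps a timestamped record of the choice. The category names, script URLs and storage key are assumptions.

```javascript
// Added illustration of a category-based cookie consent gate. Category names,
// script URLs and the storage key are assumptions, not taken from the page.

const CATEGORIES = ["essential", "functional", "analytics", "marketing"];
const STORAGE_KEY = "cookie-consent";
const CONSENT_VERSION = 1; // bump when the cookie policy changes so old choices are re-asked

// Tags to load, each bound to the category that must be granted first.
// The URLs are placeholders.
const TRACKING_SCRIPTS = [
  { category: "analytics", src: "https://analytics.example/tag.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];

// Starting state: only strictly necessary cookies are on. Every optional
// category is off, and `timestamp` stays null until the user has chosen.
function defaultConsent() {
  return {
    version: CONSENT_VERSION,
    timestamp: null,
    essential: true,
    functional: false,
    analytics: false,
    marketing: false,
  };
}

// Record an explicit choice. Only the categories the user ticked become true;
// "essential" cannot be switched off, and unknown categories are rejected so a
// typo in the banner cannot silently grant anything.
function recordConsent(granted, now = Date.now()) {
  const next = defaultConsent();
  for (const c of granted) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown consent category: ${c}`);
    if (c !== "essential") next[c] = true;
  }
  next.timestamp = now;
  return next;
}

// Withdrawal must be as easy as consent: one call resets every optional category.
function withdrawConsent(now = Date.now()) {
  return recordConsent([], now);
}

// True only for a category the user actively granted under the current policy
// version. No record, or a record from an older version, permits essential only.
function isAllowed(consent, category) {
  if (!consent || consent.version !== CONSENT_VERSION) return category === "essential";
  return CATEGORIES.includes(category) && consent[category] === true;
}

// Inject only the scripts whose category is allowed. The injector is a
// parameter so the decision logic can be exercised outside a browser.
function loadPermittedScripts(consent, inject) {
  const loaded = [];
  for (const s of TRACKING_SCRIPTS) {
    if (isAllowed(consent, s.category)) {
      inject(s.src);
      loaded.push(s.src);
    }
  }
  return loaded;
}

// Browser wiring: runs only where a DOM exists. Nothing is injected until a
// saved choice permits it. The banner's "save my choices" handler would call
// recordConsent(), persist the result under STORAGE_KEY, then call
// loadPermittedScripts() again.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const saved = JSON.parse(localStorage.getItem(STORAGE_KEY) || "null");
  loadPermittedScripts(saved, (src) => {
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  });
}
```

The point of the version field is that a changed cookie policy invalidates old consent automatically; the point of the injected loader is that the gate can be unit-tested, so a regression that fires a tracker before consent shows up in CI rather than in a regulator's complaint.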
See full cookie policy requirements
Data Security Measures
Describe the technical and organisational measures protecting personal data: encryption of data in transit (TLS) and at rest, access controls and role-based authentication, regular security assessments and penetration testing, staff training on data protection, and incident response procedures. You do not need to expose implementation details, and you should not: naming specific products, versions or internal architecture adds nothing for compliance and hands an attacker free reconnaissance. A high-level description is both sufficient and safer.
Data Breach Notification
Under GDPR, you must notify the relevant supervisory authority of certain personal data breaches within 72 hours of becoming aware. Where a breach is likely to cause high risk to individuals, you must also notify those individuals without undue delay. Your privacy policy should acknowledge this obligation and reference your internal breach response procedure.
What happens when you have no policy during a breach
Contact Details and Right to Lodge a Complaint
Include a clear privacy contact email address and inform users of their right to lodge a complaint with the supervisory authority. In the UK, that is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, individuals should be directed to their national data protection authority. Providing this information is an explicit Article 13/14 requirement.
UK GDPR vs EU GDPR: Key Differences for Your Privacy Policy Template
Following Brexit, the UK enacted its own version of GDPR ("UK GDPR") retained in domestic law alongside the Data Protection Act 2018. If you serve both UK and EU/EEA residents, you technically operate under two parallel frameworks. In practice they are closely aligned, and a single well-drafted privacy policy can cover both.
| Area | UK GDPR | EU GDPR |
|---|---|---|
| Regulator | ICO (ico.org.uk) | National DPAs (e.g. CNIL, BfDI) |
| Maximum fine | £17.5m or 4% of global annual turnover, whichever is higher | €20m or 4% of global annual turnover, whichever is higher |
| Transfer mechanism | IDTA (International Data Transfer Agreement) or the UK Addendum to the EU SCCs | Standard Contractual Clauses (SCCs) |
| Adequacy status | The UK holds an EU adequacy decision (subject to periodic review), so EU to UK transfers need no extra safeguard | Transfers within the EEA are not international transfers and need no safeguard |
| Representative | UK Representative required if you have no UK establishment but target UK users (Article 27 UK GDPR) | EU Representative required if you have no EU establishment but target EU users (Article 27) |
| Language requirement | Clear, plain English | Plain language for each member state audience |
For most small websites targeting UK users, referencing UK GDPR and the ICO is sufficient. If you actively target EU users, reference both frameworks and ensure you have an EU Representative if your business is not established in the EU. Not sure which applies to your site? See the small business guide.
Free GDPR Privacy Policy Template (Preview)
Below is a free GDPR privacy policy template covering the most critical sections. Replace bracketed placeholders with your specific details. A fully customised version, including all 12 sections, UK and EU-specific language, and your actual data practices, can be generated in under 60 seconds.
1. Who We Are (Data Controller)
[Your Company Name] ("we", "us", "our") is the data controller responsible for your personal data. We are registered in [Country/State] and operate the website [yourwebsite.com].
For privacy-related enquiries, please contact us at: [privacy@yourcompany.com]
2. Legal Basis for Processing Personal Data
We process your personal data based on the following lawful bases:
- Consent: You have given clear consent for a specific purpose (e.g., marketing emails, optional analytics).
- Contractual necessity: Processing is necessary to perform a contract with you (e.g., account creation, order processing).
- Legal obligation: Processing is necessary for compliance with a legal obligation (e.g., tax reporting, court orders).
- Legitimate interests: Processing is necessary for our legitimate interests (e.g., fraud prevention, security monitoring, service improvement), provided your rights do not override those interests.
3. Data Retention Periods
We retain personal data only for as long as necessary for its stated purpose:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Until deletion + 30 days | Service delivery |
| Transaction records | 7 years | Legal / tax obligation |
| Marketing opt-ins | Until consent withdrawn | Consent-based |
| Server / access logs | 90 days | Security monitoring |
| Support tickets | 3 years | Legitimate interests |
| Cookie data | Varies (see cookie policy) | Analytics / functionality |
4. Your Rights under GDPR
Under UK and EU GDPR, you have the following rights:
- Right of access: Request a copy of your personal data (Subject Access Request).
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data, subject to legal grounds for retention.
- Right to restrict processing: Request that we limit how we process your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, except in the limited cases GDPR allows.
- Right to withdraw consent: Withdraw consent at any time where consent is the lawful basis.
To exercise any right, contact us at [privacy@yourcompany.com]. We will respond within one month, and will tell you within that month if a complex request needs longer (up to a further two months). You also have the right to lodge a complaint with the ICO (ico.org.uk) in the UK, or your national data protection authority in the EU.
5. International Data Transfers
Some of our service providers are based outside the UK and EU/EEA, including the United States. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the International Data Transfer Agreement (IDTA) approved by the UK ICO. Transfers to countries with an adequacy decision are permissible without additional safeguards.
A copy of the relevant safeguard is available on request by contacting [privacy@yourcompany.com].
6. Data Breach Notification
We have procedures in place to detect, investigate, and report personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
This is an educational preview. A complete, customised GDPR privacy policy requires tailoring every section to your specific data practices, jurisdiction, and business type. Not legal advice.
Where to Display Your GDPR Privacy Policy
GDPR requires that your privacy policy is easily accessible, not buried in a Terms and Conditions page or available only upon request. Here is where it must appear:
Website footer (all pages)
The most common placement. A persistent link in the footer ensures it is discoverable from every page on your site, which is a basic GDPR expectation.
Sign-up and registration forms
Wherever you collect an email address or personal information, include a link to your privacy policy and a clear disclosure such as: By signing up, you agree to our Privacy Policy.
Learn more about website form requirements
Checkout and payment screens
At the point of purchase, users must be informed how their transaction and payment data is processed. Your privacy policy link must be prominently visible.
E-commerce privacy policy requirements
Cookie consent banner
Your cookie banner or Consent Management Platform (CMP) must link directly to your privacy policy or cookie policy. This is an ICO requirement.
Cookie policy guide
Email footers and marketing communications
Every marketing email must include a link to your privacy policy, an unsubscribe mechanism, and your registered address or contact details.
Mobile app settings screen
If you operate a mobile app, your privacy policy must be accessible within the app itself, typically in the Settings or About section, as well as on your app store listing.
Privacy policy for mobile apps
How to Customise Your GDPR Privacy Policy Template
A template is a starting point, not a finished document. Follow these steps to turn the template into a compliant privacy policy tailored to your business. If you want to skip the manual process, compare free vs paid generators to see which approach suits your situation.
Conduct a data mapping exercise
Before writing anything, list every type of personal data you collect, where it comes from, how you use it, where it is stored, and who has access. This is the foundation your policy must accurately reflect.
Identify your lawful basis for each data type
For every processing activity you identified, choose the appropriate GDPR lawful basis. If you rely on consent, make sure you have a proper consent mechanism. If you rely on legitimate interests, document a Legitimate Interests Assessment (LIA).
List all third-party tools and processors
Audit your tech stack: hosting, analytics, CRM, email marketing, payment processing, live chat, advertising. Every tool that touches personal data must be disclosed, whether it acts as your processor (hosting, most email platforms) or as an independent or joint controller in its own right (payment networks, advertising platforms). Processors need an Article 28 Data Processing Agreement; controllers must be named as recipients, with the lawful basis for sharing.
Set specific retention periods
Replace vague language like as long as necessary with concrete timeframes for each data category. Ground each period in a legitimate business or legal reason.
Write in plain, simple language
GDPR requires your policy to be written in clear, plain language, not legalese. If your average user cannot understand it, it does not meet the transparency standard. Use shorter sentences, active voice, and no unexplained jargon.
Add a last-updated date and review schedule
Include the date the policy was last updated. Set a calendar reminder to review it annually, and update it immediately whenever your data practices or the tools you use materially change.
Generate a Complete GDPR Privacy Policy
Answer a few questions about your website or app and get a fully customised, GDPR-compliant privacy policy covering all 12 required sections in under 60 seconds.
Structured around widely accepted GDPR and UK GDPR requirements. Not legal advice.
Frequently Asked Questions
Is a GDPR privacy policy template free?
Yes. This page provides a free GDPR privacy policy template preview covering the most critical sections. You can use it as a structural guide and starting point for your own website privacy policy. For a fully customised, ready-to-publish version tailored to your specific website or app, our generator produces a complete document for $4.99, covering all 12 required sections in plain, compliant language.
Does my small business need a GDPR-compliant privacy policy?
Yes, without exception. GDPR applies to any organisation that processes personal data of EU or UK residents regardless of business size, your location, or whether you charge for your product or service. There is no small business exemption under GDPR. See the small business privacy policy guide for a tailored walkthrough.
What happens if I do not have a GDPR privacy policy?
Operating without a GDPR-compliant privacy policy exposes you to enforcement action. In the UK, the ICO can issue fines up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious transparency violations. Beyond financial penalties, you risk reputational damage, user complaints, and being reported to the ICO. Read the full breakdown of what happens without a privacy policy.
Can I use the same privacy policy for UK and EU users?
Yes, in most cases. UK GDPR and EU GDPR are substantively aligned. A well-drafted policy that references both frameworks, names the ICO as the UK supervisory authority, and notes the right to complain to the relevant EU data protection authority will typically satisfy both regimes. If your business is outside the EU but targets EU users, you may also need to name an EU Representative.
How often should I update my GDPR privacy policy?
Review your privacy policy whenever you start collecting new types of personal data, introduce new third-party tools or processors, relevant laws or ICO guidance change, or at minimum annually. When changes are material, notify existing users via a site notice or email. Always update the last updated date at the top of your policy.
Do I need a separate cookie policy under GDPR?
Not necessarily. Cookie information can be included within your main privacy policy. However, many sites publish a dedicated cookie policy for websites for clarity, especially where cookie usage is extensive or involves advertising trackers. Either way, your cookie consent banner must link clearly to where this information is published, and marketing or tracking cookies require explicit opt-in consent.
What is the difference between a privacy policy and a privacy notice?
Privacy notice is the term the ICO and other regulators use for the transparency information that Articles 13 and 14 require you to give individuals whose data you collect; the regulation itself does not name the document. Privacy policy is the widely used commercial and colloquial term for the same document. They refer to the same thing: a statement explaining what personal data you collect, why you collect it, how long you keep it, who you share it with, and what rights individuals have over it.
Related Resources
Privacy Policy for Websites
Complete website compliance guide
Cookie Policy for Websites
Cookie categories, consent, and GDPR rules
What Happens Without a Privacy Policy
Fines, platform bans, and legal exposure
CCPA Privacy Policy Example
California privacy rights and disclosures
Free vs Paid Generator
Compare tools and choose the right one
Policy Generator
Create your compliant privacy policy