Privacy Policy Checklist in GDPR

Privacy Policy Checklist in GDPR

By Safwana

Published on 27th Feb 2019|Last updated on 10th Nov 2020

What is GDPR?

Since May 25th, 2018, every organization that has a user base in any of the member states of the EU, has to abide by the strict privacy regulations of the GDPR. The law aims to protect the personal data and privacy of users and the organizations have to take steps to ensure that the users’ personal data and privacy are protected.

Complying with GDPR is necessary even if your organization is not based out of the European Union and if you are in any way collecting the data of a European Union citizen. Non-compliance to the regulations can potentially cause a fine of up t0 €20 million or 4% of the annual turnover of the previous financial year or whichever is higher. Read more about the GDPR here.

One of the key principles of the GDPR is lawfulness, fairness, and transparency. The organizations are now expected to be transparent about the personal data that they collect of the users. This is done by most websites using their privacy policy page.

What is a Privacy Policy?

The GDPR requires that the users be informed about all the data that you collect, so privacy policy is the way to go. It is the documentation that details how the website operates, and how the data is collected and what it is used for, etc. Most of the countries around the world legally mandate a privacy policy on a website. And from a user perspective, the privacy policies help build trust among the users.

What are the Things to be Included in the Privacy Policy Page?


The policy document should contain the name of the data controller in the organization and how they can be contacted. Information on how they can be contacted should be provided for the users.

If the organization is required to have a Data Protection Officer in your Organization, then include the details of the Data Protection Officer. The details should contain the name and contact information of the DPO. The contact details can be used by the users to reach out to the DPO with their queries and concerns regarding the processing of their personal data.

Details about the personal data collected

The privacy policy of a website must include the details about what personal data is collected and how they are collected. There are multiple ways in which data can be collected on a website like contact forms, cookies, etc.

When informing the users about the data collected, the details should include the types of personal data collected, why the data are collected, how the data is collected, for how long will the data be stored, whom the data is shared with, what security measures have been taken to safeguard the data, etc.

Personal data can be defined as any data that can directly or indirectly identify an identifiable person. This can be the name, address, credit card information, IP address, a cookie identifier, etc related to the user. Read more about what is personal data in GDPR in this article.

Transferring Personal Data Outside the European Economic Area (EEA)

Your organization might require transferring of the data different vendors or related organizations outside of the European Union. If your organization does so, it must be clearly stated in the privacy policy, whether the personal data will be shared outside the EEA and what are the safeguards in place to secure the data.

How to Opt-out

According to GDPR, users should be able to reverse the consent that they have given so that there is no more data collected by the website. The idea is to present the users with a real choice regarding the collection of their personal data. So there should be a mechanism in place for the users to reverse the consent and it should be made clear in the privacy policy how the users can revoke their consent.

The purpose and lawful basis for data collection

The privacy statement should clearly indicate the lawful basis for data collection and processing. There are 6 lawful bases for data collection. They are the following.

  • Consent
    If the data is collected by the clear and informed consent of the individual.
  • Contract
    If the data processing is necessary for a contract you have with the individual.
  • Legal obligation
    If data processing is necessary to comply with the law.
  • Vital interest
    If data processing is necessary to protect someone’s life.
  • Public task
    If the data is processing is necessary to perform a task in the public interest.
  • Legitimate interest
    If you are processing the personal data on the legal basis of your or a third-parties “legitimate interests”,  you must include those legitimate interests in the privacy policy.

Sources of the Data

The privacy policy should contain the sources from where you obtained the data. If the data was collected from other sources, inform the source of the data and state whether or not those sources include public sources of personal data.

Rights of the Individual

Many times even the users are not aware of their rights and how they can implement their rights. The privacy policy should acknowledge the existence of such rights and how they can exercise them.

There are certain rights that the GDPR gives the users. They are the following.

  • The right to be informed
  • The right to access
  • The right to erasure
  • The right to rectification
  • The right to object
  • The right to restrict processing
  • The right to data portability
  • Rights related to automated decision making including profiling

Make the users aware of their rights and inform them how they can exercise their rights. The user can invoke their rights verbally or in a written form and the request should be responded to within a month.

The Language of the Policy

It is very important in GDPR that the users be informed of all the data that are collected. So it is necessary that the privacy policy be concise, transparent, intelligible, easily accessible and written in a clear and plain language.

Crafting a privacy policy that is filled with legal or technical jargon will not be of any help to a common user in understanding all the details properly. The information should be structured in such a way, using simple language, as much as possible, so that it is easy for any user to understand what happens to their data when they are using the website.

Lodge a complaint to the Supervisory authority

The users should be informed that they have the right to lodge a complaint to the supervisory authority. If the users’ complaint is not resolved by your organization, then they can lodge a complaint to the relevant data protection authority.

Automated Decision Making or Profiling

If there is automated processing done on the user data using an algorithm, then the users should be made aware of such processing and the logic and reasons behind the processing.

When to provide the privacy policy

It is recommended that the privacy information is provided at the first point of contact. The minimum amount of time within which the users should be provided with the required information within 1 month of the data collection.

The privacy policy must be available to the users from every page of the website. The link to the privacy policy should be placed in an obvious manner, that is easily accessible. Usually, most websites keep the link to their privacy policy on the footer of the website.

There are certain circumstances where it is not required to provide users with privacy information. In cases where privacy information has been already provided to the users or it would require a disproportionate effort to provide it to them.

From the above checklist, make sure that they are covered in your privacy policy, not necessarily in the same order. After you have prepared the privacy policy, it must be frequently updated on a regular basis to reflect the latest changes.

Create the perfect privacy policy for your website using CookieYes Privacy Policy Generator in less than two minutes!

Disclaimer: This content should not be treated as legal advice and the article is not written by a lawyer. The website owners should seek legal advice if needed to know what is best for their website or app depending on which further actions may be required to fully comply with the law.

Make Your Website GDPR Compliant With CookieYes

CookieYes is a new and easy solution to make your website comply with the GDPR Cookie Law from Cookie Law Info. Join the 1 Million+ website using our solutions now!


Safwana is a Content Marketer for Cookie Law Info. She's passionate about writing and promoting content that is helpful to readers.