How to write your privacy policy

Most companies collect and store personal data about other people. If you do this then you need a privacy policy. Read this guide to learn more about how to draft a privacy policy.

Disclaimer (16 October 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant. Please also keep in mind that this guide is not exhaustive and that more requirements might be applicable.

A how-to guide for writing your privacy policy

The majority of websites in the EU have a privacy policy. The reason is that almost all companies, no matter their size, hold data about other people, e.g., their names and email addresses. If your company holds this type of information, you need a privacy policy. Read this guide to learn more about how to draft a privacy policy, and what you need to include.

Privacy policy guide agenda

In the following guide, you can learn about how to draft your privacy policy. However, in light of this legal document's importance, we recommend that you either get help from your attorney or find a solution that can help you.

We will cover the following topics in this guide:

  • What is a privacy policy
  • Can I copy a privacy policy from somewhere else?
  • What you need to include in a privacy policy
  • Privacy policy checklist
  • Where do you need to include your privacy policy
  • Privacy policy proof
  • Further reading

What is a privacy policy

The privacy policy is also often referred to as a "privacy notice" or "privacy information". Here we use the term "privacy policy". Whatever the name, the document tells people why you need their personal data, what you use it for, how long you keep it, and whether you share it with anyone else.

Can I copy a privacy policy from somewhere else?

Copying a privacy policy from another website isn't a good idea.

The reason is that the privacy policy is an essential document. The document describes to your website visitors, users, customers, etc., how you process their personal information, for what purposes, for how long, and what security measures you have in place.

You are legally required to tell your users how you process their personal information. When you copy the document from someone else, the privacy policy is unlikely to match how you actually handle data, which may put you in violation of the GDPR.

Therefore, you should spend some time on this to make sure that you get it right.

What you need to include in a privacy policy

Before you begin drafting your privacy policy, start by figuring out the following:

1. Who do you collect data about?

Here you need to think about each of the types of people you collect data from. For example, your website visitors aren't providing the same data as your customers. There is a difference, and you need to make sure that you have an overview of each of these groups. Many companies have the following groups they collect data from:

  • website visitors
  • customers, users, clients
  • candidates

2. What data do you collect about the groups?

You need to find out what data you collect about the different types of people.

As an example, you would normally collect the following information about your customers: name, email, telephone number, address, country, title, when they signed up for your service, what company they work for, etc.

For website visitors, you could, e.g., collect this type of data: the computer's Internet Protocol (IP) address, the user's browser type and version, the user agent, the pages the user visited, the time and date of their visit, the time spent on each page, and other details.

3. What do you use the data for?

You are probably using personal data for many different things. It's very important that you look at how data flows in your company and think about what you use it for.

Here you also need to remember that you use each group's data for different things. The data you collect when people visit your website is used for different purposes than the data you collect when they contact your support team. So take some time to describe the different purposes.

Here's an example of what you could write about the purposes of the data collected about your customers:

"If you contact our support team, we'll also collect the data you provide us when you contact us, e.g., what's wrong, how we can help you, and when a complaint was filed. We do that in order to handle your complaint and provide you with support."

4. Your legal grounds for processing the personal data

This section should describe the lawful bases you rely on for processing the personal data. The different lawful bases are set out in the General Data Protection Regulation (GDPR).

Here are some examples:

  • your consent
  • we are contractually obligated
  • we need to perform a public task
  • we have a legitimate interest
  • to defend us against legal claims

Remember, if you are processing data on the basis of consent, you also need to tell people that they can withdraw their consent and also explain how they can do this.

5. For how long do you keep the data?

You need a data retention policy for all personal data you collect, i.e., an overview of how long you keep each type of data. Your privacy policy should state the retention period for each type of data that it mentions.

Additionally, the GDPR states that you can only keep data for as long as there is a "need to have" it; a "nice to have" is not enough.

6. How do you keep the data safe and secure?

The safety and security of the personal data you process needs to be described in your policy. So describe how you store the data and how you intend to securely destroy or dispose of it.

You can consider describing your security practices in a security white paper or a data practices & security document. This white paper should be placed on your website so your users can read about your security and data practices.

7. Who do you share the data with?

You need to include information in the privacy policy about who you share the data with.

8. The data protection rights

The privacy policy also has to include information about people’s rights.

These rights include:

  • the right to access
  • the right to restriction of the data processing
  • the right to rectification / edits
  • the right to data portability

Remember that you need to respond to the user within a month.

9. Who can people complain to?

Your privacy policy has to contain information about how people can complain about the data processing activities.

This section needs to include information about how they can contact you and which data protection agency they can complain to. The information about the data protection agency should include its address, phone number and a link to the agency's website.

10. Include your contact details

You should insert your business's contact details. This includes your company name, address, email address, phone number and web address.

11. The date your privacy policy was drafted

You need to include the date you completed the privacy notice.

Privacy policy checklist

  • Your company name, address, email, and other contact details as data controller
  • When did you complete your privacy policy (date stamp)
  • Who do you collect personal data about
  • What personal data is collected from your users and what you are using this data for (the purposes)
  • The legal grounds for processing the personal data
  • Who you are sharing the data with
  • Your security measures
  • The data retention periods for the specific data collected
  • How to file a complaint and to whom
  • How the user can exercise their right to request:
      1. data access,
      2. data deletion, and
      3. data edits.

Also remember that you need to:

  • Make sure your privacy policy is accessible when collecting your users' information
  • Make sure your privacy policy is easy to read and understand
  • Make sure you can prove that you gave your users / customers the option to read the privacy policy when their consent was given

An example of a link to a privacy policy in Openli's consent solution (image: email consent form).

Where do you need to include your privacy policy

Your company's privacy policy should be available on your website. You need to make sure that it is available in all the places where you collect personal data, e.g., sign-up forms, newsletter pop-ups, etc.

Privacy policy proof

You need to be able to prove that you gave your users the option to read the privacy policy when their consent was given.

Further reading

Want to learn more about GDPR and compliance? We have compiled an in-depth article about website compliance, where you can find out more about the compliance elements and legislation you need to comply with as a website owner.