# Privacy Policy for Websites: What GDPR Requires and How to Create One
Complete guide to creating a GDPR-compliant privacy policy. Covers Art. 13/14 mandatory disclosures, common mistakes, third-party services, international transfers, and generator tool comparison.
A privacy policy is not a legal formality you can copy from another website and forget about. Under the GDPR, it is a mandatory transparency instrument with specific content requirements defined in Articles 13 and 14. An incomplete, outdated, or inaccurate privacy policy is itself a GDPR violation — and one that data protection authorities (DPAs) actively enforce.
This guide explains exactly what your privacy policy must contain, identifies the most common mistakes, discusses dynamic vs. static approaches, and compares the available generator tools.
## What Articles 13 and 14 Require
Article 13 applies when you collect personal data directly from the data subject (e.g., forms, cookies, account creation). Article 14 applies when you obtain data from other sources (e.g., data brokers, publicly available databases). Most websites primarily deal with Article 13.
### Mandatory Disclosures: Complete Reference Table
| Disclosure | Article | Example |
|---|---|---|
| Identity of the controller | 13(1)(a) | Company name, registered address |
| Contact details of the controller | 13(1)(a) | Email, postal address |
| DPO contact details (if applicable) | 13(1)(b) | Email of the Data Protection Officer |
| Purposes of processing | 13(1)(c) | Website analytics, order processing, marketing |
| Legal basis for each purpose | 13(1)(c) | Consent (Art. 6(1)(a)), contract (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)) |
| Legitimate interests pursued | 13(1)(d) | Security, fraud prevention, service improvement |
| Recipients or categories of recipients | 13(1)(e) | Payment processors, analytics providers, hosting |
| International transfers + safeguards | 13(1)(f) | SCCs, adequacy decision, binding corporate rules |
| Retention period or criteria | 13(2)(a) | “12 months after account deletion” or “as required by tax law” |
| Data subject rights | 13(2)(b) | Access, rectification, erasure, restriction, portability, objection |
| Right to withdraw consent | 13(2)(c) | “You can withdraw consent at any time via our cookie settings” |
| Right to lodge a complaint | 13(2)(d) | Name and contact of the relevant supervisory authority |
| Statutory/contractual necessity | 13(2)(e) | “Providing your email is required for account creation” |
| Automated decision-making | 13(2)(f) | Profiling logic, significance, envisaged consequences |
| Source of data (Art. 14 only) | 14(2)(f) | “Data obtained from public business registries” |
### The Plain Language Requirement
Article 12(1) requires that information be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” This is not optional guidance — it is a legal obligation.
In practice, this means:
- Avoid legal jargon where possible
- Use short sentences and active voice
- Structure the document with clear headings
- Consider a layered approach: summary first, full details below
## Common Mistakes in Privacy Policies
### 1. Copy-Pasting From Another Website
Every privacy policy must accurately reflect the specific data processing activities of the controller. A copied policy will inevitably:
- List services you do not use (creating false expectations)
- Omit services you do use (violating Art. 13)
- Reference the wrong controller entity
- Cite incorrect legal bases
### 2. Listing Services Without Legal Basis
Many privacy policies describe what data they collect and which third-party services they use, but fail to state the legal basis for each processing activity. Article 13(1)(c) explicitly requires both the purpose and the legal basis.
**Incorrect:** “We use Google Analytics to analyze website traffic.”

**Correct:** “We use Google Analytics to analyze website traffic. The legal basis is your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time via our cookie settings.”
### 3. Vague Retention Periods
“We store your data as long as necessary” is not a valid retention disclosure. Article 13(2)(a) requires either:
- A specific retention period (“24 months after your last login”), or
- The criteria used to determine the period (“for the duration of the contractual relationship plus the statutory retention period of 10 years under tax law”)
### 4. Missing Third-Party Disclosures
Every third-party service that processes personal data on your behalf must be disclosed. Common omissions include:
- CDN providers (they process IP addresses)
- Font loading services (Google Fonts, Adobe Fonts)
- Chat widgets (Intercom, Drift, LiveChat)
- Error tracking (Sentry, Bugsnag)
- A/B testing tools (Optimizely, VWO)
- Heatmap/session recording (Hotjar, FullStory)
### 5. Not Updating After Changes
Adding a new analytics tool, switching payment providers, or integrating a marketing platform all require privacy policy updates. An outdated policy that omits active services is a violation.
## Third-Party Services to Disclose
The following categories of third-party services are commonly found on websites and must be disclosed in your privacy policy:
### Analytics and Tracking
| Service | Data Processed | Typical Legal Basis | Transfer Location |
|---|---|---|---|
| Google Analytics 4 | IP (anonymized), device data, behavior | Consent | US (DPF) |
| Matomo (self-hosted) | IP, device data, behavior | Legitimate interest (if anonymized) | Your server |
| Plausible | No personal data (privacy-focused) | Legitimate interest | EU |
| Hotjar | Session recordings, heatmaps, IP | Consent | EU/US |
### Payment Processing
| Service | Data Processed | Typical Legal Basis | Transfer Location |
|---|---|---|---|
| Stripe | Payment data, name, email, IP | Contract performance | US (DPF) |
| PayPal | Payment data, name, email, IP | Contract performance | US (DPF) |
| Mollie | Payment data, name, email | Contract performance | Netherlands |
### Marketing and Communication
| Service | Data Processed | Typical Legal Basis | Transfer Location |
|---|---|---|---|
| Mailchimp | Email, name, engagement data | Consent | US (DPF) |
| Brevo (Sendinblue) | Email, name, engagement data | Consent / Legitimate interest | EU |
| HubSpot | Contact data, behavior, engagement | Consent | US (DPF) |
### Hosting and Infrastructure
| Service | Data Processed | Typical Legal Basis | Transfer Location |
|---|---|---|---|
| AWS | Server logs (IP, timestamps) | Legitimate interest | EU region available |
| Cloudflare | IP, request data | Legitimate interest | Global (DPF for US) |
| Hetzner | Server logs | Legitimate interest | Germany |
## Dynamic vs. Static Privacy Policies
### Static Privacy Policies
A static privacy policy is a manually written document. It is simple to create but requires manual updates whenever your data processing changes.
**Best for:** Small websites with stable, simple data processing.

**Risk:** Becomes outdated as services are added or changed, leading to inaccurate disclosures.
### Dynamic Privacy Policies
A dynamic privacy policy is generated or updated automatically based on your actual website configuration. For example, a scan detects which cookies and trackers are active, and the privacy policy is updated to reflect them.
**Best for:** Websites that frequently change their tech stack, use multiple third-party services, or operate at scale.

**Advantage:** Reduces the gap between actual processing and documented processing.
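The gap between actual and documented processing is something you can measure rather than guess at. As an added example (not code from this page or from any generator tool it names), the following Python script reconciles the third-party hosts a scanner observed on a site with the policy's disclosure register, and flags the mistakes listed above: active services the policy does not mention, stale entries for services no longer loaded, a purpose stated without a legal basis, vague retention wording, and a non-EEA transfer with no stated safeguard. The observed hosts, the host-to-service catalogue, and the disclosure register are constructed sample data; the `Disclosure` fields and finding codes are this example's own design.

```python
"""Reconcile a website scan against privacy-policy disclosures (added example)."""
from dataclasses import dataclass

# Constructed sample: third-party hosts a crawl of the site observed requests to,
# the kind of output a cookie/tracker scanner produces.
OBSERVED_HOSTS = [
    "www.google-analytics.com",
    "static.hotjar.com",
    "js.stripe.com",
    "fonts.googleapis.com",
    "cdn.example-widget.invalid",  # deliberately not in the catalogue below
]

# Constructed catalogue mapping request hosts to the service they belong to.
# A real deployment maintains a far larger, regularly updated list.
SERVICE_CATALOGUE = {
    "www.google-analytics.com": "Google Analytics 4",
    "static.hotjar.com": "Hotjar",
    "js.stripe.com": "Stripe",
    "fonts.googleapis.com": "Google Fonts",
}

# Locations treated as inside the EEA; anything else needs a Chapter V safeguard
# (adequacy decision, DPF certification, SCCs, ...). Assumption for this example.
EEA_LOCATIONS = {"EU", "EEA", "Germany", "Netherlands", "Your server"}

# Wording that Art. 13(2)(a) does not accept as a retention disclosure.
VAGUE_RETENTION_PHRASES = ("as long as necessary", "as needed", "until no longer required")


@dataclass
class Disclosure:
    service: str
    purpose: str
    legal_basis: str        # e.g. "Consent (Art. 6(1)(a))"; empty string = not stated
    retention: str          # specific period or criteria; empty string = not stated
    transfer_location: str  # e.g. "US", "EU"
    safeguard: str = ""     # e.g. "DPF", "SCCs"; empty string = none stated


@dataclass
class Finding:
    code: str      # UNDISCLOSED | STALE | NO_LEGAL_BASIS | VAGUE_RETENTION | NO_TRANSFER_SAFEGUARD
    service: str
    detail: str


def reconcile(observed_hosts, catalogue, disclosures):
    """Compare what the site actually loads with what the policy discloses.

    Returns (findings, unknown_hosts); unknown_hosts are observed hosts the
    catalogue cannot classify and therefore need manual review.
    """
    detected = {catalogue[h] for h in observed_hosts if h in catalogue}
    unknown_hosts = sorted(h for h in observed_hosts if h not in catalogue)
    disclosed = {d.service: d for d in disclosures}
    findings = []

    # Art. 13(1)(c)/(e): every active service must appear in the policy.
    for svc in sorted(detected - disclosed.keys()):
        findings.append(Finding("UNDISCLOSED", svc, "active on the site but absent from the policy"))

    # Disclosed but no longer loaded: a stale entry that creates false expectations.
    for svc in sorted(disclosed.keys() - detected):
        findings.append(Finding("STALE", svc, "disclosed but not observed on the site"))

    # Content checks for services that are both active and disclosed.
    for svc in sorted(detected & disclosed.keys()):
        d = disclosed[svc]
        if not d.legal_basis.strip():
            findings.append(Finding("NO_LEGAL_BASIS", svc, "purpose stated without a legal basis (Art. 13(1)(c))"))
        retention = d.retention.strip().lower()
        if not retention or any(p in retention for p in VAGUE_RETENTION_PHRASES):
            findings.append(Finding("VAGUE_RETENTION", svc, "no specific period or criteria (Art. 13(2)(a))"))
        if d.transfer_location not in EEA_LOCATIONS and not d.safeguard.strip():
            findings.append(Finding("NO_TRANSFER_SAFEGUARD", svc,
                                    f"transfer to {d.transfer_location} without a stated safeguard (Art. 13(1)(f))"))
    return findings, unknown_hosts


# Constructed sample of the policy's current disclosure register, seeded with
# one of each mistake so the report below shows every finding type.
SAMPLE_DISCLOSURES = [
    Disclosure("Google Analytics 4", "Website analytics", "Consent (Art. 6(1)(a))", "14 months", "US", "DPF"),
    Disclosure("Hotjar", "Session recordings", "", "12 months", "EU"),
    Disclosure("Stripe", "Payment processing", "Contract (Art. 6(1)(b))", "as long as necessary", "US"),
    Disclosure("Mailchimp", "Newsletter", "Consent (Art. 6(1)(a))", "Until unsubscribe", "US", "DPF"),
]


def sample_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(OBSERVED_HOSTS, SERVICE_CATALOGUE, SAMPLE_DISCLOSURES)


if __name__ == "__main__":
    findings, unknown = sample_report()
    for f in findings:
        print(f"{f.code:<22} {f.service:<20} {f.detail}")
    for h in unknown:
        print(f"{'UNKNOWN_HOST':<22} {h:<20} not in catalogue; classify, then disclose or remove")
```

Run it after each scan (or in CI for the site's deployment pipeline) and treat any `UNDISCLOSED`, `NO_LEGAL_BASIS` or `NO_TRANSFER_SAFEGUARD` finding as a blocker: those map directly to the Art. 13 omissions a DPA would cite. `STALE` and `UNKNOWN_HOST` are review items rather than violations on their own, since a service may be loaded conditionally (for example only after consent) and not appear in a single crawl.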
## International Data Transfers
Any third-party service that processes data outside the EEA triggers Chapter V obligations. Your privacy policy must:
- Identify the transfer destination (country or region)
- State the safeguard mechanism (adequacy decision, SCCs, binding corporate rules, etc.)
- Provide information on how to obtain a copy of the safeguards (or where they are available)
### EU-US Data Privacy Framework
Since July 2023, transfers to US companies certified under the EU-US Data Privacy Framework (DPF) are covered by an adequacy decision. However:
- Only companies that have self-certified are covered (check the DPF list)
- The DPF could be challenged in court (as its predecessors Safe Harbor and Privacy Shield were)
- Best practice: use SCCs alongside the DPF as a fallback
## Automated Decision-Making and Profiling
If your website uses automated decision-making that produces legal or similarly significant effects (Art. 22), your privacy policy must include:
- The existence of such processing
- Meaningful information about the logic involved
- The significance and envisaged consequences for the data subject
- The right to human intervention, to express their point of view, and to contest the decision
Common examples: credit scoring, automated loan decisions, algorithmic pricing based on user profiling.
## How Often to Update
| Trigger | Action Required |
|---|---|
| Adding a new third-party service | Update privacy policy to disclose the service, data processed, and legal basis |
| Changing a processor or sub-processor | Update recipients/transfers section |
| New legal basis for existing processing | Update the relevant section |
| Regulatory changes (new DPA guidance, CJEU ruling) | Review and adjust as needed |
| Periodic review (recommended: quarterly) | Verify accuracy of all disclosures |
## Privacy Policy Generator Comparison
| Tool | Free Tier | GDPR Art. 13/14 Coverage | Auto-Update | Cookie Scan Integration | Languages |
|---|---|---|---|---|---|
| Compliso | Yes (with plan) | Full | Yes (scan-based) | Built-in | DE, EN |
| iubenda | Limited | Full | Partial | Third-party | 10+ |
| Termly | Limited | Good | No | Third-party | EN, DE, FR |
| Datenschutz-Generator.de | Yes | Full (DE law) | No | No | DE only |
| PrivacyPolicies.com | Limited | Basic | No | No | EN |
## Compliance Checklist
- Privacy policy contains all Art. 13 mandatory disclosures (see table above)
- Each processing activity states both purpose and legal basis
- All third-party services are disclosed with data types and transfer locations
- Retention periods are specific (not “as long as necessary”)
- International transfer safeguards are identified (SCCs, adequacy, DPF)
- Data subject rights are listed with instructions for exercising them
- Supervisory authority contact information is provided
- Privacy policy is accessible from every page (footer link)
- Language is clear and plain (Art. 12 requirement)
- Policy is reviewed and updated at least quarterly
- Cookie scan results are reflected in the privacy policy’s cookie section
- Automated decision-making disclosures are included (if applicable)
## Generate Your Privacy Policy With Compliso
Compliso’s content generator creates privacy policies based on your actual website configuration. The scanner detects which cookies, trackers, and third-party services are active, and the generator produces a tailored policy that covers all Art. 13/14 requirements.
When your website changes — new services, updated processors, different cookies — rescan and regenerate. No manual editing, no outdated disclosures.
Scan your website to see what your privacy policy should include, or create your account to generate one now.