A GDPR privacy notice is not a legal formality to be filed and forgotten. It is a live document that must accurately describe how you process personal data — and it must be readable by the people it is written for. Most privacy notices fail on at least one of these dimensions.
This article covers exactly what must be in a GDPR-compliant privacy notice, and how to write one that works.
What a Privacy Notice Must Include
GDPR Articles 13 and 14 specify the required content. Article 13 covers data collected directly from the individual (web forms, accounts, purchases). Article 14 covers data obtained from third parties (purchased lists, data brokers, social media).
For most companies, Article 13 is the primary obligation.
Required Elements
1. Identity and contact details of the controller
Your company name, registered address, and how to contact you. If you have a DPO, include their contact details separately.
2. Purposes and legal bases for processing
For each processing purpose, state:
- What the purpose is ("to fulfil your order", "to send you marketing emails", "to detect fraud")
- The lawful basis under Article 6 (consent, contract, legitimate interest, legal obligation, etc.)
- If you rely on legitimate interest, describe what that interest is
3. Categories of personal data processed
What data you collect — names, email addresses, payment details, browsing data, location data, etc. Be specific enough to be meaningful.
4. Recipients or categories of recipients
Who you share data with. This includes: payment processors, email marketing providers, analytics tools, cloud hosting providers, customer support platforms. You can describe categories ("cloud service providers") rather than naming every vendor, but the description must be meaningful.
5. International transfers
If personal data is transferred outside the EEA, state: which countries, and what mechanism ensures adequate protection (adequacy decision, standard contractual clauses, binding corporate rules). This must cover every US vendor you use (AWS, Google, Stripe, HubSpot, etc.).
6. Retention periods
How long you keep each category of data, or the criteria used to determine retention. "We keep data for as long as necessary" is not compliant. Specific periods or specific criteria are required.
7. Data subject rights
A clear statement of all rights:
- Right to access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent (if consent is relied on)
And how to exercise each right.
8. Right to lodge a complaint
Data subjects must be informed that they have the right to complain to a supervisory authority — with the supervisory authority identified (the DPA in your member state).
9. Automated decision-making (if applicable)
If you make automated decisions with legal or significant effects, describe: that this happens, the logic involved, and the right to request human review.
Layered Privacy Notices
A single document covering all of the above elements will be long. The EDPB recommends a layered approach:
- Layer 1 (short notice): Key information at the point of collection — usually a brief statement near a form with a link to the full notice
- Layer 2 (full notice): Complete details covering all required elements
This keeps the user experience manageable while meeting legal requirements.
Common Privacy Notice Failures
Vague legal bases. "We process your data to improve our services" is a purpose, not a lawful basis. The basis must be one of those listed in Article 6 — and where legitimate interest is claimed, the interest itself must be described.
Missing transfer information. Many privacy notices omit international transfers entirely or describe them vaguely. Every SaaS company using US-based cloud services must address this specifically.
No retention periods. Generic statements about keeping data "as long as necessary" fail the requirement. Specific periods or criteria are required.
Wrong reading level. Supervisory authorities have fined companies for privacy notices that are deliberately complex or written in legalese. The notice must be written "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
Never updated. A privacy notice from 2021 that does not mention AI systems introduced in 2023, new sub-processors, or changed processing activities is inaccurate and non-compliant. Review it at minimum annually.
Privacy Notice Template Structure
Privacy Notice
Last updated: [date]
1. Who we are
[Company name], [address], [contact email]
DPO contact (if applicable): [email]
2. What data we collect and why
[Processing purpose] — [Data categories] — [Lawful basis]
[Processing purpose] — [Data categories] — [Lawful basis]
...
3. Who we share your data with
[Category of recipient] — [Purpose] — [Location / transfer mechanism]
...
4. International transfers
We transfer personal data to: [countries]. We do this using [SCCs / adequacy / DPF].
5. How long we keep your data
[Data type]: [retention period / deletion criteria]
...
6. Your rights
You have the right to: [list all rights]
To exercise your rights, contact: [email / link]
7. Complaints
You have the right to complain to [supervisory authority name] at [link].
8. Automated decision-making
[If applicable — describe logic and rights]