GDPR Privacy Policy Checklist: 15 Things Your Policy Must Include (2026)

Your privacy policy must clearly state who is responsible for processing personal data. This means the full legal name of your organization, a physical address, and a reliable contact method (email or phone). If you operate through a subsidiary, you must identify the specific entity that acts as the data controller.

Avoid vague language like "we" or "the company" without first defining exactly who that refers to. Regulators expect transparency from the very first paragraph.

If your organization is required to appoint a Data Protection Officer (DPO), you must provide their contact details. A DPO is mandatory if you are a public authority, if your core activities involve large-scale systematic monitoring of individuals, or if you process special categories of data at scale (health data, biometric data, etc.).

Even if a DPO is not legally required, listing a dedicated privacy contact shows good faith and gives users a clear point of contact for data-related questions.

List every category of personal data you collect. Be specific. Instead of saying "we collect personal information," itemize the actual data: names, email addresses, IP addresses, device identifiers, location data, payment information, browsing history, etc.

Do not forget data collected indirectly. Server logs capture IP addresses. Analytics tools track page views and session data. Embedded fonts, videos, and social widgets send data to third parties. All of this must be disclosed.

For each type of data processing, you must state the legal basis under GDPR Article 6. The six lawful bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.

Most websites rely on consent (for marketing emails, cookies) and legitimate interests (for basic analytics, security). If you rely on legitimate interests, you must describe what those interests are. Simply stating "legitimate interests" without explanation is insufficient.

Explain why you collect each type of data. Purposes might include: processing orders, sending newsletters, improving user experience, preventing fraud, personalizing content, or complying with legal obligations.

Each purpose must be linked to a specific legal basis. You cannot collect data "just in case" or for undefined future uses. The GDPR's data minimization principle requires you to collect only what is necessary for stated purposes.

State how long you keep each type of personal data, or the criteria used to determine retention periods. For example: "We retain account data for as long as your account is active and for 30 days after deletion. Transaction records are kept for 7 years to comply with tax regulations."

If you cannot specify exact periods, explain the criteria: "Data is retained for as long as necessary to fulfill the purposes described in this policy." However, the more specific you can be, the better.

Inform users that they have the right to request a copy of their personal data (access), correct inaccurate data (rectification), and request deletion of their data (erasure, also known as the "right to be forgotten").

Provide clear instructions on how to exercise these rights. Include a dedicated email address, a link to a request form, or a self-service dashboard. Specify your expected response time (the GDPR requires a response within 30 days).

Users have the right to receive their personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON). They can also request that you transmit this data directly to another controller where technically feasible.

This right applies when processing is based on consent or contract performance and is carried out by automated means. Explain how users can request their data export.

Users can object to the processing of their personal data when processing is based on legitimate interests or performed for direct marketing purposes. When a user objects to direct marketing, you must stop processing immediately — there are no exceptions.

For legitimate-interest objections, you can continue processing only if you demonstrate compelling legitimate grounds that override the user's rights. Your privacy policy must inform users of this right clearly and separately from other rights.

If any of your processing activities rely on consent as the legal basis, you must tell users they can withdraw their consent at any time. Withdrawing consent must be as easy as giving it — if a user subscribed with one click, they should be able to unsubscribe with one click.

State clearly that withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

If you use automated decision-making or profiling that produces legal effects or similarly significant effects on users, you must disclose this. Examples include automated credit scoring, algorithmic hiring decisions, or dynamic pricing based on user profiles.

Provide meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing. Users have the right not to be subject to solely automated decisions and can request human intervention.

If personal data is transferred outside the European Economic Area (EEA), you must disclose this and explain the safeguards in place. Common mechanisms include EU-US Data Privacy Framework certification, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).

Name the countries or regions where data is transferred. If you use cloud hosting in the US (AWS, Google Cloud, Azure) or third-party tools based outside the EEA, these are international transfers that must be disclosed.

List the categories of third parties with whom you share personal data. This includes payment processors (Stripe, PayPal), analytics providers (Google Analytics), advertising networks, email service providers (Mailchimp, SendGrid), hosting providers, and customer support tools.

For each category, explain what data is shared, why it is shared, and the legal basis for sharing. If possible, name specific providers or link to their privacy policies.

Explain what cookies and similar tracking technologies your site uses. Categorize them: strictly necessary cookies, performance/analytics cookies, functionality cookies, and targeting/advertising cookies.

Under the ePrivacy Directive (which works alongside the GDPR), you must obtain consent before placing non-essential cookies. Your privacy policy should describe your cookie consent mechanism and how users can manage or withdraw cookie consent. You may include this as a separate cookie policy section or a standalone page linked from the main policy.

Every GDPR-compliant privacy policy must tell users they have the right to lodge a complaint with a data protection supervisory authority. This is typically the authority in the EU member state where the user resides, where they work, or where the alleged infringement occurred.

Best practice: name the specific authority relevant to your organization (e.g., the ICO in the UK, CNIL in France, BfDI in Germany) and provide a link to their complaint page. This demonstrates transparency and makes it easy for users to take action if needed.