What is a GDPR compliant privacy policy?

As you may be aware, there has recently been a significant development in privacy law with the introduction of the General Data Protection Regulation (GDPR) in May 2018. We have received an overwhelming number of inquiries regarding the applicability of the GDPR to businesses collecting ‘personal data’, particularly from those who may be collecting personal data from individuals in the European Union.

Recently, France’s data protection regulator, CNIL, issued Google a €50 million fine for failing to comply with its GDPR obligations. Accordingly, it may be a good idea for your business to consider conducting a review of its privacy policy and data handling practices.

What is a GDPR privacy policy?

Article 24 of the GDPR states that data controllers must implement “appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation”, which “shall include the implementation of appropriate data protection policies by the controller”.

This legal requirement means that every organisation which is bound by the GDPR and which processes personal data should have a data protection policy that complies with the rules set out in the GDPR.

Having a GDPR compliant privacy policy is essential to demonstrate to your customers, and to the authorities, that you take data protection seriously.

What does a GDPR compliant privacy policy say?

Under the GDPR, your business is required to have a comprehensive yet easy-to-understand privacy policy and make it accessible to your customers.

Article 5 of the GDPR contains six guiding principles by which all personal data must be processed:

  1. Lawfulness, transparency and fairness;
  2. Purpose limitation (data should be collected for specified, explicit and legitimate purposes only);
  3. Data limitation (collection of personal data should be limited to what is necessary);
  4. Accuracy (every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay);
  5. Storage limitation (storage of personal data should be no longer than is necessary);
  6. Integrity and confidentiality (protection against unauthorised or unlawful processing and against accidental loss, destruction or damage of personal data).

A GDPR compliant privacy policy should therefore set out how your business will comply with these principles. There is, unfortunately, no one-size-fits-all approach. The GDPR privacy policy used by your business needs to be specifically tailored to your business’s circumstances, the types of personal data you collect and your risk assessments.

As a starting point, we recommend that your privacy policy should be a high-level document which includes the following sections:

  • topics covered by the privacy policy;
  • the types of personal data you collect;
  • how you collect and use personal data (or sensitive information if relevant);
  • how you share or disclose personal data;
  • how you retain and destroy personal data;
  • how your customers can manage their personal data;
  • how you deal with data security, data transfers and third-party links;
  • how you administer changes to the privacy policy;
  • how your customers can contact you to give feedback or submit complaints (including details of your business’ Data Protection Officer), and how you deal with any such complaint.
Final point about consent

The GDPR requires businesses to give a legal basis for processing their customers’ personal data. Consent is one of the six legal bases for processing personal data as provided by the GDPR.

A customer’s consent to your business’ processing of their personal data “should be freely given, specific, informed and unambiguous”, noting that “silence, pre-ticked boxes or inactivity should not constitute consent” (GDPR Recital 32). In other words, consent is only freely given if the customer provides it voluntarily and actively. Google incurred the fine from CNIL because it failed to provide enough information to users about its data consent policies and did not give them enough control over how their information is used.

We recommend that you use clear opt-in checkboxes (never pre-ticked), active ‘Agree’ buttons and clickwrap to help make sure you obtain adequate affirmative consent from customers, bearing in mind that you must also include a reference to your customers’ right to withdraw consent in the privacy policy.

If you are unsure whether your privacy policy is GDPR compliant, or require a thorough review of your data handling practices, our team can assist.

This article was written by Commercial and Tech Lawyer Zuong Dang.

marshalls+dent+wilmoth lawyers can assist you to navigate the changing business and technology landscape. Please do not hesitate to contact us on (03) 9670 5000.

DISCLAIMER: We accept no responsibility for any action taken after reading this article. This is a guide to give you a better understanding of the GDPR only and is not a substitute for the expert legal advice you can get from marshalls+dent+wilmoth and other relevant experts.