What is a Privacy Policy?

The privacy policy of an organisation is a legal statement that states the purpose of collection and use of personal data by an organisation. The purpose of the privacy policy is to ensure transparency by disclosing certain information and to obtain the informed consent of the users whose personal data is being collected.

The importance of a privacy policy

The right to privacy and data protection is the hallmark of a democratic society.

Ever since GDPR came into force, organisations are becoming more aware of the rights of individuals. Businesses that collect and use personal data need to be clear about their motives.

The privacy policy is an essential requirement within an organisation. Organisations are now required to ensure that their data collection practices are compliant under GDPR.

An organisation with no privacy policy is non-compliant with Article 13 and 14 of the GDPR; hence, it could face legal action.

gdpr policy

Why do you need a privacy policy?

Nowadays, organisations collect a whole range of personal information, both personal and non-personal.

The data items, for example, names, addresses, email addresses, contact information etc. satisfy the definition of personal data and hence fall under the scope of GDPR.

If you are operating your business within the EU and have clients, users or members in the EU, you must comply with provisions of the GDPR to avoid violations of the law.

The GDPR requires companies to be transparent. They must ensure what they do with this data, how the data is gathered and make sure that it is processed in a fair and transparent manner.

It is imperative to publish a privacy policy so that visitors and users of the website can make an informed decision while providing their personal data.

What should a GDPR compliant privacy policy cover on a website?

The GDPR has created a whole range of privacy rights and protections for individuals and consequently organisations are obliged to become compliant or face legal action.

What, When and How of such policy


You need to assess your data processing operations and decide on the following crucial factors forming the heart of a privacy policy as laid out in Article 13 and 14 of the GDPR.

  1. The identity and contact details of your organisation
  2. The identity and contact details of your Data Protection Officer, if you have one
  3. The categories of personal data involved
  4. The purpose of processing each category of personal data
  5. The legal bases for each stated legal purpose
  6. If you rely on “legitimate interest” as the lawful basis of processing, clearly state those legitimate interests.
  7. The fact that you share or intend to share personal data with other entities, or affiliate organisations in your group
  8. The likely retention period of the data
  9. The existence of the rights of data subjects and how they can exercise their rights
  10. If you rely on “consent” as the legal basis of processing, the existence of the right to withdraw consent at any time
  11. Whether you use personal data for profiling and automated decision making. Provide detailed reasons behind such processes, and their importance and consequences.
  12. The clarity in the personal data of children, how the consent will be taken.
  13. Explicitly state the use of third-party website links.
  14. The detail information regarding cookies, in case used on your website. How it works and what information is extracted.
  15. Clear advice to the data subjects about the “right to complain” to the Data Protection Authority.
gdpr policy


Article 13(1) and (2) of the GDPR states that the data controllers must publish the necessary information at the time the data is collect.

In the case of a website, the visitors must be able to easily access and comprehend the privacy policy before you ask them to provide any personal information.

You need to regularly update your privacy policy if any change happens in the scope and extent of your data processing activity, for example:

  • Categories of personal data expand to include more data items and/or include the gathering of special categories of personal data.
  • If you find out that the information is in use for an unanticipated, unintended purpose
  • You intend to share data with third-party users
  • You intend to transfer personal data outside the EU
  • You employ a third party data processor


Organisations should understand the importance of having a privacy policy:

  • Transparency
  • Easy to understand
  • Concise and clear use of language
  • Easily accessible
  • Free of charge
  • Adopting a clear strategy for communication between parties
  • Avoiding the use of false or misleading information

What to do now?

  • Firstly, Organisations should understand the importance of having a privacy policy.
  • Secondly, If you do not have a privacy policy, we strongly advice you to put one in place. Evaluate your data processing operations and draw up a GDPR compliant privacy policy.
  • Thirdly, If you have a privacy policy, review and update it accordingly.
  • Fourthly, Ensure that you are compliant with the requirements of Article 12, 13 and 14 of the GDPR.
  • Refer to “What, When and How” section of this article for detailed guidance.

Seers also provides expert advice, GDPR consultation and guidance in drafting custom privacy policies. So, If you need assistance in this regard then feel free to contact us.