Privacy Policy – What It Must Contain and How to Write It

Apr 15, 2026 | GDPR and iGDPR guides for practitioners and beginners

A privacy policy is one of those documents that most companies have — but which rarely serves its actual purpose. The most common scenario: the website owner copied a template from the internet, changed the company name, and published it. The document describes data processing that doesn’t exist in the company, omits processing that actually takes place, and is written in language only a lawyer can understand.

The Polish supervisory authority UODO increasingly verifies privacy policies during inspections — and increasingly finds that they do not meet the requirements of Articles 13 and 14 of the GDPR. The problem is not the absence of a document. It is the absence of substance.

What Is a Privacy Policy and Who Needs One

A privacy policy is the practical implementation of the information obligation under Article 13 GDPR — the obligation to inform a natural person about how their data is being processed, at the time of collection.

Every website that collects personal data — through a contact form, newsletter sign-up, shop, account registration, or analytics — has an obligation to fulfil this requirement. A privacy policy is the most convenient way to do so, but not the only one — the information obligation can also be fulfilled directly at each individual form.

What a Privacy Policy Must Contain — Mandatory Elements

Article 13 GDPR specifies what information the controller must provide to the data subject when collecting their data:

1. Identity and contact details of the controller — full company name, registered address, contact details. If a DPO has been appointed — their contact details.

2. Purposes and legal bases for processing — for each purpose separately. It is not sufficient to state generally that “data is processed for marketing purposes” — each specific purpose and legal basis under Article 6 GDPR must be identified (consent, contract performance, legal obligation, legitimate interest).

3. Legitimate interests — if the legal basis is the legitimate interest of the controller (Article 6(1)(f) GDPR), those interests must be specified.

4. Recipients of data — to whom data is transferred or who has access to it. Individual names are not required — categories of recipients are sufficient (e.g. IT service providers, accounting firm, courier company).

5. Transfers outside the EEA — if data is transferred to third countries (e.g. through Google Analytics, Facebook Pixel, or SaaS tools with servers outside the EU) — this must be stated along with the applicable transfer mechanism.

6. Retention period — how long data will be stored, or the criteria used to determine that period.

7. Rights of data subjects — right of access, rectification, erasure, restriction of processing, data portability, objection, and — where consent is the legal basis — the right to withdraw consent at any time.

8. Right to lodge a complaint — information about the right to lodge a complaint with the supervisory authority (in Poland: the President of the UODO).

9. Voluntariness of providing data — whether providing data is a contractual or statutory requirement, whether it is voluntary, and what the consequences of not providing it are.

10. Automated decision-making and profiling — if the controller uses profiling or automated decision-making with legal effects, this must be disclosed.

Most Common Mistakes in Privacy Policies

A template that does not reflect reality. A privacy policy must describe the actual data processing activities in the specific organisation — not a generic description of what might occur. If the company uses Mailchimp, Google Analytics, and a CRM system — the policy should reflect this.

Missing specific legal bases. Stating that “data is processed in accordance with the GDPR” is not sufficient to fulfil the information obligation. For each purpose, a specific legal basis under Article 6 GDPR must be identified.

No mention of transfers outside the EEA. Most websites use tools whose servers are outside the European Union — Google, Meta, HubSpot, Mailchimp, Stripe. Each such transfer must be described in the privacy policy.

Unrealistic retention periods. Stating that “data is stored for the period necessary to fulfil the purposes” without any further specification does not meet the requirements of Article 13. A specific period or the criteria for determining it must be stated.

Legal language incomprehensible to the average user. The GDPR requires that information be provided in a concise, transparent, and intelligible form — using clear and plain language. A policy written in impenetrable legal jargon does not fulfil this requirement.

Failure to update. A privacy policy must be kept up to date — whenever the scope of processing changes, a new vendor is added, or the purpose or legal basis changes.

How to Write a Good Privacy Policy — Practical Tips

Start by mapping reality. Before writing the policy, answer these questions: what data do you collect and through which forms? What external tools do you use? To whom do you transfer data? How long do you store it? The policy should describe reality — not a template.

Write for the user, not the lawyer. Instead of “processing takes place on the basis of Article 6(1)(b) of Regulation 2016/679”, write “we process your data to fulfil the order you placed”. Both versions can be legally correct — but only one is intelligible.

Structure by processing purpose. Instead of one long list of mandatory elements — describe each processing purpose separately: what you collect, why, on what basis, for how long, to whom you transfer it. This is much easier to understand and verify.

Address cookies separately. A privacy policy and a cookie policy are two separate documents — or at least two separate sections. Cookies have their own specifics and their own legal requirements.

Update regularly. Establish who in the organisation is responsible for updating the policy and when it should be reviewed — e.g. whenever tools change, or as a standard annual review.

Where to Place the Privacy Policy

The privacy policy should be easily accessible — a link in the website footer is the minimum. At every form collecting data there should be a reference to the privacy policy or a direct information notice.

Under GDPR, the information must be provided before or at the time of data collection — not afterwards.

Summary

A privacy policy is the implementation of the information obligation under Article 13 GDPR — not a box-ticking exercise. It must describe the actual data processing in the specific organisation, be written in clear language, and be updated when the scope of processing changes. Key elements: controller identity, purposes and legal bases for each purpose separately, recipients, transfers outside the EEA, retention periods, rights of data subjects.

FAQ

Is a privacy policy mandatory?

There is no provision that specifically requires a document called a “privacy policy” — but Article 13 GDPR imposes an information obligation that must be fulfilled. A privacy policy is the most practical way to fulfil this obligation on a website.

Can I copy a privacy policy from another website?

Technically possible — but in practice, a policy copied from another website describes the processing of a different organisation, not yours. Such a policy does not fulfil the information obligation and risks misleading users.

How often should the privacy policy be updated?

Whenever there is a change that affects the scope of processing — a new tool, a new purpose, a new processor. As a minimum — review once a year.

Does the privacy policy need to be translated into the languages of the markets served?

If the website targets users from other EU countries — yes, the information obligation should be fulfilled in the language of the data subject.

What is the difference between a privacy policy and a cookie policy?

A privacy policy fulfils the information obligation under Article 13 GDPR regarding all personal data. A cookie policy describes in detail which cookies are used, for what purpose, and by whom. In practice, they are often combined in a single document.

Information notices for every processing activity — in one system

iGDPR generates information notices based on data from the record of processing activities. Change a process — update the notice. No copying templates. See how it works in practice.
