GDPR · Updated 20 Jun 2026 · 5 min read

Free GDPR Privacy Policy (Notice) Template + Customization Tips

A privacy notice is your public-facing GDPR transparency obligation under Articles 13–14 — it tells people how you use their data. This free template covers everything a regulator expects. Tailor the [Customize] points and publish it on your website.

Any organization that processes personal data of people in the EU/EEA (websites, SaaS products, employers) needs a privacy notice. It's one of the most visible signs of GDPR compliance.

Template

Privacy Notice

GDPR — Articles 13–14

1. Who we are

[Company Name] ("we") is the data controller for the personal data described in this notice. You can contact us at [contact email]. [If applicable, name your Data Protection Officer and contact details.]

2. What data we collect

We collect: [list categories, e.g. name, email, account details, usage data, payment information]. We collect it when you [e.g. create an account, contact us, use our service].

3. Why we use it and our lawful basis

We use your data to [e.g. provide and secure our service, handle billing, respond to enquiries]. Our lawful bases are [e.g. performance of a contract, legitimate interests, consent], depending on the purpose.

4. Sharing and international transfers

We share data only with service providers needed to run our service (e.g. hosting, payment processing). Where data is transferred outside the EU/EEA, we use appropriate safeguards such as Standard Contractual Clauses. We do not sell your data.

5. Retention

We keep personal data only as long as necessary for the purposes above and to meet legal obligations: [summarise key retention periods]. We then delete or anonymise it.

6. Your rights

You have the right to access, rectify, erase, restrict and port your data, and to object to certain processing. To exercise these rights, contact us at [contact email]. You may also complain to your local supervisory authority (in Ireland, the Data Protection Commission).

✎ Highlighted items are placeholders — replace them with your organization's details.

How to customize this template

  • Be specific and truthful about the data you collect and why — vague notices erode trust and fail audits.
  • State the correct lawful basis per purpose; don't default everything to 'consent'.
  • List your real sub-processors (hosting, analytics, payments) and keep the list current.
  • Give a concrete way to exercise rights and respond within statutory timeframes (usually one month).
  • Keep it in plain language — Article 12 requires it to be concise and intelligible.

What an auditor looks for

  • Does the notice cover all Article 13–14 elements (identity, purposes, lawful basis, recipients, transfers, retention, rights)?
  • Is it written in plain, accessible language?
  • Is it easy to find (e.g. linked in the website footer)?
  • Does it match your actual processing (the ROPA)?

Frequently asked questions

What's the difference between a privacy policy and a privacy notice?

They're used interchangeably. Under GDPR the formal term is a 'privacy notice' — the transparency information you give data subjects under Articles 13–14.

Do I need a DPO?

Only in specific cases (public authority, large-scale monitoring, or large-scale special-category processing). If it applies, name the DPO in the notice.

Is a privacy notice enough for GDPR compliance?

No — it's the public part. You also need internal records (a ROPA), a data subject rights process, a breach procedure and a retention policy.