
Privacy policy

A privacy policy transparently informs website visitors, in a concise and easily accessible form, which personal data is processed for which purposes, on which legal basis and for how long, and which rights the data subjects can exercise.

The privacy policy is the central instrument through which a controller fulfils its information obligations under Articles 13 and 14 GDPR towards data subjects. It must be provided at the time data is collected, in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Art. 12(1) GDPR). On a website this is typically achieved through a permanently available link reachable from every subpage, which must not be hidden behind several clicks or a consent banner.

Mandatory content includes the name and contact details of the controller, where applicable the contact details of the data protection officer, the purposes and the respective legal basis of each processing activity (Art. 6 GDPR), the specific legitimate interest where processing relies on it, the recipients or categories of recipients, any third-country transfers together with the safeguards, the storage period or the criteria for it, and a complete explanation of data subject rights (access, rectification, erasure, restriction, data portability, objection and the right to lodge a complaint with a supervisory authority). It must also address cookies and tracking, whether providing the data is mandatory or voluntary, and any automated decision-making including profiling.

A compliant privacy policy is not a static document: it must reflect the actual processing activities and be updated whenever the services used, the processors engaged or the purposes change. It should be structured by processing activity and correspond to the record of processing activities. Incorrect, incomplete or outdated policies constitute a breach of the transparency and information obligations, which is subject to fines under Art. 83(5) GDPR and is also a frequent subject of unfair-competition warnings.

Legal Basis

Art. 12, Art. 13 and Art. 14 GDPR (in conjunction with Art. 5(1)(a) and Art. 6 GDPR); for cookies and access to terminal equipment additionally Section 25 TDDDG (German Telecommunications Digital Services Data Protection Act)

Practical Example

A mid-sized company relaunches its website and newly integrates a contact form, Google Analytics and a newsletter service from a US provider. The data protection coordinator reconciles each of these processing activities with the record of processing activities and extends the privacy policy to cover the respective purposes, legal bases (consent for analytics and newsletter, legitimate interest for the form), retention periods, the third-country transfer with standard contractual clauses, and a complete explanation of data subject rights. Before go-live they verify that the footer link is reachable from every page and accessible before any non-essential cookies are set.

FAQ

Mandatory information includes the identity and contact details of the controller and, where applicable, those of the data protection officer, the processing purposes and legal bases, recipients, third-country transfers, the storage period and a complete explanation of data subject rights. Where processing relies on a legitimate interest, this must be specifically named, and the right to lodge a complaint with the supervisory authority must be mentioned.

It must be provided at the time data is collected, in a concise, transparent and easily accessible form. On a website this is achieved through a link reachable from every page, which must already be accessible before any non-essential cookies are set.

An incomplete or outdated privacy policy breaches the information and transparency obligations and can be sanctioned with fines under Art. 83(5) GDPR. In addition, unfair-competition warnings and claims for damages from affected data subjects may arise.
