GDPR Privacy Policy Requirements: The Complete Checklist
Everything your privacy policy must include to comply with GDPR. A clause-by-clause breakdown with the fines you risk by getting it wrong.
The General Data Protection Regulation (GDPR) is the world’s most comprehensive data privacy law. It applies to businesses established in the EU/EEA, and to businesses anywhere else that offer goods or services to people in the EU/EEA or monitor their behaviour (Article 3). The UK retains an almost identical version, the UK GDPR, which is enforced separately. In practice this means that if you market to, sell to, or track visitors from Germany, GDPR applies to that processing wherever your company is based.
Getting your privacy policy wrong under GDPR is not a minor issue. Fines can reach €20 million or 4% of global annual turnover, whichever is higher. In 2025 alone, EU regulators issued over €2 billion in GDPR fines.
The GDPR Privacy Policy Checklist
Articles 13 and 14 of GDPR specify exactly what information must be provided to data subjects: Article 13 when you collect the data from the person directly (a signup form, a checkout), Article 14 when you obtain it from somewhere else (a data broker, a partner, public sources). Here is every mandatory element:
1. Identity and Contact Details of the Data Controller
Your privacy policy must clearly state who is responsible for the data. This means your business name, registered address, and contact information. If you have a Data Protection Officer (DPO), their contact details must also be included. If you are based outside the EU and have appointed an EU representative under Article 27, the representative’s contact details must be listed too.
2. Types of Personal Data Collected
List every category of personal data you collect. Be specific and exhaustive:
- Identity data: name, username, date of birth
- Contact data: email address, phone number, address
- Financial data: payment card details, bank account numbers
- Technical data: IP address, browser type, device information, operating system
- Usage data: pages visited, time spent, click patterns
- Marketing data: communication preferences, responses to surveys
3. Purposes of Processing
For each type of data, explain why you collect it. GDPR requires that each purpose is specific and not vague. Good examples:
- To process and fulfil your order
- To send you service-related communications
- To personalise your experience on our website based on your preferences
- To comply with our legal obligations under UK tax law
Bad example: “To improve our services.” This is too vague and would not satisfy GDPR requirements.
4. Lawful Basis for Processing
GDPR requires a legal basis for every processing activity. The six lawful bases are:
- Consent: The user gave a freely given, specific, informed and unambiguous indication of agreement by a clear affirmative action (e.g., ticking an unticked newsletter box). Explicit consent is the higher standard required for special category data such as health information.
- Contract: Processing is necessary to fulfil a contract (e.g., delivering a purchased product)
- Legal obligation: Required by law (e.g., tax records)
- Vital interests: Protecting someone’s life (rarely applicable online)
- Public task: For public authorities (rarely applicable to businesses)
- Legitimate interests: Your business has a legitimate reason that is not overridden by the individual’s rights (e.g., fraud prevention, direct marketing to existing customers). Article 13(1)(d) requires you to name the specific interest you are relying on, not just the basis.
Your privacy policy must state which lawful basis applies to each processing purpose. A single purpose can have only one basis, and you cannot swap to a different one later if the first turns out to be inconvenient.
5. Third-Party Recipients
List all third parties that receive personal data. Common categories for small businesses include:
- Payment processors (Stripe, PayPal)
- Analytics providers (Google Analytics, Plausible)
- Email marketing services (Mailchimp, ConvertKit)
- Cloud hosting providers (AWS, Vercel, Cloudflare)
- Customer support tools (Intercom, Zendesk)
- Advertising platforms (Google Ads, Meta) if applicable
6. International Data Transfers
If personal data is transferred outside the EU/EEA (or the UK, under UK GDPR), you must disclose this and explain the safeguards in place. For example, if you use US-based services like Stripe or AWS, state whether the recipient is certified under the EU-US Data Privacy Framework or whether you rely on Standard Contractual Clauses (SCCs); the Framework only covers organisations that have actually self-certified, so check the recipient’s status rather than assuming it. For transfers from the UK, the equivalent tools are the UK Extension to the Data Privacy Framework, the International Data Transfer Agreement (IDTA), or the UK Addendum to the SCCs.
7. Data Retention Periods
GDPR requires you to specify how long you keep each type of data or, where a fixed period is genuinely impossible, the criteria you use to decide (Article 13(2)(a)). Generic statements like “as long as necessary” are insufficient. Instead:
- Account data: retained while the account is active, deleted within 30 days of account closure
- Transaction records: retained for 6 years (UK tax law)
- Analytics data: anonymised after 26 months
- Marketing consent records: retained for 3 years
8. Data Subject Rights
GDPR grants individuals eight specific rights. Your policy must explain each one and how users can exercise them:
- Right to be informed — This privacy policy itself
- Right of access — Users can request a copy of their data
- Right to rectification — Users can correct inaccurate data
- Right to erasure — Users can request deletion of their data
- Right to restrict processing — Users can limit how their data is used
- Right to data portability — Users can receive their data in a portable format
- Right to object — Users can object to certain types of processing
- Rights related to automated decision-making — Users can obtain human intervention, express their point of view and contest a decision made solely by automated means
9. Right to Withdraw Consent
Where you rely on consent as your lawful basis, users must be able to withdraw it at any time, and withdrawing must be as easy as giving it (Article 7(3)). Your policy should explain how (e.g., unsubscribe link in emails, account settings page) and make clear that withdrawal does not affect processing that happened before it.
10. Right to Lodge a Complaint
You must inform users of their right to complain to a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). In the EU, each member state has its own Data Protection Authority, and a person may complain to the authority in the country where they live, work, or where the alleged infringement took place (Article 77).
11. Whether Data Provision Is a Requirement
Explain whether providing personal data is a contractual or statutory requirement, and the consequences of not providing it (e.g., “If you do not provide your email address, we cannot create your account”).
12. Automated Decision-Making and Profiling
If you use any solely automated decision-making (including profiling) that produces legal or similarly significant effects, you must disclose that it exists, give meaningful information about the logic involved, and explain the significance and envisaged consequences for the individual (Article 13(2)(f)).
Common GDPR Privacy Policy Mistakes
- Not listing a lawful basis for each processing purpose — this is a mandatory requirement
- Using pre-ticked consent boxes — GDPR requires a clear affirmative action, so silence, inactivity or a pre-ticked box does not count as consent
- Bundling consent — consent for marketing must be separate from consent for service, and a service cannot be made conditional on consent to processing that the service does not need
- Not mentioning cookies — non-essential cookies (analytics, marketing) require prior consent under the ePrivacy rules (PECR in the UK), and that consent must meet the GDPR standard, so your policy must describe them or link to a cookie policy that does
- Making the policy hard to find — it should be linked from every page and available before data collection begins
How to Create a GDPR-Compliant Privacy Policy
Creating a privacy policy that ticks every GDPR box is not trivial. You need to audit every data touchpoint in your business, identify the lawful basis for each, and present it all in clear, plain language.
LegalForge automates this process. Answer questions about your business — what data you collect, which services you use, which regions you serve — and AI generates a GDPR-compliant privacy policy tailored to your specific situation. Plus Terms of Service and Cookie Policy, all for a one-time £19 payment.