
How to create a privacy policy

Every website needs a privacy policy. It fulfils the information obligations under Art. 13 GDPR and explains which data is processed for what purpose and on what legal basis.

Sebastian Schenk

Table of contents

  1. Context: Why a privacy policy matters
  2. What is meant by a privacy policy?
  3. Who needs a privacy policy?
  4. What must a privacy policy include?
  5. How do I create a privacy policy for my website?
  6. Example of a text block
  7. Who may create a privacy policy?
  8. What happens if I do not have a privacy policy?
  9. Conclusion

Context: Why a privacy policy matters

Every website needs a privacy policy. It meets the information obligations under Art. 13 GDPR. The website operator uses it to inform visitors how personal data is collected, used, stored, and protected.

The privacy policy also states the purpose and legal basis for processing, and it must explain whether and how data is shared with recipients or transferred to a third country.

All services integrated on the website that process data must be included and described in detail. If a privacy policy is missing or inadequate, warning letters and substantial fines may follow.

Given the complexity and constantly changing factual and legal landscape, it is advisable to rely on tools or people with strong legal expertise when creating one.

What is meant by a privacy policy?

In the “privacy policy”, the website operator provides detailed information about how they handle personal data.

The name of the document can vary. Common alternatives include “data protection policy”, “data protection provisions”, “data protection and cookie policy”, or “Privacy Policy”.

Regardless of the name, the purpose remains the same: to inform about the processing of personal data.

Who needs a privacy policy?

Every website operator needs a privacy policy. This obligation arises from Art. 13 GDPR.

Even when a website is merely accessed, IP addresses are processed at a minimum. Since IP addresses count as personal data, the obligation to provide a privacy policy applies to every website operator.

The obligation applies not only to websites, but generally whenever personal data is processed.

What must a privacy policy include?

A privacy policy should be precise, transparent, easily accessible, and written in clear, plain language.

Typical mandatory information includes: the controller and contact details, the types and purposes of data processed, the legal basis, recipients of the data, retention periods, transfers to third countries, use of cookies/tracking technologies, the option to withdraw consent, and data subject rights (e.g. access, rectification, erasure).

How do I create a privacy policy for my website?

The complexity arises because the privacy policy must be tailored individually to all services and tools embedded on a website.

Practical approach: formulate mandatory information for the business, review the website’s functions and services, and create appropriate text blocks for each service (controller, purpose, legal basis, cookies, retention period, third-country transfer, recipients).

In addition: formulate data subject rights and ensure clear language.

It is important that the privacy policy always reflects the current legal situation and takes both case law and technological developments into account.

For non-experts, this is a demanding task; support from specialists or suitable tools is often worthwhile.

Example of a text block

Example (website builder): “We use the Website-Builder123 service to create our website. This service is provided by Website-Builder123 GmbH, Muster Straße 1, 12345 Musterstadt, Germany.”

“Website-Builder123 is a website builder platform. With this service, we can design our website according to our requirements.”

“Website-Builder123 uses cookies. These cookies are only set with consent and can be withdrawn at any time. The legal basis is Art. 6(1)(a) GDPR.”

“Otherwise, use is technically necessary to display our website. The legal basis is Art. 6(1)(f) GDPR.”

“Data is deleted as soon as it is no longer required for the purposes for which it was collected.”

Who may create a privacy policy?

There are generally no formal requirements regarding who may draft it.

In practice, creating one requires a high degree of accuracy, consideration of many factors, and an understanding of dynamic technical developments.

What happens if I do not have a privacy policy?

A missing or inadequate privacy policy can constitute a violation of applicable data protection rules and have serious consequences.

Fines of up to €20 million or 4% of worldwide annual turnover may be imposed – whichever is higher.

Conclusion

As soon as a website is operated, a privacy policy is required. It can in principle be created in-house, but it requires care and ongoing updates.

Using experts or automated solutions can provide legal certainty, save time, and reduce the risk of warnings and fines.

Author

Sebastian Schenk

Co-Founder & CEO

Lawyer and data protection officer. Drives product vision at simply Legal and ensures that Dieter is sound both legally and in practice.

This article reflects the position at the date of publication. We update our content when the law changes.
