What Is GDPR?
The General Data Protection Regulation (GDPR) is Europe's comprehensive privacy law that took effect on May 25, 2018. It applies to any organization that collects or processes personal data of EU residents, regardless of where the company is located.
GDPR establishes strict requirements for transparency, consent, and individual rights. Non-compliance can result in fines up to €20 million or 4% of annual global turnover.
Required Privacy Policy Disclosures
Under GDPR, your privacy policy must include:
GDPR Privacy Policy Checklist
- Identity of the data controller - Who is collecting the data (name, address, contact)
- Data Protection Officer contact - If applicable
- Purpose of processing - Why you collect data
- Legal basis for processing - Consent, contract, legitimate interest, etc.
- Data recipients - Third parties who receive data
- International transfers - If data leaves the EU
- Retention periods - How long data is kept
- User rights - All GDPR rights explained
- Right to withdraw consent - How to withdraw at any time
- Right to lodge complaint - With supervisory authority
- Cookie information - All cookie usage explained
Legal Bases for Processing
GDPR requires you to identify the legal basis for each type of data processing:
1. Consent
User has given clear consent. Must be:
- Freely given
- Specific and informed
- Unambiguous
- Easily withdrawable
2. Contract
Processing necessary for a contract with the individual.
3. Legal Obligation
Processing necessary to comply with the law.
4. Vital Interests
Processing necessary to protect someone's life.
5. Public Task
Processing necessary for official functions.
6. Legitimate Interests
Balancing test required. Must not override individual rights.
User Rights Under GDPR
Your privacy policy must explain these rights:
The 8 GDPR Rights
- Right to be informed - Transparency about data practices
- Right of access - Request copies of personal data
- Right to rectification - Correct inaccurate data
- Right to erasure - "Right to be forgotten"
- Right to restrict processing - Limit how data is used
- Right to data portability - Receive data in usable format
- Right to object - Stop certain processing
- Rights related to automated decision-making - Human intervention option
Cookie Consent Requirements
GDPR requires specific consent for cookies:
- No pre-checked boxes
- Clear explanation of cookie purposes
- Easy withdrawal of consent
- Separate consent for non-essential cookies
Analyze Your GDPR Compliance
Use PolicyLens to check if a privacy policy meets GDPR requirements.
Check Privacy Policy