freeprivacypolicy.app

GDPR complete guide: privacy policy requirements

Everything you need to know about GDPR privacy policies — without reading 88 articles of legal text.


What GDPR is, in one paragraph

The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU's privacy law. It applies to any organisation — anywhere in the world — that processes personal data of people in the EU. It defines six legal bases for processing, eight data subject rights, transparency obligations, security duties, and a fines regime up to 4% of global turnover. It came into force on 25 May 2018 and remains the global benchmark for privacy law.

Who has to comply

Article 3 says GDPR applies to (a) any controller or processor established in the EU, regardless of where the data is processed, and (b) any controller or processor outside the EU that offers goods or services to people in the EU or monitors their behaviour. "Monitoring" includes analytics cookies, ad pixels, and behaviour-based recommendation engines.

The six legal bases (Article 6)

  1. Consent — opt-in, freely given, specific, informed, unambiguous
  2. Contract — necessary to perform a contract with the user
  3. Legal obligation — required by EU or member-state law
  4. Vital interests — necessary to protect someone's life
  5. Public task — necessary for a task in the public interest or in the exercise of official authority
  6. Legitimate interests — your interest, balanced against the user's rights

Pick the right basis per processing purpose. Marketing emails → consent. Account login → contract. Server logs → legitimate interests. Tax records → legal obligation. The privacy policy must name the basis next to the purpose.

The eight data subject rights

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / "right to be forgotten" (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)
  • Right to withdraw consent (Article 7(3))

Your privacy policy must list each one and provide a contact channel. The response deadline is one month (Article 12(3)), extendable to three months for complex requests.

International transfers after Schrems II

The Court of Justice of the European Union invalidated the EU-US Privacy Shield in 2020. The replacement — the EU-US Data Privacy Framework — was adopted by the European Commission in July 2023 and is currently the safest basis for US transfers. For non-DPF transfers, use the 2021 Standard Contractual Clauses with a Transfer Impact Assessment.

Fines and enforcement

Two tiers under Article 83. Tier 1 (up to €10M or 2% of turnover) covers documentation, security, and DPO requirements. Tier 2 (up to €20M or 4% of turnover) covers consent, lawful basis, transfers, and data subject rights. Notable fines: Meta €1.2B (2023), Amazon €746M (2021), TikTok €345M (2023). For small operators, enforcement starts with corrective orders, not fines.

Ready to publish?

Answer six questions and get a hosted public URL that the App Store, Google Play, and ad networks accept. No credit card.


Frequently asked questions

Do I need a Data Protection Officer?

Required only if you (a) are a public authority, (b) carry out large-scale systematic monitoring, or (c) process special categories at scale. Most small SaaS do not need one.

How quickly must I respond to a data subject request?

One month from receipt, extendable to three months for complex requests. You must acknowledge the request within the first month either way.

When is a Data Protection Impact Assessment (DPIA) required?

For high-risk processing — large-scale profiling, special categories at scale, systematic monitoring of public spaces. Article 35 lists the triggers.
