Privacy policy
What is a privacy policy?
A privacy policy is a central element of data protection governance and plays a decisive role in meeting the requirements of the General Data Protection Regulation (GDPR). It enables individuals whose personal data are processed to understand the purposes of the processing and, beyond meeting a legal requirement, it can build trust by demonstrating transparency in the organisation’s data processing.
What does a privacy policy contain?
The primary purpose of a privacy policy is to inform individuals, clearly and accessibly, how their personal data are processed by the organisation. This includes which categories of personal data are collected, how they are used, stored and protected, and the rights available to data subjects.
The privacy policy provides visibility over the organisation’s processing activities—for example, the purposes for which personal data collected via a contact form or cookies are used. It clarifies the purposes of processing and the legal basis for each purpose. By providing this information, individuals gain insight into how their data are used.
Internally, the privacy policy also serves as guidance. It supports adherence to established data processing procedures, reducing the risk of inadvertent breaches of data protection law and helping to foster a culture of data protection across the organisation.
Continuous improvement
A privacy policy must meet a range of requirements under GDPR. Deficiencies in design can lead to legal risk such as administrative fines, complaints from data subjects or regulatory scrutiny. Regular, systematic review and improvement of the privacy policy is a sound way to reduce risks linked to poor data protection. A proactive and structured review makes it possible to identify and remedy potential shortcomings before they result in compliance issues, claims for damages or reputational harm.
By integrating the policy into day-to-day data protection work, the organisation strengthens its resilience to regulatory and operational risk and ensures that personal data are processed in line with applicable law and good practice. Below are common mistakes to avoid:
Common mistakes when drafting a privacy policy
- Overly complex language: using legal or technical terms without adapting to the audience, making the policy difficult to understand.
- Lack of clarity about purposes: failing to clearly set out the purposes of collecting and processing personal data.
- Incomplete information about rights: omitting key information on data subject rights under GDPR, for example the right to erasure.
- No stated contact point: not clearly providing contact details for the person or unit responsible for data protection matters.
- Infrequent updates: failing to review the policy regularly so that it reflects actual processing and current practice and law.
- Unclear retention periods: not specifying how long personal data are kept, which not only breaches transparency requirements but can also lead to excessive storage periods.
Design and implementation of a privacy policy
A GDPR lawyer from Morling Consulting can help organisations design and implement a privacy policy (also referred to as an integrity policy) that balances legal accuracy with readability and practical application.
A privacy policy is therefore more than a legal document. It is also:
- A key component of an organisation’s data protection programme,
- A tool for building trust with stakeholders, and
- A guide to responsible data processing.
Data are a valuable asset, and by publishing a transparent website privacy policy organisations demonstrate their commitment to privacy. That commitment can be a competitive advantage in a market where consumers and partners increasingly value responsible data management.
Frequently asked questions on privacy policy
All organisations and businesses that process personal data need a privacy policy, regardless of size or sector. This applies to companies, public bodies and non-profits if they collect information about individuals—such as customers, employees, users or other individuals. A website privacy policy is essential whenever data are collected online.
Without a clear and up-to-date privacy policy, an organisation risks failing to meet GDPR requirements. Consequences include reduced trust from customers, partners and employees, and increased risk of administrative fines in the event of supervision by the Data Protection Agency.
A correctly designed privacy policy should include, among other things:
- Which personal data are collected.
- The purposes of the processing.
- The legal basis for each processing activity.
- How long the data are retained.
- Who will have access to the data.
- Information about data subject rights.
- Contact details for the controller and the Data Protection Officer (where applicable).
The policy should be reviewed regularly—at least annually—or when there are significant changes in the business, such as launching new services that involve personal data processing or changes in legal requirements. A fixed review cadence for the privacy policy helps sustain GDPR compliance.
We provide legal advice to:
- Develop or update a privacy policy tailored to your operations.
- Ensure the policy meets the requirements of GDPR and the ePrivacy Directive.
- Translate the policy into internal procedures and training.
In practice, the terms are often used interchangeably. Both inform individuals how their personal data are processed. The term “privacy policy” is more legal in tone, while “integrity policy” may be perceived as more user-friendly. Regardless of terminology, the content must satisfy GDPR. A concise small business privacy policy template can be a starting point, but tailoring is crucial.
Yes. It must be easily accessible to individuals whose data are processed. Publishing the policy on the website is common practice, especially where personal data are collected via, for example, contact forms, newsletters or cookies. Your website privacy policy should be prominent and written in plain language.
Organisations operating in several countries should adapt their privacy policy to:
- Applicable national laws in addition to GDPR.
- The language and expectations of data subjects in each country.
- Processing activities specific to different regions.
Morling Consulting’s GDPR lawyers have experience supporting international companies in aligning their privacy policies with GDPR in a compliant and practical way.
Situations where advice on privacy policies may be relevant include:
- Launching a new digital service and reviewing how personal data are collected and communicated to users.
- Harmonising data protection policies across multiple countries to meet both GDPR and local requirements.
- Changing internal procedures for handling personal data and needing support on how to communicate those changes to users, including how to write a privacy policy that is clear and actionable.
In short, if you are asking “do I need a privacy policy on my website” or “does my website need a privacy policy”, the answer is yes—and it should be specific to your processing rather than relying solely on a generic small business privacy policy template.
Contact
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85