Our GDPR lawyers draft a privacy policy tailored to the business’s processing activities
A privacy policy is a central element of data protection governance and plays a decisive role in meeting the requirements of the General Data Protection Regulation (GDPR). It enables individuals whose personal data are processed to understand the purposes of the processing and, beyond meeting a legal requirement, it can build trust by demonstrating transparency in the organisation’s data processing.
We start by identifying which processing activities the policy should reflect and which audiences it should inform. This sets a clear framework for what to include and what belongs in other documents.
We then structure the GDPR information requirements around your actual data flows, focusing on clarity for data subjects and reducing the risk of gaps. We also identify common pitfalls such as unclear purposes, hard-to-understand language, and weak contact routes.
We produce a draft policy with a balanced level of detail per area and prioritise what needs to be especially concrete—such as legal basis, retention, and rights. The result is a document you can quality-check internally before final wording is refined.
The policy is linked to practical routines so it matches how personal data is actually handled, for example in web forms and cookie usage. At the same time, we ensure publication, ownership, and internal contact routes so it works in day-to-day operations.
Finally, we set a simple model for ongoing review so the policy stays updated when processing activities, systems, or ways of working change. This reduces the risk of the document falling behind and becoming a weak point if data subjects raise questions or in supervisory reviews.
A policy only adds value when it aligns with your actual routines and can be followed up. Ensure the content matches your records and storage so the documents do not say one thing while the business does another.
The primary purpose of a privacy policy is to inform individuals, clearly and accessibly, how their personal data are processed by the organisation. This includes which categories of personal data are collected, how they are used, stored and protected, and the rights available to data subjects.
The privacy policy provides visibility over the organisation’s processing activities—for example, the purposes for which personal data collected via a contact form or cookies are used. It clarifies the purposes of processing and the legal basis for each purpose. By providing this information, individuals gain insight into how their data are used.
Internally, the privacy policy also serves as guidance. It supports adherence to established data processing procedures, reducing the risk of inadvertent breaches of data protection law and helping to foster a culture of data protection across the organisation.
Continuous improvement
A privacy policy must meet a range of requirements under GDPR. Deficiencies in design can lead to legal risk such as administrative fines, complaints from data subjects or regulatory scrutiny. Regular, systematic review and improvement of the privacy policy is a sound way to reduce risks linked to poor data protection. A proactive and structured review makes it possible to identify and remedy potential shortcomings before they result in compliance issues, claims for damages or reputational harm.
By integrating the policy into day-to-day data protection work, the organisation strengthens its resilience to regulatory and operational risk and ensures that personal data are processed in line with applicable law and good practice. Below are common mistakes to avoid:
Using legal or technical terms without adapting to the audience, making the policy difficult to understand.
Failing to clearly set out the purposes of collecting and processing personal data.
Omitting key information on data subject rights under GDPR, for example the right to erasure.
Not clearly providing contact details for the person or unit responsible for data protection matters.
Failing to review the policy regularly so that it reflects actual processing and current practice and law.
Not specifying how long personal data are kept, which not only breaches transparency requirements but can also lead to excessive storage periods.
A GDPR lawyer from Morling Consulting can help organisations design and implement a privacy policy (also referred to as an integrity policy) that balances legal accuracy with readability and practical application.
A privacy policy is therefore more than a legal document. It is also:
Data are a valuable asset, and by publishing a transparent website privacy policy organisations demonstrate their commitment to privacy. That commitment can be a competitive advantage in a market where consumers and partners increasingly value responsible data management.
All organisations and businesses that process personal data need a privacy policy, regardless of size or sector. This applies to companies, public bodies and non-profits if they collect information about individuals—such as customers, employees, users or other individuals. A website privacy policy is essential whenever data are collected online.
Without a clear and up-to-date privacy policy, an organisation risks failing to meet GDPR requirements. Consequences include reduced trust from customers, partners and employees, and increased risk of administrative fines in the event of supervision by the Data Protection Agency.
A correctly designed privacy policy should include, among other things:
The policy should be reviewed regularly—at least annually—or when there are significant changes in the business, such as launching new services that involve personal data processing or changes in legal requirements. A fixed review cadence for the privacy policy helps sustain GDPR compliance.
We provide legal advice to:
In practice, the terms are often used interchangeably. Both inform individuals how their personal data are processed. The term “privacy policy” is more legal in tone, while “integrity policy” may be perceived as more user-friendly. Regardless of terminology, the content must satisfy GDPR. A concise small business privacy policy template can be a starting point, but tailoring is crucial.
Yes. It must be easily accessible to individuals whose data are processed. Publishing the policy on the website is common practice, especially where personal data are collected via, for example, contact forms, newsletters or cookies. Your website privacy policy should be prominent and written in plain language.
Organisations operating in several countries should adapt their privacy policy to:
Morling Consulting’s GDPR lawyers have experience supporting international companies in aligning their privacy policies with GDPR in a compliant and practical way.
Situations where advice on privacy policies may be relevant include:
In short, if you are asking “do I need a privacy policy on my website” or “does my website need a privacy policy”, the answer is yes—and it should be specific to your processing rather than relying solely on a generic small business privacy policy template.
Do you need a privacy policy suited to the business? Contact us to discuss