Quick answer: Every website that processes personal data needs a privacy policy. This covers virtually every website — because even logging an IP address counts as data processing. Here are all the mandatory disclosures and a step-by-step guide.
Why Is a Privacy Policy Mandatory?
The GDPR requires in Articles 13 and 14 that every data controller informs data subjects about the processing of their personal data. This information obligation is typically fulfilled through a privacy policy on the website.
Important: A missing or incomplete privacy policy is not only a GDPR violation (fines up to €20 million), but also a competition law violation in many EU countries. Competitors can take legal action against you.
The 12 Mandatory Disclosures Under Art. 13 GDPR
Every privacy policy must include the following information:
| # | Required Disclosure | Legal Basis | Example |
|---|---|---|---|
| 1 | Name and contact details of the controller | Art. 13(1)(a) | Company name, address, email, phone |
| 2 | DPO contact details (if applicable) | Art. 13(1)(b) | privacy@company.com |
| 3 | Purposes of data processing | Art. 13(1)(c) | Website analytics, contact form, newsletter |
| 4 | Legal basis for each purpose | Art. 13(1)(c) | Art. 6(1)(a) consent, Art. 6(1)(f) legitimate interest |
| 5 | Legitimate interest (if applicable) | Art. 13(1)(d) | Website optimization, fraud prevention |
| 6 | Recipients of the data | Art. 13(1)(e) | Hosting provider, payment processor, Google |
| 7 | Third-country transfers | Art. 13(1)(f) | Transfer to the US via EU-US DPF |
| 8 | Retention periods | Art. 13(2)(a) | Log files: 30 days, customer data: 10 years |
| 9 | Data subject rights | Art. 13(2)(b) | Access, deletion, rectification, objection |
| 10 | Right to withdraw consent | Art. 13(2)(c) | Withdrawal possible at any time |
| 11 | Right to lodge a complaint with a DPA | Art. 13(2)(d) | Relevant supervisory authority |
| 12 | Automated decision-making / profiling | Art. 13(2)(f) | If AI-based decisions are made |
Additional Disclosures for Common Website Features
Hosting and Server Logs
Every web server records technical data on each request (IP address, browser, operating system, timestamp). This is a mandatory disclosure in your privacy policy, even if the data is only stored briefly.
Contact Forms
If your website has a contact form, you must state: what data is collected, on what legal basis, how long it is stored, and who has access.
Google Analytics / Tracking Services
- Name of the service and provider
- Type of data collected (cookie IDs, IP address, page views)
- Legal basis: Consent (Art. 6(1)(a))
- Note on IP anonymization (if enabled)
- Note on Google Consent Mode v2
- Note on the EU-US Data Privacy Framework
- Opt-out option (browser plugin)
Newsletter and Email Marketing
- Describe the double opt-in process
- Name the email service provider (e.g., Mailchimp, Brevo)
- Disclose tracking in emails (e.g., open rates)
- Unsubscribe option in every email
Social Media Plugins
- Which networks are embedded (Facebook, Instagram, LinkedIn)
- Whether a 2-click solution or Shariff is used
- Note on data sharing with the platform operator
When Do You Need a Data Protection Officer?
Under Art. 37 GDPR and national laws, a DPO is required when:
- Your core activity involves large-scale processing of personal data
- You process special categories of data (health, biometric, genetic data)
- You need to carry out a Data Protection Impact Assessment (DPIA)
- In Germany: at least 20 employees regularly process personal data (§ 38 BDSG)
Common Privacy Policy Mistakes
| Mistake | Why It's a Problem | Fix |
|---|---|---|
| Copy-paste from the internet | Doesn't match your actual data processing | Customize or use a generator |
| Outdated legal references | Citing Privacy Shield instead of EU-US DPF | Update regularly |
| Missing services | New plugin/tool not covered | Review after every website change |
| Wrong language | Must be in the language of the target audience | Provide localized versions |
| Not accessible | Must be reachable from every page | Add link in footer on every page |
| No legal notice linked | Legal notice (Impressum) and privacy policy are separate obligations | Link both in the footer |
Privacy Policy Checklist
- All 12 mandatory disclosures under Art. 13 GDPR included?
- All services and tools listed?
- Legal basis stated for each processing purpose?
- Current third-country transfer rules (EU-US DPF) mentioned?
- Data subject rights fully listed?
- Controller's contact details correct?
- DPO named (if required)?
- Retention periods stated for all data categories?
- Accessible from every page (max. 2 clicks)?
- Regular review scheduled (at least quarterly)?
Automated Checks with PrivacyChecker
Our free GDPR website scanner automatically detects whether your website has a privacy policy and checks its key components. The scan also verifies whether all embedded third-party services are mentioned in your privacy policy.
Frequently Asked Questions
Is a privacy policy generator sufficient?
A privacy policy generator (e.g., from Termly, iubenda, or eRecht24) is a good starting point, but not a guarantee of completeness. You must always adapt the generated text to your actual data processing activities and update it regularly.
What happens if my privacy policy is incomplete?
An incomplete privacy policy can result in a DPA fine (up to €20 million), a competition law injunction from competitors, or a compensation claim from affected users.
Does the privacy policy need to be in the local language?
If your website targets users in a specific country, the privacy policy should be available in that country's language. For international websites, a multilingual version is recommended. This requirement stems from the GDPR's transparency principle: information must be provided in clear and plain language.