GDPR Privacy Policy

How to compose a Privacy Policy:

  • Say what you do…

  • …And do what you say.

  • Keep it simple.

  • Be complete.

  • Find the right balance.


The Privacy Policy is at the heart of your organization’s privacy practices. First, because it is legally required as an information provision to the people whose data you process. But even more importantly, it is the core document that ties all privacy practices together. This is where you let people know what data you collect, why and how.

A Privacy Policy is a public statement, visible to website visitors, (potential) customers, partners and employees. A Privacy Policy or privacy statement is not to be confused with another necessary document: the internal strategy document, which describes how you, as an organization, want to deal with privacy, including directions for employees (code of conduct).


The Privacy Policy is directly visible to customers and authorities. So, you better make sure it lets them know your processing activities are compliant. At the same time, set realistic expectations and don’t promise something you cannot deliver.


Did you know the GDPR actually dictates that the privacy policy is concise, intelligible, and written in clear and plain language? Skip the lengthy and difficult-to-read legal statements, and inform your data subjects in an easy and transparent way. Be specific about what you do with the personal data of the people that entrust it to you, and make sure they understand.


Although the Privacy Policy should be easy to understand, it must also include all information that is required by the GDPR. The precise contents depend on your activities, but may include:

  • The identity and contact details of your organization and data protection officer
  • The purposes for processing personal data
  • The legal grounds for processing
  • Who can access data and who receives it
  • Whether data is transferred to another country, and whether this is safe
  • How long data is retained
  • Information about the rights people have (for example, their right of access, rectification and erasure of their data)


Your Privacy Policy should be simple, yet complete. It should be compliant, yet realistic. This makes it important to have a balanced Policy that is carefully crafted.

A best practice is to start with a short but complete high-level statement. For people interested in more details (and to add all the mandatory items of GDPR) a second part is constructed and published.

Information about processing personal data of employees is mostly published separately on internal media (like an intranet) and combined with an awareness program.

A publicly visible privacy policy is also a means of communication. It is a perfect way to communicate your message to customers interested in privacy (and those numbers are increasing). It does more than express the way you deal with their precious personal data: a good privacy policy represents the way in which you take care of them.

So a good privacy policy is concise, complies with the law, builds trust with your website visitors and customers, and can also help to increase your business.

Feel free to contact us for help: the first consultation is free.

What’s next

Start creating your own Privacy Policy. We are happy to help. Just let us know below.


Your first question is free of charge.


    Pivot Park Oss


    Visiting address:
    Pivot Park
    Kloosterstraat 9
    5349 AB Oss, The Netherlands

    Postal address:
    PO Box 228
    5340 AE Oss, The Netherlands


    Office: +31 (0)88 8483 100

    Vivenics Privacy Policy