the art of being legal

What do I need to include in my website's privacy policy?

Your privacy policy is your way to fulfill your obligation to let your data subjects know that you are collecting personal data about them, how it will be used, and what their rights are.  We agree to them (or not) almost every time we enter and use a website (particularly since the General Data Protection Regulation (GDPR) came into force in May 2018). However, the idea of creating one's own privacy policy can be daunting.  Keep reading as we explain what your privacy policy must include and how it must be written (according to Articles 12, 13, and 14 of the GDPR).

Abigail Sked-circulo-1Written by Abigail Sked


More information


Your privacy policy must be easily understandable

First, bear in mind the style in which you write your privacy policy. It must be “concise, transparent, intelligible, and easily accessible”. You must make sure that your data subjects will be able to understand the policy, for example, by avoiding overly technical vocabulary and by using lists or tables to facilitate comprehension.

Also, think about the language your data subjects speak. How can you best communicate this information to them?

If your content or service is directed at children, you must adapt your language appropriately.

Similarly, the privacy policy should be easy to find, so you’ll want to create a specific web page just for your policy. Don’t distract from the content of the policy with adverts or with images that might interfere with access on some browsers.


If you are unsure of what counts as ‘personal data’ and who ‘data subjects’ are, check out our post about the GDPR and what it means for you, and then come back. 

Your privacy policy must include

  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative

This includes name, address, email address and phone number of the company or of its representatives. If the data controller is not established in the European Union, a representative in the Union must be designated and indicated here.

  1. the contact details of the data protection officer, where applicable

If you are a public authority/body or if you process particularly personal data or carry out systematic monitoring on a large scale, you’ll have a data protection officer, whose information should also be included. 

  1. the legal basis for the processing of data

You must choose at least one of the legal bases for the collection and processing of data outlined in the GDPR which legitimises your actions. Note that you will need additional bases for legitimation if you are processing one of the special categories of data (health, religion, etc.) or data about crimes and criminal offences.

The 6 general legal bases are:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  7. The purposes of the processing

Here, you have to outline the objectives. Why are you collecting and processing this personal data?

It’s a good idea here to set out all of the different ways that you and your website collect data. For example:

  • contact or feedback forms
  • registering online or signing up to the email list
  • data entry fields (such as when a client inputs their payment details)
  • third party content (e.g. social media)
  • cookies

Three purposes that you have no doubt seen being used are analysis of user behaviour for website optimisation, for the designing of more personalised content or for marketing purposes.

Note that if you have chosen ‘legitimate interests’ as your legal basis for processing, you should specify what these legitimate interests at this point and check that you are meanwhile protecting the interests and fundamental rights of the user.

  1. the recipients or categories of recipients of the personal data

If you send the personal data that you collect to third parties or third countries, you must make that clear at this point. For example, if you use online payment platforms or external contractors who receive personal data about your data subjects, this will apply to you.

Don’t forget cookies, social buttons and plugins.  In the case of cookies, you must get user consent before you use any cookies except those which are strictly necessary and you must make your data subjects aware of the types of data the cookies track and what the purpose is of collecting that data. 

If you will be transferring data to a third country or international organisation, you will need to outline the existence or absence of an adequacy decision by the European Commission or make reference to the appropriate safeguards put in place and where to find them.

  1. the data retention period

How long will you store the data? The time frame cannot be infinite, it has to be reasonable taking into consideration your purposes.

If you can’t give an exact time frame, refer to the criteria used to determine the time frame. For example, do you have any data that is automatically set to delete after a certain period of time? Is a certain type of data only stored and processed under a certain condition?

  1. The rights of the data subject

Those people whose personal data you are collecting have a collection of rights themselves and these must be made clear. For example, they have rights to request that the controller give them access to the personal data about them, or rectify or erase that data. They can restrict the processing of their data, object to it or request that the data be transferred to someone else. If they have consented to data processing, they can withdraw that consent at any time and they have the right to lodge a complaint with a supervisory authority.

  1. The statutory or contractual necessity to collect data (if applicable)

If the provision of personal data is a statutory or contractual requirement, or is necessary in order to enter into a contract, that must be referred to here, outlining whether the data subject is obliged to provide that data and what the possible consequences would be if they didn’t provide that data.

  1. The use of automated decision-making, including profiling

In the case of the existence of automated decision-making, meaningful information must be provided about the logic involved in that decision-making and about the significance and envisaged consequences of that processing. Bear in mind that, pursuant to Article 22 of the GDPR, data subjects have the right to not be subject to such decision-making unless to do so is necessary for a contract between them and the data controller, is authorised by the EU or the Member State whose law the controller is subject to, or is based on the data subject’s explicit consent.


Bonus tip:

You will also want to bear in mind that, according to Article 21 of Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico, electronically sending advertising or promotional communications that have not previously been requested or expressly authorized by the recipients thereof is prohibited.  There is an exception if you have a contractual relationship with the data subject.  Nonetheless, the service/good being promoted must be sufficiently similar to that of the original contract and the data subject must be given the opportunity to oppose such promotion both when the data is first collected and each time promotional communications are sent.


Your privacy policy is an excellent opportunity for you to make clear both to yourself and to your clients/users exactly what data you are processing and why you are processing it, as well as what your obligations are and what your data subjects rights are. This fosters a more transparent and trusting relationship between yourself and your clients/users, and protects all of our personal data more generally.


If after reading this article, you still feel a little overwhelmed by the concept of the GDPR and its resulting obligations, we can help you.  We offer advice on how to implement the GDPR in Spain.

Get in touch here: 


Abigail Sked



Date published: 26 July 2023

Last updated: 23 April 2024