
Privacy policy: a practical guide


The privacy policy is one of your website's most important legal documents. It indicates what personal data of your users is collected during the use of your website, why, and how this data is kept confidential.


Every organization with a website must publish a Privacy Policy, and this must be accessible via a direct link from every web page. The Privacy Policy is distinct from general terms and conditions of sale, or general terms and conditions of use, which serve different purposes and meet different legal obligations of the website owner.


Why is the privacy policy important?


Even if you're just a small business or a website with no revenue, you still need a privacy policy. Every website that collects personal data requires a privacy policy that informs your users about it, in line with the European Data Protection Regulation (GDPR).


Cookies are text files automatically stored in a user's browser when visiting a website. These text files generally contain personal data, making it necessary to document their existence and operation in a privacy and cookie policy.


The form of your Privacy Policy


Your privacy policy must be accessible to your users free of charge, at all times, and written in clear, readable language.


According to the GDPR, your privacy policy must meet the following requirements:

  • Be written in a concise, transparent, intelligible and easily accessible form.

  • Be written in clear and simple language, especially for any information specifically addressed to a child.

  • Be delivered in a timely manner and accessible at all times.

  • Be provided free of charge.


Generally, a privacy policy will be provided in writing or electronically. In addition, if a website collects personal data online, the privacy notice or a link to it must be provided on the same page where the data collection takes place.




What should your privacy policy contain?


The GDPR details what information must be included in a privacy and cookie policy. The requirements may vary depending on the type of personal data processed or even the way in which personal data is processed.


In the case of a website, you will need to fill in the following information (non-exhaustive):

  • The identity and contact details of your company, its representative and its data protection officer, if any.

  • The purpose for which personal data is collected and processed, and the legal basis for such processing.

  • Your company's legitimate interests regarding the processing of personal data in the course of your business.

  • Any recipients or categories of recipients of personal data.

  • Details of any transfer of personal data to a country outside the EU and the safeguards taken for such transfers of personal data.

  • The retention period or the criteria used to determine the retention period of personal data.

  • The personal data rights of each data subject:

    • the right to withdraw consent at any time (if applicable);

    • the right to lodge a complaint with a competent authority.


Need help writing your privacy policy?


The MERCASAFE Privacy and Cookie Policy template is available in our Mercasafe Packages for your site, at prices tailored to small and medium-sized businesses.
