Free GDPR Privacy Policy Templates: Notice, Consent, Cookie Policy

GDPR Fundamentals
The EU General Data Protection Regulation (GDPR) defines how personal data is handled. Core principles:
- Lawful, fair, transparent processing
- Accurate and up-to-date
- Specific, explicit, legitimate purposes
- Data minimization
- Storage only as long as necessary
Template 1: Privacy Notice (Short)
PRIVACY NOTICE
Data Controller: [Company Name]
Address: [Full address]
Phone: [Phone]
Email: [Email]
DPO email (if applicable): [DPO email]
1. DATA COLLECTED
While visiting our site and using our services, we process:
- Identity: name, surname
- Contact: email, phone, address
- Customer transactions: order history, payment info
- Security: IP, device information
- Marketing: cookies, preferences
2. PROCESSING PURPOSES
- Service delivery and customer relations
- Order and shipping processes
- Legal obligations
- Security measures
- Marketing (with explicit consent)
3. TRANSFERS
Shipping providers, payment processors, cloud vendors, and regulators
when legally required.
4. LAWFUL BASIS
GDPR Art. 6(1)(b) contract performance, (c) legal obligation, (f) legitimate interest.
5. YOUR RIGHTS (GDPR Art. 15-22)
Access, rectification, erasure, objection, portability, complaint to
supervisory authority.
Contact: [privacy email or web form]
Last updated: [DD/MM/YYYY]
Template 2: Marketing Consent
MARKETING CONSENT
I consent to [Company Name] processing my name, email, phone, purchase
history and cookie data for marketing activities (email newsletter, SMS
campaigns, personalized recommendations, cross-sell) and sharing this data
with digital marketing platforms and SMS providers for these purposes.
I understand I can withdraw consent anytime via [link / email / account
panel].
☐ I consent
Template 3: Cookie Policy
COOKIE POLICY
1. STRICTLY NECESSARY
Required for site function (session, cart, security). Cannot be disabled.
Examples: session_id, csrf_token, cart_id
2. ANALYTICS
Visitor behavior (Google Analytics). Examples: _ga (2 years), _gid (1 day)
3. MARKETING
Ad targeting and retargeting (Meta Pixel, Google Ads, TikTok).
Examples: _fbp (3 months), _gcl_au (3 months)
4. PREFERENCE
Language, currency, theme. Examples: locale, currency, theme
USER CONTROL
Block or delete cookies from browser settings. Use the "Cookie Settings"
link at the site footer for category-based opt-in/opt-out.
Last updated: [DD/MM/YYYY]
Template 4: Data Subject Request Form
DATA SUBJECT REQUEST FORM (GDPR Art. 15-22)
Name:
Address:
Phone:
Email:
Request Type:
☐ Confirmation of processing
☐ Access to personal data
☐ Rectification of inaccurate data
☐ Erasure (right to be forgotten)
☐ Restriction of processing
☐ Data portability (machine-readable export)
☐ Objection to processing
☐ Objection to automated decision-making
Additional details:
Date:
Signature:
Submit to [email / postal address]. Response within 30 days (extendable 60 days for complex requests).
Template 5: Retention and Destruction Policy — Outline
- Purpose and scope
- Definitions
- Responsibilities
- Retention period table (by data category with legal basis)
- Destruction methods (deletion, erasure, anonymization)
- Periodic destruction cycle (every 6 months)
- Review and audit cadence
Implementation Guidance
Adding to Your Site
- Fill in company name, address, phone, email, DPO details
- Limit data categories to what you actually collect — don't over-declare
- Link from footer AND from sign-up / checkout forms
- Consent checkbox must not be pre-checked (a pre-checked box is a GDPR violation)
- Record "last updated" date
Records of Processing Activities (ROPA)
GDPR Art. 30 requires most organizations to maintain processing records. Consult counsel for exemption eligibility.
Disclaimer
Templates are educational. Your processing is unique; always have a qualified privacy attorney review. GDPR fines reach €20M or 4% of global turnover.
Common Mistakes
- Copy-pasted templates with only company name swapped
- Pre-checked consent boxes
- No notice at checkout
- Loading marketing pixels without prior cookie consent
- Forgetting the "last updated" date
FAQs
How much customization is needed?
At minimum: company details, processing purposes, data categories, transfer recipients. Beyond that, legal review.
GDPR vs CCPA — which applies to me?
GDPR: any site targeting EU residents. CCPA: sites processing California residents meeting specific thresholds. Many sites must comply with both.
What about bilingual sites?
Provide the privacy notice in every language the site serves, localized (not literally translated).
When to update?
When processing purposes or data categories change, when adding new vendors, or when regulations update.
Next Step
Full GDPR/privacy audit for your site — book a consultation.