Privacy Policy: Mandatory Elements

In 2026, any business or organisation that collects personal data through its website is required to publish a privacy policy. The GDPR mandates it, and data protection authorities across Europe actively enforce it. Yet many privacy policies remain incomplete, vague, or purely decorative. A privacy policy that does not contain all the information required by Articles 13 and 14 of the GDPR is legally equivalent to having no privacy policy at all. To understand the full scope of risks involved, see our article on mandatory privacy policy: risks and fines.

This article details every element your privacy policy must contain to be GDPR-compliant in 2026.

Why every element matters

Articles 13 and 14 of the GDPR set out a precise list of information that the data controller must provide to data subjects. Article 12 adds that this information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

This is not guidance — it is a legal obligation. An incomplete privacy policy constitutes a breach of these articles, punishable under Article 83 of the GDPR with fines of up to 20 million euros or 4% of annual global turnover. Regulators across the EU have sanctioned organisations whose privacy policies existed but failed to include all mandatory elements. The argument “we had a privacy policy” offers no protection if the document is deficient.

To determine whether your organisation falls under these obligations, consult our GDPR: who is actually affected guide.

Mandatory elements of a privacy policy

Here are the 11 elements that every GDPR-compliant privacy policy must contain. Each corresponds to a specific requirement of Articles 13 or 14 of the regulation.

1. Identity and contact details of the data controller

Your policy must clearly identify who is responsible for processing personal data: full legal name of the company, registered address, contact email, and company registration number. If a Data Protection Officer (DPO) has been appointed, their contact details must also be included (Article 13.1.b).

2. Purposes of processing and legal basis

For each data processing activity, you must state the purpose (why the data is collected) and the corresponding legal basis from the six grounds provided by Article 6 of the GDPR: consent, performance of a contract, legal obligation, vital interests, public interest, or legitimate interests. For example: “We collect your email address to send our newsletter (legal basis: consent)” or “We process your billing data to fulfil your order (legal basis: performance of a contract).”

3. Categories of personal data collected

List comprehensively the types of data you collect: identification data (name, email address), connection data (IP address, logs), payment data (card number, processed via payment provider), browsing data (pages visited, cookies), and location data where applicable. Transparency is essential: the user must know exactly what data you hold about them.

4. Recipients of the data

Identify all persons or entities that have access to the data: internal teams (customer service, marketing, IT), processors (hosting provider, payment processor, email platform), and any commercial partners. Article 13.1.e requires this information even when recipients are processors acting on your behalf.

5. Transfers outside the European Union

If any data is transferred to countries outside the EU — for example through the use of US-based cloud services — you must state this explicitly. You must indicate the countries concerned, the safeguard mechanism used (European Commission adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules), and how the user can obtain a copy of these safeguards (Article 13.1.f).

6. Data retention periods

For each category of data, specify the retention period or the criteria used to determine it (Article 13.2.a). For example: “Customer data: 3 years after the end of the business relationship. Billing data: 10 years (legal obligation). Browsing data: 13 months.” Avoid vague phrasing such as “as long as necessary” without further detail.

7. Rights of data subjects

The GDPR grants users a set of rights that your policy must list and explain clearly: right of access (Article 15), right to rectification (Article 16), right to erasure or “right to be forgotten” (Article 17), right to restriction of processing (Article 18), right to data portability (Article 20), and right to object (Article 21). Each right should be described in language that a non-lawyer can understand.

8. How to exercise these rights

Listing the rights is not sufficient: you must indicate concretely how to exercise them. Specify the dedicated email address (e.g. dpo@yoursite.com), a contact form if applicable, the postal address for written requests, and the response time (1 month maximum under Article 12.3 of the GDPR, extendable by 2 months in complex cases). Also mention any identity verification requirements for processing requests.

9. Right to lodge a complaint with a supervisory authority

Article 13.2.d requires you to inform the user of their right to lodge a complaint with a supervisory authority. In France this is the CNIL; in the UK the ICO; in Germany the relevant state-level authority (Landesdatenschutzbeauftragte). Include the authority’s name, postal address, and a link to its online complaint service. This element is frequently omitted but is mandatory.

10. Cookies and trackers

Even if you have a separate cookie policy, your privacy policy must mention the use of cookies and trackers, briefly summarise the categories of cookies used (essential, analytical, advertising), and link to your full cookie policy for detailed information and consent management.

11. Policy changes and versioning

Indicate how users will be notified of material changes to the policy: email notification, information banner on the site, visible last-updated date at the top or bottom of the document. State the current version date and ideally maintain an accessible version history or changelog.

Most common mistakes

Even with good intentions, certain errors recur frequently in privacy policies:

Overly vague wording. Phrases like “we use your data to improve our services” do not satisfy the transparency requirement. Each purpose must be described specifically and concretely.

Copy-pasting from a competitor. Every website has different data processing activities. A copied policy will inevitably be inaccurate for your business, and constitutes a compliance failure in itself.

Missing or incorrect legal basis. Stating a purpose without indicating the corresponding legal basis, or claiming consent when the processing actually relies on performance of a contract, constitutes non-compliance.

Missing DPO contact details. If your organisation is required to appoint a DPO (Article 37), their contact details must appear in the policy. Their absence is a separate compliance failure.

Outdated policy. A policy that mentions services you no longer use, or that does not cover new processing activities added since it was written, is no longer compliant. Regular updates are essential.

Inaccessible document. The policy must be accessible within 2 clicks from any page of the site. A link only in the footer of the homepage is insufficient if internal navigation does not carry it through.

How to obtain a complete privacy policy

Given the complexity of the requirements, several options exist:

Hire a specialist lawyer (200-500 euros): this is the most personalised solution, but the cost and lead time (several weeks) can be prohibitive, particularly for small businesses and freelancers.

Write it yourself (0 euros but risky): without legal expertise, the risk of omission or error is high. Articles 13 and 14 of the GDPR contain over 20 mandatory information points, and a single omission is enough to render the document non-compliant.

Use a generic AI tool (0 euros + lawyer review 150-300 euros): tools like ChatGPT can produce a first draft, but they do not know the specifics of your website and require legal review to ensure compliance.

Use a specialised legal tool (€14.90-19.90): solutions like WebLegal.ai guide you step by step through every mandatory element, ensuring nothing is missed. The document is generated in minutes, tailored to your business, and compliant with the latest GDPR requirements. For comprehensive protection, consider all 4 essential legal documents your website needs.

Conclusion

A GDPR-compliant privacy policy is not merely a legal text to tick off a compliance checklist: it is a transparency tool that protects both your users and your business. Each of the 11 elements detailed in this article corresponds to a specific regulatory requirement. Omitting even one exposes your organisation to sanctions of up to 20 million euros or 4% of your annual global turnover. In 2026, with regulators stepping up enforcement across Europe, leave nothing to chance — ensure your privacy policy is complete, up to date, and accessible.