GDPR privacy policy template
Use our GDPR privacy policy template as a guide about what your own privacy policy should look like.
It’ll take some time for everyone to learn how to comply with GDPR regulations, but every step you take brings you closer to full compliance. So, if you haven’t yet created a complete and lawful GDPR privacy policy, you can do so now with this downloadable and editable GDPR privacy policy template. This template will help you better understand what you need to include.
Note: your privacy policy is a legal document, so consult your attorney before finalizing and publishing it. This template only gives you a framework of what your GDPR privacy policy should look like, and neither Workable nor the author assumes any liability or responsibility arising from the use of this GDPR policy template.
You could build separate policies for every business function that handles personal data (for instance recruitment, finance, HR and other departments), and you can use this same GDPR privacy policy template for each of them. If you’re involved in recruiting, also check out our complete guide on GDPR for recruiting to learn more about what actions you need to take to be compliant.
Purpose of GDPR policy
Here, state your organization’s full name and details and set out the purpose of the policy. For GDPR, the purpose is to explain clearly how you collect, process and store personal data. Also be clear about who the data controller is for the purposes of this policy (probably your company). If you’re based outside the European Union, include details of your appointed representative in the EU and, if you have one, your Data Protection Officer (DPO), together with how someone can reach them.
Data processors
List the data processors you use, i.e. the third parties that process personal data on your behalf. For example, if you’re writing a privacy policy for recruitment, your data processor will be your applicant tracking system (ATS) provider. Explain how each data processor handles personal data.
How we collect data
List what personal data you collect. For example, you could say you collect names, IP addresses, etc. Also mention what personal data you collect from other sources (e.g. social media, third-party services) and which those sources are.
How we use data
Explain your lawful basis for processing data. In recruitment, for example, this is typically legitimate interest or consent. Clearly state the purposes for which you process data and whether you use automated decision-making or profiling.
How we disclose data
Be transparent about which other parties have access to the personal data you collect.
How we store data
State how you ensure data security, where you store data (including whether you transfer it outside the EU and, if so, how you protect it), and for how long you keep it.
The data subject’s rights
The data subject is the person whose data you process (for example, in the recruiting process, the job candidate is a data subject). GDPR grants that person several rights, including the right of access, the right to be forgotten (erasure) and the right to object. Explain all these rights and give data subjects instructions on how to exercise them.
How to complain
Provide instructions on how to lodge a complaint and name the supervisory authority in the country where you’re based.
Changes to the privacy policy
Clearly state that you reserve the right to modify this policy as needed and how you will notify data subjects of changes (e.g. via your website).
Contact
Add an email address or phone number that people can use to ask questions about your privacy policy.
For a worked example, see this GDPR privacy policy template built specifically for the recruiting function. To get a further idea of what a GDPR privacy policy can look like, see Workable’s own policy.