The General Data Protection Regulation (GDPR), enforced since May 25, 2018, has significantly reshaped how organizations collect, use, store, and protect personal data within the European Union (EU) and beyond. Whether you are building a privacy policy, reviewing contracts with third parties, or simply ensuring compliance, understanding key GDPR clauses is essential.
In this article, we’ll explore the best GDPR clause examples that businesses can incorporate into their privacy policies, data processing agreements (DPAs), and contracts. Each clause example will include an explanation, real-life wording, and best practice advice to help you stay compliant.
1. Lawful Basis for Data Processing Clause
Why It Matters
Under Article 6 of the GDPR, organizations must have a valid lawful basis for processing personal data. This clause ensures transparency and legality in data collection and usage.
Sample Clause
“Legal Basis for Processing:
We process your personal data based on the following legal grounds:
- Your consent (Article 6(1)(a))
- The performance of a contract with you (Article 6(1)(b))
- Compliance with legal obligations (Article 6(1)(c))
- Our legitimate interests, provided your fundamental rights do not override them (Article 6(1)(f))”
Best Practice
Include only the bases that apply to your specific processing activities. If consent is used, ensure it’s obtained in a GDPR-compliant manner—freely given, specific, informed, and unambiguous.
2. Data Subject Rights Clause
Why It Matters
GDPR provides individuals with specific rights regarding their personal data (Articles 12–23). This clause must inform users of their rights clearly and concisely.
Sample Clause
“Your Rights Under the GDPR:
As a data subject, you have the following rights:
- Right to access your data
- Right to rectify inaccurate or incomplete data
- Right to erasure (‘right to be forgotten’)
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right not to be subject to automated decision-making, including profiling
To exercise these rights, please contact us at [email address].”
Best Practice
Make this section easy to read. Use bullet points and plain language. Include a simple contact method to exercise these rights, such as an email address or online form.
3. International Data Transfers Clause
Why It Matters
If your company transfers personal data outside the EU/EEA, this clause explains how such transfers are safeguarded, as required under Chapter V of the GDPR.
Sample Clause
“International Transfers of Your Data:
Some of our service providers are located outside the European Economic Area (EEA). When we transfer personal data internationally, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Transfers to countries deemed to provide an adequate level of protection
- Binding Corporate Rules for internal group transfers”
Best Practice
Be specific. Mention the countries or regions involved and which safeguard you use. Avoid vague language like “we ensure safety.”
4. Retention Period Clause
Why It Matters
The GDPR requires that personal data not be retained longer than necessary (Article 5(1)(e)). This clause informs users how long their data will be stored.
Sample Clause
“Data Retention:
We retain your personal data only as long as necessary for the purposes for which it was collected. Generally, this means:
- Customer data: retained for 5 years after the last transaction
- Email subscribers: retained until you unsubscribe
- Job applicant data: deleted 12 months after the recruitment process ends
We may keep data longer if required by legal obligations.”
Best Practice
Tailor the retention period to each data type and processing purpose. Avoid blanket statements like “we keep your data indefinitely.”
5. Third-Party Sharing Clause
Why It Matters
Transparency about who else accesses the data is crucial. GDPR mandates informing users if their data is shared with third parties (Article 13(1)(e)).
Sample Clause
“Who We Share Your Data With:
We may share your data with trusted third-party partners who assist us in delivering our services. These include:
- Cloud storage providers (e.g., AWS, Google Cloud)
- Email marketing platforms (e.g., Mailchimp)
- Payment processors (e.g., Stripe, PayPal)
These partners are bound by data protection agreements and cannot use your data for other purposes.”
Best Practice
List the categories of third parties clearly. Include links to their privacy policies if possible.
6. Cookies and Tracking Technologies Clause
Why It Matters
GDPR (combined with the ePrivacy Directive) requires websites to inform users about cookies and obtain consent before storing or accessing data on a device.
Sample Clause
“Cookies and Tracking:
We use cookies and similar technologies to improve your experience on our site.
- Necessary cookies: for basic functionality
- Analytics cookies: to analyze site usage (e.g., Google Analytics)
- Marketing cookies: to show personalized ads
You can manage your cookie preferences through our Cookie Consent Banner.”
Best Practice
Implement a cookie banner that allows users to consent granularly (by category). Keep logs of consent choices.
7. Data Protection Officer (DPO) Clause
Why It Matters
Organizations whose core activities involve large-scale processing of sensitive (special category) data, or large-scale regular and systematic monitoring of individuals, must appoint a DPO (Article 37). This clause identifies the DPO and their contact details.
Sample Clause
“Our Data Protection Officer:
We have appointed a Data Protection Officer to oversee compliance with data protection laws.
Contact:
Jane Doe
Email: dpo@companyname.com”
Best Practice
Even if you’re not required to appoint a DPO, having a point of contact for privacy concerns shows commitment to compliance.
8. Security Measures Clause
Why It Matters
GDPR Article 32 requires appropriate technical and organizational measures to secure data. This clause informs users of the protections you have in place.
Sample Clause
“How We Protect Your Data:
We use a range of security measures, including:
- TLS (SSL) encryption of data in transit
- Two-factor authentication for admin access
- Regular security audits
- Staff training on data protection
- Access controls and role-based permissions”
Best Practice
Don’t list every single tool, but provide enough detail to assure users that data protection is taken seriously.
9. Children’s Privacy Clause
Why It Matters
GDPR includes specific provisions regarding the collection of children’s data (Article 8). If your service is directed to children under 16, parental consent is required.
Sample Clause
“Children’s Privacy:
Our services are not intended for children under the age of 16. We do not knowingly collect personal data from children without verifiable parental consent. If we become aware that a child has provided us with personal data, we will delete such information immediately.”
Best Practice
If your platform is child-focused, ensure your consent mechanisms are GDPR-compliant and localized (some EU countries set the age threshold at 13).
10. Right to Withdraw Consent Clause
Why It Matters
Users have the right to withdraw their consent at any time, as per Article 7(3).
Sample Clause
“Withdrawal of Consent:
Where our processing is based on your consent, you may withdraw it at any time by clicking ‘unsubscribe’ in emails or contacting us at [email]. This will not affect the lawfulness of processing based on consent before its withdrawal.”
Best Practice
Clearly explain how to withdraw consent and what will happen afterward. Make the process easy and immediate.
11. Automated Decision-Making Clause
Why It Matters
GDPR restricts decisions made solely through automated processing, including profiling, if those decisions have legal or similarly significant effects (Article 22).
Sample Clause
“Automated Decision-Making:
We do not use your personal data for decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect you.”
Best Practice
If you do use such systems (e.g., for credit scoring or job applications), explain the logic involved and the user’s right to contest the decision.
12. Complaint & Supervisory Authority Clause
Why It Matters
Individuals have the right to lodge a complaint with a supervisory authority under Article 77.
Sample Clause
“Lodging a Complaint:
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority. For EU residents, you can find the contact details at [link to official EU DPA list].”
Best Practice
Always provide contact details or links to make it easier for users to file a complaint, even if you believe your practices are solid.
13. Changes to This Policy Clause
Why It Matters
Transparency requires that users be informed when the privacy policy changes.
Sample Clause
“Changes to This Privacy Policy:
We may update this privacy policy from time to time. We will notify you of significant changes by email or through a prominent notice on our website. The date of the last update is always shown at the top of this page.”
Best Practice
Let users know how they’ll be informed. Include a “last updated” date at the top or bottom of the document.
Final Tips for Crafting GDPR-Compliant Clauses
1. Use Clear and Simple Language
GDPR encourages transparency. Avoid legalese and ensure the average person can understand what they’re consenting to.
2. Be Specific, Not Generic
Don’t copy-paste vague templates. Tailor your clauses to your specific business operations, tools, and data flow.
3. Keep Your Privacy Policy Accessible
Always include a link to your privacy policy in user-facing areas like sign-up forms, footers, and account settings.
4. Update Regularly
As your business or legal obligations evolve, your clauses should be revised to reflect new technologies, partnerships, or legal requirements.
Conclusion
GDPR compliance is not just about ticking a box—it’s about building trust. These clause examples are your foundation. By clearly communicating how you handle personal data, you create transparency, minimize legal risks, and demonstrate ethical responsibility to your users and stakeholders.
Use this guide as a blueprint for your privacy documentation, whether you’re launching a startup, updating your SaaS privacy policy, or entering into contracts with data processors. A well-written GDPR clause isn’t just compliant—it’s a signal of integrity in the data-driven economy.