The General Data Protection Regulation (GDPR), which became applicable on 25 May 2018, reshaped how organizations handle the personal data of individuals in the European Union (EU), regardless of where the organization itself is established. A key requirement under GDPR is the provision of a clear, transparent, and accessible privacy notice. This document informs individuals about how their personal data is collected, processed, stored, and protected. Crafting an effective GDPR-compliant privacy notice is critical for organizations to demonstrate compliance and build trust with users.
This article explores the components of a GDPR privacy notice, provides practical examples across different industries, and offers guidance on best practices. By examining real-world-inspired examples, organizations can better understand how to tailor their privacy notices to meet GDPR standards while maintaining clarity for their audience.
What is a GDPR Privacy Notice?
A GDPR privacy notice is a public-facing document that outlines an organization’s data processing activities. Under Article 13 and Article 14 of the GDPR, organizations must provide specific information to data subjects when collecting their personal data, whether directly from them (Article 13) or from another source (Article 14). Article 12 requires that this information be concise, transparent, written in plain language, and easily accessible.
Key elements of a GDPR privacy notice include:
- Identity and contact details of the data controller (and, if applicable, the data protection officer).
- Purpose of processing and the legal basis for it; where the basis is legitimate interests, the interests pursued.
- Categories of personal data collected and, where the data was not obtained from the data subject, its source.
- Recipients or categories of recipients of the personal data.
- Data retention periods or the criteria used to determine them.
- Rights of data subjects, such as access, rectification, erasure, restriction, objection, and portability, together with the right to withdraw consent and the right to lodge a complaint with a supervisory authority.
- Whether providing the data is a statutory or contractual requirement, and the consequences of not providing it.
- Details of international data transfers and the safeguards relied on.
- Information about automated decision-making, including profiling, with meaningful information about the logic involved and its significance and envisaged consequences, if applicable.
Below, we present three fictional but realistic examples of GDPR privacy notices tailored to different sectors: an e-commerce platform, a healthcare provider, and a non-profit organization. Each example incorporates GDPR requirements while reflecting the unique needs of the industry.
Example 1: E-Commerce Platform – ShopEasy
Privacy Notice for ShopEasy
Last Updated: April 16, 2025
At ShopEasy, we value your privacy and are committed to protecting your personal data. This privacy notice explains how we collect, use, and safeguard your information when you use our website (www.shopeasy.eu) or mobile app. ShopEasy Limited is the data controller responsible for your personal data.
1. Data We Collect
We collect the following categories of personal data:
- Identity and Contact Data: Name, email address, phone number, billing and shipping addresses.
- Transaction Data: Purchase history, payment details (processed via secure third-party providers).
- Technical Data: IP address, browser type, device information, and cookies (see our Cookie Policy).
- Usage Data: Pages visited, products viewed, and interactions with our marketing emails.
- Marketing Preferences: Your choices regarding promotional communications.
2. How We Collect Data
We collect data:
- When you create an account, place an order, or contact customer support.
- Automatically via cookies and analytics tools when you browse our website or app.
- From third parties, such as payment processors or marketing partners, with your consent.
3. Purposes and Legal Basis
We process your data for the following purposes:
- To fulfill your orders (contractual necessity): Process payments, deliver products, and manage returns.
- To improve our services (legitimate interest): Analyze website usage and personalize your shopping experience.
- To send marketing communications (consent): Share promotions and product recommendations if you opt in.
- To comply with legal obligations (legal obligation): Maintain records for tax purposes and respond to regulatory requests.
4. Sharing Your Data
We share your data with:
- Service Providers: Delivery companies, payment processors, and IT providers acting as data processors.
- Marketing Partners: Only with your explicit consent for targeted advertising.
- Authorities: When required by law, such as for tax or fraud prevention purposes.
5. International Transfers
If you are in the EU, your data is primarily processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to our U.S.-based analytics provider), we rely on safeguards such as the European Commission’s Standard Contractual Clauses (SCCs), supplemented by additional measures where the destination country requires them.
6. Data Retention
- Account data is retained for as long as your account is active. Inactive accounts are deleted after 5 years.
- Transaction data is kept for 7 years to comply with tax laws.
- Marketing data is retained until you withdraw consent.
7. Your Rights
Under GDPR, you have the right to:
- Access your personal data.
- Request correction or erasure of your data.
- Restrict or object to processing.
- Request data portability.
- Withdraw consent for marketing at any time.
To exercise these rights, contact us at privacy@shopeasy.eu. You may also lodge a complaint with your local data protection authority.
8. Security
We use encryption in transit and at rest, network firewalls, and PCI DSS-compliant payment gateways to protect your data; we do not store full card numbers ourselves. Regular security audits help us keep these controls effective.
9. Automated Decision-Making
We use automated profiling to recommend products based on your browsing and purchase history. These recommendations do not produce legal or similarly significant effects on you; we do not make decisions of that kind solely by automated means. You can object to this profiling at any time by contacting us or adjusting your account settings.
10. Contact Us
For questions, contact our Data Protection Officer at:
- Email: dpo@shopeasy.eu
- Address: ShopEasy Limited, 123 Commerce Street, Dublin, Ireland
This notice is reviewed annually or when significant changes occur. Check www.shopeasy.eu/privacy for updates.
Analysis of ShopEasy’s Privacy Notice
ShopEasy’s notice is tailored to an e-commerce context, addressing common activities like order processing, marketing, and analytics. It uses clear headings and bullet points for readability, ensuring users can quickly find relevant information. The notice names a legal basis for each purpose, which is critical for GDPR compliance, and includes details about international transfers, reflecting the global nature of e-commerce. The link to a separate cookie policy addresses the overlap between GDPR and the ePrivacy Directive, which governs the storage of and access to information on a user’s device.
Example 2: Healthcare Provider – HealthCare Plus
Privacy Notice for HealthCare Plus
Last Updated: April 16, 2025
HealthCare Plus, a network of medical clinics, is committed to safeguarding your personal data. This privacy notice explains how we handle your information when you visit our clinics, use our patient portal, or engage with our services. HealthCare Plus GmbH is the data controller.
1. Data We Collect
We process the following personal data:
- Personal and Contact Data: Name, date of birth, address, email, and phone number.
- Health Data: Medical history, diagnoses, test results, and treatment plans.
- Payment Data: Insurance details or payment information for services.
- Appointment Data: Dates, times, and reasons for visits.
- Technical Data: IP address and login details for our patient portal.
2. How We Collect Data
We collect data:
- When you register as a patient, book appointments, or use our portal.
- During consultations, diagnostic tests, or treatments.
- From third parties, such as referring doctors or insurance providers, with your consent.
3. Purposes and Legal Basis
We process your data:
- To provide medical care (contract under Article 6(1)(b), with the Article 9(2)(h) condition for the provision of health care; vital interests only in emergencies where you are unable to consent): Diagnose, treat, and manage your health.
- To manage appointments (contractual necessity): Schedule and confirm visits.
- To bill for services (legal obligation): Process payments or insurance claims.
- To improve our services (legitimate interest): Analyze patient feedback in anonymized form.
- For research (explicit consent): Use pseudonymized data for medical studies only with your explicit permission. Fully anonymized data, from which you can no longer be identified, is not personal data and may be used for statistics without consent.
4. Sharing Your Data
We share data with:
- Healthcare Professionals: Doctors, labs, or pharmacies involved in your care, with your consent.
- Insurers: For billing purposes, where applicable.
- Processors: IT providers managing our patient portal, bound by GDPR-compliant contracts.
- Authorities: When required by law, such as for public health reporting.
5. International Transfers
Your data is processed within the EEA. If it is transferred outside the EEA (e.g., to a research partner), we use safeguards such as Standard Contractual Clauses (SCCs) or, for transfers within a corporate group, Binding Corporate Rules (BCRs).
6. Data Retention
- Medical records are retained for 10 years after your last visit, as required by healthcare regulations.
- Billing data is kept for 7 years for tax purposes.
- Portal login data is deleted 2 years after account inactivity.
7. Your Rights
You have the right to:
- Access your medical records.
- Request corrections to inaccurate data.
- Restrict processing in certain cases.
- Object to processing for research purposes.
- Request data portability for transferable records.
Contact our Data Protection Officer at dpo@healthcareplus.de to exercise these rights. You can also complain to your supervisory authority.
8. Security
We use encrypted databases, access controls, and regular staff training to protect your sensitive data.
9. Automated Decision-Making
We do not use automated decision-making that significantly affects you.
10. Contact Us
Reach our Data Protection Officer at:
- Email: dpo@healthcareplus.de
- Address: HealthCare Plus GmbH, 456 Wellness Road, Berlin, Germany
Updates to this notice are posted at www.healthcareplus.de/privacy.
Analysis of HealthCare Plus’s Privacy Notice
HealthCare Plus’s notice addresses the sensitive nature of health data, emphasizing consent and legal obligations. Health data is special category data under GDPR Article 9, so in addition to an Article 6 legal basis the notice must identify an Article 9 condition, such as the provision of health care or explicit consent for research, and the notice does this. It avoids jargon, making it accessible to patients, and ties retention periods to healthcare regulations. The statement that no automated decision-making with significant effects takes place reassures patients about human oversight in medical decisions.
Example 3: Non-Profit Organization – GreenFuture
Privacy Notice for GreenFuture
Last Updated: April 16, 2025
GreenFuture, a non-profit dedicated to environmental sustainability, respects your privacy. This notice explains how we process your personal data when you visit www.greenfuture.org, donate, or participate in our campaigns. GreenFuture NGO is the data controller.
1. Data We Collect
We collect:
- Identity and Contact Data: Name, email, address, and phone number.
- Donation Data: Payment details (processed securely via third-party platforms).
- Engagement Data: Event participation, petition signatures, and campaign interactions.
- Technical Data: IP address, browser type, and cookies (see our Cookie Policy).
2. How We Collect Data
We collect data:
- When you sign up for newsletters, donate, or join campaigns.
- Automatically via website analytics tools.
- From partners, such as event organizers, with your consent.
3. Purposes and Legal Basis
We use your data:
- To process donations (contractual necessity): Record and acknowledge contributions.
- To communicate (consent): Send newsletters, campaign updates, or event invitations.
- To improve our work (legitimate interest): Analyze engagement to optimize campaigns.
- To comply with laws (legal obligation): Report donations for transparency.
4. Sharing Your Data
We share data with:
- Service Providers: Payment processors, email platforms, and IT providers acting as processors.
- Campaign Partners: Only with your consent for joint initiatives.
- Regulators: As required for financial reporting.
5. International Transfers
Data is processed in the EEA. For transfers outside (e.g., to a global campaign partner), we use SCCs.
6. Data Retention
- Donor data is kept for 7 years for financial reporting.
- Newsletter subscriber data is retained until you unsubscribe.
- Event data is deleted 1 year after the event.
7. Your Rights
You can:
- Access your data.
- Request corrections or deletion.
- Restrict or object to processing.
- Withdraw consent for communications.
Contact us at privacy@greenfuture.org or complain to your data protection authority.
8. Security
We use secure servers, encryption, and restricted access to protect your data.
9. Automated Decision-Making
We do not use automated decision-making.
10. Contact Us
Reach us at:
- Email: privacy@greenfuture.org
- Address: GreenFuture NGO, 789 Eco Lane, Amsterdam, Netherlands
Check www.greenfuture.org/privacy for updates.
Analysis of GreenFuture’s Privacy Notice
GreenFuture’s notice is concise yet comprehensive, reflecting the lean operations of a non-profit. It emphasizes consent for communications, aligning with GDPR’s focus on opt-in marketing. The notice is user-friendly, with short sections and clear language, making it accessible to a broad audience. It also addresses the organization’s global partnerships, ensuring transparency about international data transfers.
Best Practices for GDPR Privacy Notices
- Use Plain Language: Avoid legal jargon to ensure accessibility for all users.
- Structure Clearly: Use headings, bullet points, and short paragraphs for readability.
- Be Transparent: Clearly state purposes, legal bases, and third-party sharing.
- Highlight Rights: Make it easy for users to understand and exercise their GDPR rights.
- Update Regularly: Review and update the notice to reflect changes in processing or regulations.
- Ensure Accessibility: Provide the notice in multiple formats (e.g., website, app, PDF) and languages if targeting diverse audiences.
- Address Specific Contexts: Tailor the notice to the organization’s industry and data practices.
Common Pitfalls to Avoid
- Overloading with Details: Too much information can overwhelm users. Focus on key points and link to supplementary policies (e.g., cookies).
- Vague Language: Avoid terms like “we may share data” without specifying recipients or purposes.
- Inaccessible Notices: Ensure the notice is easy to find on your website or app.
- Ignoring Updates: Failing to revise the notice when practices change can lead to non-compliance.
Conclusion
A GDPR-compliant privacy notice is more than a legal requirement; it’s an opportunity to build trust with users by demonstrating transparency and accountability. The examples of ShopEasy, HealthCare Plus, and GreenFuture illustrate how organizations in different sectors can craft notices that meet GDPR standards while addressing their unique data processing activities. By following best practices and avoiding common pitfalls, organizations can create privacy notices that are clear, user-friendly, and compliant, fostering confidence among their audiences.
For organizations seeking to develop or refine their privacy notices, consulting with legal experts and reviewing guidance from data protection authorities (e.g., the European Data Protection Board) is advisable. A well-crafted privacy notice not only ensures compliance but also reinforces an organization’s commitment to protecting personal data in an increasingly data-driven world.