NAALA | Not An Average Legal Advisor

How to write a privacy statement?

By: Sofie Geurts – Graduate intern at NAALA 

Published on 22 June, 2023

How to write a privacy statement?


Sofie Geurts

Graduate intern at NAALA

Published on 22 June, 2023

If you’re running a website or an app that collects personal data from your users, you need to pay attention to how you handle their information. In this guide, we’ll show you how to write a GDPR privacy statement that covers all the bases and boosts your credibility. A clear and comprehensive privacy statement is essential for any online service.

Why Do You Need a Privacy Statement?

Imagine this: You’ve created a brilliant solution, your website or app is live, and users are flocking to it. But do you know what personal data you’re collecting and what you’re doing with it? A privacy statement is your way of telling your users how you respect and protect their information. It builds trust, prevents legal troubles, and improves your reputation. Let’s explore the elements and best practices of a GDPR-friendly privacy statement.

Elements of a GDPR Privacy Statement

The following elements should be covered in your GDPR privacy statement:

  • Identity: Identify yourself as the data controller and provide your name and contact details. If you have a representative or a data protection officer, provide their name and contact details as well.
  • Data Collection and Usage: Explain what data you collect, why you collect it, and how you use it. Be transparent about the purpose, duration, and legal basis for processing personal data. If you rely on legitimate interests or consent as your legal basis, specify what they are and how users can withdraw consent.
  • Retention period: Inform users how long you keep their personal data and the criteria you use to determine the retention period. If you cannot specify a fixed period, explain the factors that influence your decision.
  • User Rights: Inform users of their rights regarding their personal data. Tell them how they can access, correct, and delete their information, as well as withdraw consent, object to processing, restrict processing, and request data portability. Make it easy for them to exercise these rights.
  • Filing a Complaint: Inform users of their right to lodge a complaint with a supervisory authority if they are unhappy with how you handle their personal data. Provide the contact details of the relevant authority or authorities.
  • Consequences of Not Providing Personal Data: If you require users to provide personal data by law or contract, or as a condition of using your service, inform them of this and the possible consequences of not providing it.
  • Third-Party Sharing: If you share data with third parties, disclose who they are and why you share it. Indicate if any data is transferred internationally and ensure compliance with cross-border data transfer rules.
  • Transfer to Third Countries: If you transfer personal data to countries outside the European Economic Area (EEA), inform users of this and the safeguards you have in place to protect their data. For example, if you rely on adequacy decisions, standard contractual clauses, binding corporate rules, or derogations.
  • Automated Decision-Making: If you use automated decision-making or profiling that has legal or significant effects on users, inform them of this and the logic and consequences involved. Provide them with a way to request human intervention or challenge the decision.
  • Source of Personal Data: If you obtain personal data from sources other than the users themselves, inform them of this and the categories of data you collect. Also inform them when you obtained the data and from which source.
  • Personal Data of Children: If you collect personal data from children under 16 years old (or a lower age limit depending on the member state), inform them of this and obtain verifiable parental consent. Provide privacy information in a way that children can understand.
  • Cookies: If you use cookies or similar technologies on your website or app, inform users of this and obtain their consent. Provide them with information on how to manage their cookie preferences and opt out.
  • Privacy Statement Updates: Inform users when you update your privacy statement and how they can access the latest version. Notify them of any significant changes that affect their rights or interests.

Best Practices for Writing an Effective Privacy Statement

  • Plain Language: Avoid legal jargon and technical terms. Use simple, clear, and user-friendly language that anyone can understand. Your users shouldn’t need a lawyer to read your privacy statement.
  • Tailor to Your Service: Customize your privacy statement to reflect your unique data practices and service model. Cookie usage, analytics, marketing communications—cover all aspects relevant to your website or app.
  • Readability and Accessibility: Structure your privacy statement into sections with descriptive headings. Use bullet points, subheadings, and formatting to improve readability. Ensure it is easily accessible on your website or within your app.

Common Mistakes to Avoid

  • Neglecting Updates: Your privacy statement should evolve as your service changes. Regularly – e.g., once a year – review and update it to reflect changes in your data practices or legal requirements.
  • Lack of Consent Mechanisms: Obtain explicit consent for processing personal data, especially when dealing with sensitive information. Avoid pre-ticked checkboxes and ensure consent is freely given.
  • Ignoring Third-Party Plugins: If you use third-party plugins or tools on your website or app, ensure they align with your privacy practices. Assess their data handling policies and disclose their presence in your privacy statement.

Ready to strengthen your data protection? Contact us today for a free 15-minute consultation. Our experts will help you navigate the complexities of GDPR compliance and provide you with a privacy statement template.

Questions? We are happy to discuss your specific case.

The Verzamelwet Gegevens-bescherming, or the Data Protection Collection Act, is a new Dutch law that amends existing data protection regulations to better align them with the European Union’s General Data Protection Regulation (GDPR). 

Under the GDPR, children deserve specific protection regarding their personal data. Practice shows that developers of digital health solutions wouldn’t touch children’s solutions with a ten-foot pole, as it seems impossible to comply with privacy legislation. Is this justified?


As you may know, all data subjects (the natural persons you process data of) deserve protection of their personal information and have rights related to their personal data.  These requirements result in a set of documentation that needs to be in place. We make a distinction between ‘internal’ and ‘external’ documentation. 

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis.