The General Data Protection Regulation (GDPR) requires every website or app that collects personal data from EU residents to provide clear, accurate information about how that data is used. Failing to do so can result in significant fines — up to €20 million or 4% of annual global turnover, whichever is higher.

This guide walks you through exactly what your privacy policy must include under GDPR Article 13, with practical examples and plain-English explanations.

What is GDPR Article 13?

Article 13 of the GDPR specifies the information you must provide to data subjects (your users) at the point of data collection. Unlike Article 14 (which covers data obtained indirectly), Article 13 applies when you collect personal data directly from the individual — which covers virtually every website contact form, newsletter signup, and account registration.

What Must a GDPR Privacy Policy Include?

Under Article 13, your privacy policy must clearly state:

  • Who you are (Data Controller) — your company name, address, and contact details
  • Contact details of your DPO — if you have a Data Protection Officer
  • What data you collect — names, emails, IP addresses, payment details, etc.
  • Why you collect it (purposes) — marketing, order fulfilment, analytics, etc.
  • Your legal basis for processing — consent, contract, legal obligation, or legitimate interests
  • Who you share it with — third-party processors like Google Analytics, Stripe, Mailchimp
  • How long you keep it — your data retention periods
  • Users' rights — access, rectification, erasure, portability, objection
  • The right to complain — to a supervisory authority (e.g. the ICO in the UK, CNIL in France)

The 6 Lawful Bases Under GDPR Article 6

You must identify a valid legal basis for every type of processing you carry out. The most common bases for websites are:

  • Consent — the user has actively agreed (e.g. ticking a marketing opt-in box). Note: pre-ticked boxes do NOT count as consent under GDPR.
  • Contractual necessity — processing is needed to fulfil a contract (e.g. storing a delivery address to ship an order)
  • Legal obligation — you are required by law (e.g. keeping invoices for tax purposes)
  • Legitimate interests — your business interest, balanced against the user's privacy rights (e.g. fraud prevention, security logs)

Common Mistakes to Avoid

  • Copying another company's policy — it must reflect your actual data practices, not theirs
  • Vague language — "we may share your data with partners" is not specific enough under GDPR
  • Forgetting third-party processors — if you use Google Analytics, Stripe, Mailchimp etc., they must be listed
  • Not updating after changes — if you add a new tool or change your retention period, update the policy

Do Small Businesses Need a Privacy Policy?

Yes. GDPR applies to any organisation that processes personal data of EU residents, regardless of size. The only partial exemption is for purely personal or household activities. If you run a website that collects so much as an email address from an EU resident, GDPR applies.