Is Your Privacy Policy GDPR Compliant? 7 Things Most Companies Get Wrong

Stating purposes without specifying the legal basis for each one

Article 13(1)(c) requires you to state both the purpose of processing and the lawful basis for it. Most policies state purposes ("to provide our services," "to send you updates") but never specify which of the six GDPR lawful bases applies to each activity.

The six bases are: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. You must name the specific one — and if you're relying on legitimate interests, you must describe what those interests are.

Create a processing activities table or clearly structured list. For each activity, state: what data, what purpose, and which lawful basis. If you use legitimate interests, add a brief explanation of the interest and why it isn't overridden by user rights.

Using retention language that tells users nothing

Article 13(2)(a) requires you to specify the period for which personal data will be stored, or if that isn't possible, the criteria used to determine that period. "As long as necessary for the purposes described above" is not a period. It's not even criteria. It's a placeholder.

This comes up in almost every enforcement action involving privacy notices. The Dutch DPA, the ICO, and the CNIL have all issued guidance making clear that this phrasing doesn't satisfy the requirement.

Break out retention by data category: account data (deleted 30 days after account closure), purchase records (7 years per tax law), marketing preferences (2 years from last interaction), support tickets (1 year). Specific timeframes are better; specific criteria (e.g., duration of contractual relationship plus 3 years) are acceptable when exact periods can't be set.

Enumerating data subject rights as a bullet list with no practical instructions

Most privacy policies include a section listing the rights: right of access, right to rectification, right to erasure, right to portability, right to restriction, right to object, rights related to automated decision-making. That section satisfies Article 13 only if you also explain how users actually exercise those rights.

Article 12(2) requires you to facilitate the exercise of data subject rights. A list with no contact information, no process, and no timeframe isn't facilitation — it's a formality that provides nothing of practical use.

Add a clear statement: how to submit requests (email address, web form, or portal), what information to include in the request, and that you'll respond within 30 days (the statutory maximum under Article 12(3)). If you have a designated DPO, include their contact details separately.

Disclosing that data leaves the EEA without identifying the transfer safeguard

If you transfer personal data outside the European Economic Area — which most companies do, because AWS, Google Cloud, Salesforce, HubSpot, Stripe, and hundreds of other US-based vendors process your users' data — Article 13(1)(f) requires you to identify the transfer and the "safeguards in place" or the "means by which to obtain a copy of them."

Saying "we may transfer data internationally" isn't enough. You need to name the mechanism: adequacy decision (covers countries like the UK, Japan, and South Korea), Standard Contractual Clauses (the most common mechanism for US transfers), Binding Corporate Rules, or an approved certification.

The TikTok €530 million fine from Ireland's DPC in 2025 was specifically about unauthorized data transfers to China with no adequate safeguard. That's an extreme case, but the principle applies at every scale.

Audit which vendors receive personal data and where they process it. For US-based vendors (most SaaS tools), confirm they have SCCs in place with their EU/EEA data processors. Name the mechanism in your privacy policy: "For transfers to the United States, we rely on Standard Contractual Clauses approved by the European Commission."

Ignoring Article 22 obligations around profiling and automated decisions

Article 13(2)(f) requires you to disclose "the existence of automated decision-making, including profiling" and provide "meaningful information about the logic involved, as well as the significance and the envisaged consequences."

Most companies think this only applies to fully automated decisions like credit scoring or loan applications. It doesn't. It applies wherever you use personal data to evaluate, analyze, or predict things about individuals — behavioral analytics, lead scoring, email segmentation based on activity, personalized pricing. If you use any modern marketing or analytics stack, you're likely doing profiling under the GDPR definition.

Walk through your marketing and analytics tools and identify any that perform scoring, segmentation, or behavioral modeling. If none produce "solely automated decisions" with legal or significant effects, you can state that and briefly describe the profiling activities that do occur. If you do make automated decisions with significant consequences, you must explain the logic and give users the right to human review.

Listing recipient "categories" so broadly they convey nothing

Article 13(1)(e) requires you to identify "recipients or categories of recipients of the personal data." Many privacy policies satisfy this technically but fail it practically by listing categories like "service providers," "business partners," "analytics providers," and "advertising partners" — categories so broad that a user has no real understanding of who actually has their data.

The EDPB's guidance on transparency is clear that the description should be specific enough to be meaningful. "Third-party analytics providers" covers both a small A/B testing tool and Google. Those aren't the same risk profile and shouldn't be described the same way.

Name specific vendors where practical, or at minimum provide genuinely specific categories: "cloud infrastructure providers (AWS, Google Cloud)," "CRM tools (HubSpot)," "payment processors (Stripe)." For advertising partners, this is where specificity matters most — list the actual platforms if you use third-party tracking pixels or ad networks.

Conflating the ePrivacy Directive cookie obligations with GDPR transparency obligations

Cookie consent and privacy policy transparency are legally separate requirements. The cookie banner (or cookie consent tool) satisfies your obligations under the ePrivacy Directive for consent to non-essential cookies. The privacy policy satisfies your GDPR Article 13 obligations to inform users about all data processing activities.

A lot of companies have implemented a cookie consent tool — which is good — and then treated this as having handled their privacy obligations. It hasn't. Even with a perfect cookie banner, your privacy policy still needs to cover all the items in this list: lawful bases, retention periods, data subject rights, transfer mechanisms, automated processing, and third-party recipients.

The other common failure here is the reverse: using your privacy policy to obtain consent to cookies. Consent buried in a privacy policy isn't valid GDPR consent for cookies — it needs to be specific, informed, and given at the point of collection, not inferred from someone reading a document.

Keep these as separate, linked documents that each serve their own purpose. Your privacy policy covers GDPR Article 13 obligations. Your cookie policy or consent banner covers ePrivacy consent. Neither substitutes for the other.