GDPR Arts. 12, 13, and 14 require a privacy policy that is accessible, written in plain language, and covers specific mandatory disclosures — controller identity, legal bases, retention periods, data subject rights (including the right to lodge a complaint with a supervisory authority), and subprocessor names. A policy that requires authentication to access violates the accessibility requirement immediately: prospective users and regulators must be able to read it. An undated policy cannot demonstrate whether it was in effect before or after a particular data collection event. Vague language like 'we share with trusted partners' without naming anyone fails the specificity requirements of Art. 13(1)(e) independently of other gaps.
Rated Info because the policy is a documentation and transparency obligation — its absence or inadequacy is independently sanctionable but does not itself expose user data, though it signals systemic GDPR non-compliance to regulators.
Ensure your privacy policy at /privacy is publicly accessible, footer-linked from every page, has a visible 'Last updated' date, and covers each required Art. 13/14 disclosure.
## Required sections for a GDPR-compliant privacy policy
1. Controller identity and contact (company name, address, privacy@example.com)
2. What data we collect (enumerate: email, name, usage events, payment info, cookies)
3. Why we collect it and legal basis per type:
   - Account data: contract (Art. 6(1)(b))
   - Analytics: legitimate interest (Art. 6(1)(f)) with balancing test
   - Marketing: consent (Art. 6(1)(a))
4. Retention periods per data type
5. Named subprocessors, location, and transfer mechanism
6. International transfer mechanism (SCCs or adequacy decision)
7. Your rights: access, erasure, portability, rectification, restriction, objection, consent withdrawal, and right to lodge a complaint with the supervisory authority
8. Privacy contact and response time commitment
9. Last updated: [date]
Link the policy from every page footer. Set `robots: { index: true }` in the page metadata so search engines can surface it. Verify it is accessible without authentication by opening it in an incognito window. Update it within 30 days of any material change to data handling.
ID: gdpr-readiness.breach-accountability.accessible-privacy-policy
Severity: info
What to look for: Find the privacy policy page (typically /privacy, /privacy-policy, or /legal/privacy). Work through a checklist of GDPR Article 13/14 required disclosures: (1) controller identity and contact details, (2) DPO contact if applicable, (3) purposes and legal bases for each processing activity, (4) legitimate interest statement if used, (5) recipients or categories of recipients, (6) transfers to third countries and safeguards, (7) retention periods per data type, (8) user rights (access, erasure, portability, rectification, restriction, objection, withdrawal of consent, right to lodge a complaint with the supervisory authority), (9) existence of automated decision-making. Check: Is the policy accessible without authentication? Is it linked from the footer of every page? Does it have a "Last updated" or effective date? Is it written in plain language (not exclusively legal jargon)? Before evaluating, extract and quote the section of the privacy policy that describes the lawful basis for each processing activity. Count all instances found and enumerate each.
Pass criteria: Privacy policy exists at an accessible URL (no login required), is linked from every page footer, has a clear "Last updated" date, covers all GDPR Art. 13/14 required elements, and is written in language a non-lawyer can reasonably understand. At least 1 implementation must be confirmed.
Fail criteria: No privacy policy exists. Policy requires login to access. Policy not linked from footer. Policy lacks required disclosures (no legal bases, no retention periods, no user rights section, no third-party list). Policy is undated.
Skip (N/A) when: Application collects no personal data of any kind (purely static site, no auth, no analytics, no forms). This is extremely rare — document this assessment explicitly.
Detail on fail: Example: "No privacy policy found." or "Privacy policy exists but not linked from footer. Requires login to access." or "Privacy policy present but omits legal bases, retention periods, and user rights section."
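As an added example (not part of this checklist and not any project's code), the following Python script applies the accessibility, dating and required-disclosure checks above to the result of an unauthenticated fetch. It takes the HTTP status, final URL after redirects and response body (as `requests` or `urllib` would give you); the keyword patterns, the sample policy pages and the footer-link test are constructed assumptions for illustration, so the script runs offline on the embedded samples.

```python
# Added example, not part of the original checklist: an offline auditor for the
# policy-page checks. Keyword patterns, sample HTML and the assumed inputs
# (status_code, final_url, html) are constructed for illustration.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Phrases by which each required Art. 13/14 disclosure is recognised.
# These patterns are an assumption for this example, not a legal standard.
REQUIRED_DISCLOSURES: dict[str, list[str]] = {
    "controller identity": [r"\bwho we are\b", r"\bcontroller\b"],
    "legal basis": [r"\b(?:legal|lawful) bas[ei]s\b", r"art\.?\s*6\(1\)"],
    "retention periods": [r"\bretention\b", r"\bhow long we keep\b"],
    "recipients/subprocessors": [r"\bsub-?processors?\b", r"\bwho we share\b", r"\brecipients\b"],
    "international transfers": [r"\binternational transfers?\b", r"\bstandard contractual clauses\b",
                                r"\bSCCs?\b", r"\badequacy\b"],
    "data subject rights": [r"\byour rights\b", r"\bright to (?:access|erasure)\b"],
    "complaint to supervisory authority": [r"\bsupervisory authority\b", r"\blodge a complaint\b"],
    "privacy contact": [r"privacy@", r"\bdata protection officer\b", r"\bDPO\b"],
}

# Accepts "Last updated: 2024-05-01", "Effective date: May 1, 2024", "Last updated 1 May 2024".
DATE_RE = re.compile(
    r"(?:last updated|effective date)[:\s]+"
    r"(\d{4}-\d{2}-\d{2}|[A-Za-z]+ \d{1,2}, \d{4}|\d{1,2} [A-Za-z]+ \d{4})",
    re.I,
)


class _TextAndFooterLinks(HTMLParser):
    """Collect visible text and the hrefs that sit inside <footer> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.text: list[str] = []
        self.footer_links: list[str] = []
        self._footer_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "footer":
            self._footer_depth += 1
        if tag == "a" and self._footer_depth:
            href = dict(attrs).get("href")
            if href:
                self.footer_links.append(href)

    def handle_endtag(self, tag):
        if tag == "footer" and self._footer_depth:
            self._footer_depth -= 1

    def handle_data(self, data):
        self.text.append(data)


def parse(html: str) -> _TextAndFooterLinks:
    parser = _TextAndFooterLinks()
    parser.feed(html)
    return parser


@dataclass
class PolicyAudit:
    status: str                                  # "pass" or "fail"
    findings: list[str] = field(default_factory=list)


def audit_policy(status_code: int, final_url: str, html: str) -> PolicyAudit:
    """Apply the fail criteria: reachable without login, dated, required sections present."""
    findings: list[str] = []
    # An unauthenticated fetch must land on the policy, not on a login page or a 401/403.
    if status_code in (401, 403) or "/login" in final_url or "/signin" in final_url:
        findings.append("requires login to access")
    elif status_code != 200:
        findings.append(f"unexpected HTTP status {status_code}")
    text = " ".join(parse(html).text)
    if not DATE_RE.search(text):
        findings.append("policy is undated")
    for name, patterns in REQUIRED_DISCLOSURES.items():
        if not any(re.search(p, text, re.I) for p in patterns):
            findings.append(f"missing disclosure: {name}")
    return PolicyAudit("fail" if findings else "pass", findings)


def footer_links_to_policy(page_html: str, policy_path: str = "/privacy") -> bool:
    """Per-page criterion: a link to the policy must be inside the page footer, not just anywhere."""
    return any(href.rstrip("/") == policy_path or href.endswith(policy_path)
               for href in parse(page_html).footer_links)


# Constructed sample pages (not real sites).
GOOD_POLICY = """<html><body><h1>Privacy Policy</h1><p>Last updated: 2024-05-01</p>
<h2>Who we are</h2><p>Example Ltd is the controller. Contact privacy@example.com.</p>
<h2>Why we collect it and legal basis</h2><p>Account data: contract (Art. 6(1)(b)). Marketing: consent (Art. 6(1)(a)).</p>
<h2>How long we keep it</h2><p>Retention: account data until deletion; logs 90 days.</p>
<h2>Who we share it with</h2><p>Subprocessors: ExampleCloud (EU), ExampleMail (US, Standard Contractual Clauses).</p>
<h2>International transfers</h2><p>Transfers outside the EEA rely on SCCs.</p>
<h2>Your rights</h2><p>Access, erase, port, rectify, restrict, object, withdraw consent, or lodge a complaint with the supervisory authority.</p>
<footer><a href="/privacy">Privacy</a></footer></body></html>"""
BAD_POLICY = """<html><body><h1>Privacy Policy</h1><p>We care about your privacy.
We may share your data with trusted partners.</p><p>Contact us at privacy@example.com.</p></body></html>"""
LOGIN_PAGE = "<html><body><h1>Sign in</h1><form></form></body></html>"
PAGE_WITH_FOOTER = '<html><body><main>Hi</main><footer><a href="/terms">Terms</a> <a href="/privacy">Privacy</a></footer></body></html>'
PAGE_WITHOUT_FOOTER_LINK = '<html><body><p><a href="/privacy">Privacy</a></p><footer><a href="/terms">Terms</a></footer></body></html>'

if __name__ == "__main__":
    for label, result in [("good", audit_policy(200, "https://example.com/privacy", GOOD_POLICY)),
                          ("bad", audit_policy(200, "https://example.com/privacy", BAD_POLICY)),
                          ("gated", audit_policy(200, "https://example.com/login?next=/privacy", LOGIN_PAGE))]:
        print(label, result.status, result.findings)
    print("footer link:", footer_links_to_policy(PAGE_WITH_FOOTER), footer_links_to_policy(PAGE_WITHOUT_FOOTER_LINK))
```

The keyword matching is deliberately loose: a hit means only that a section appears to exist, so a human reviewer still has to quote the lawful-basis text as the checklist asks; a miss, an undated page, or a redirect to a login URL is what the script is good at catching across many pages. The footer check runs against each page's HTML, not just the policy, because the criterion is a link from every footer.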
Remediation: Create or update the privacy policy to cover all GDPR-required disclosures:
Required sections for a GDPR-compliant privacy policy:
1. Who we are (controller identity, registered address, contact email)
2. What data we collect (enumerate each type: email, name, usage events, cookies)
3. Why we collect it and legal basis:
   - Account data: contract (Art. 6(1)(b))
   - Analytics: legitimate interest (Art. 6(1)(f)) or consent (Art. 6(1)(a))
   - Marketing: consent (Art. 6(1)(a))
4. How long we keep it (per type: account data until deletion; logs 90 days; analytics 26 months)
5. Who we share it with (name each subprocessor, location, their DPA link)
6. International transfers (mechanism: SCCs or adequacy decision)
7. Your rights (access, erasure, portability, rectification, restriction, objection, withdraw consent, lodge a complaint with the supervisory authority)
8. Contact for privacy inquiries (privacy@example.com)
9. Last updated: [date]
Use a plain-language generator (Iubenda, Termly) as a starting point and customize it for your actual data flows. Review and update within 30 days of adding new third-party integrations or changing how data is handled.
Link to the privacy policy in every page footer. Make it accessible without authentication.