
GDPR Privacy Policy Template

Andy Przystanski
Senior Content Marketing Manager
Lattice


Data privacy isn’t just a legal obligation — it’s a commitment to transparency, trust, and respect. The General Data Protection Regulation (GDPR) is a European Union law that gives individuals more control over how their personal data is collected, used, and protected.

Whether you're hiring in the EU, serving EU customers, or partnering with EU-based vendors, GDPR likely applies to your business. This privacy policy outlines how your company handles personal data, what rights individuals have, and what steps you take to ensure data is secure, lawful, and transparent.

This template provides a clear and compliant foundation for communicating your GDPR responsibilities to employees, customers, candidates, or site visitors.

What the GDPR Privacy Policy Should Include

To comply with GDPR, your privacy policy must include:

  • Who you are: The name and contact details of the data controller
  • What data you collect: Categories of personal data you process
  • How you collect it: Web forms, cookies, employee records, third-party sources, etc.
  • Why you process the data: Legal basis for each type of processing
  • How long you retain data: Retention periods or criteria for determining them
  • Who you share it with: Processors, partners, or authorities
  • What rights individuals have: Access, rectification, erasure, data portability, etc.
  • How individuals can exercise their rights: Contact details or forms
  • Data security: Steps taken to protect personal information
  • International transfers: If data is transferred outside the EEA and how it’s protected
  • Your lawful basis for processing: Consent, contract, legal obligation, legitimate interests, etc.

Purpose of the GDPR Privacy Policy

This policy is intended to:

  • Demonstrate compliance with Articles 12–14 of the GDPR
  • Help individuals understand how and why their data is used
  • Provide a simple and accessible guide to their rights under the GDPR
  • Reduce legal risk by setting clear expectations around data handling and access

Sample GDPR Privacy Policy


Effective Date: [Insert Date]
Policy Owner: Data Protection Officer / Legal Team / Compliance Lead
Last Reviewed: [Insert Date]

1. Who We Are

[Company Name] (“we,” “our,” or “us”) is the data controller responsible for your personal data under this policy. If you have any questions or concerns, you can contact us at:

[Company Name]
[Company Address]
Email: [Insert email address]
Phone: [Insert phone number]
Data Protection Officer (if applicable): [Insert DPO contact info]

2. What Personal Data We Collect

We may collect and process the following types of personal data:

  • Identification data: Name, address, email, phone number
  • Employment data: Job title, CV/resume, references, performance data
  • Payment data: Bank details, transaction records
  • Technical data: IP address, browser type, device identifiers
  • Usage data: Interactions with our website, services, or communications
  • Marketing preferences: Consent history, email subscription choices

We collect personal data directly from you, through third parties (e.g., background check providers, job platforms), and automatically through cookies or similar technologies.

3. Why We Collect Your Data

We process your personal data for the following purposes:

Purpose (legal basis):

  • Processing job applications: Consent / Pre-contractual necessity
  • Providing our products or services: Contractual necessity
  • Sending service-related communications: Legitimate interests / Contractual necessity
  • Marketing and newsletter subscriptions: Consent
  • Analyzing website performance: Consent / Legitimate interests
  • Complying with legal obligations: Legal obligation

4. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purpose for which it was collected, including legal or regulatory requirements.

For example:

  • Recruitment data: up to 12 months after the hiring decision (unless extended with consent)
  • Customer data: as long as you use our services + [Insert period, e.g., 6 years] for accounting/legal compliance
  • Website analytics: anonymized data retained for [Insert period, e.g., 24 months]

You can request deletion of your data at any time unless we are required by law to retain it.

5. Who We Share Your Data With

We may share your data with:

  • Service providers and vendors: Hosting, email, analytics, and HR systems (under data processing agreements)
  • Government authorities or regulators: Where required by law
  • Legal and professional advisors: In the course of business operations or dispute resolution
  • Third parties: Only with your explicit consent or under legal obligation

We do not sell or rent your personal data to third parties.

6. International Data Transfers

If we transfer your personal data outside of the European Economic Area (EEA), we will ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Transfers to countries with adequate protection laws (per EU Commission decisions)
  • Binding corporate rules or certification mechanisms


7. Your Data Protection Rights

Under the GDPR, you have the right to:

  • Access your personal data and obtain a copy
  • Rectify inaccurate or incomplete data
  • Erase your personal data (“right to be forgotten”)
  • Restrict or object to processing in certain situations
  • Withdraw consent at any time (where processing is based on consent)
  • Port your data to another provider in a structured, machine-readable format
  • Complain to a supervisory authority (e.g., your national data protection authority)

To exercise your rights, contact us at [Insert contact email or request form link].

8. Data Security

We use reasonable and appropriate technical and organizational security measures to protect your data from unauthorized access, loss, alteration, or misuse. These measures may include:

  • Encrypted storage and transmission
  • Access controls and password protections
  • Employee training and awareness
  • Regular audits of our systems and vendors

Despite these measures, no method of data transmission is 100% secure. We encourage you to contact us immediately if you believe your personal data has been compromised.

9. Changes to This Policy

We may update this privacy policy from time to time to reflect legal, technical, or business changes. When we do, we’ll post the revised policy on our website and update the effective date at the top.

If we make material changes, we’ll notify you directly (e.g., via email or platform notification) where required by law.

Frequently Asked Questions

1. What does GDPR mean for me as a job applicant?
It means your personal information (e.g., resume, contact info) is protected. You can request to see, update, or delete your data at any time, and we won’t share it without a valid reason or your consent.

2. Do you use cookies or tracking technologies?
Yes — but only with your consent. For more detail, see our [Cookie Policy] (link to your separate cookie notice, if applicable).

3. How do I withdraw consent?
You can opt out of marketing emails by clicking “unsubscribe” or contact us at [Insert contact info] to withdraw any other type of consent.

4. What happens if I don’t want you to collect my data?
In some cases, we may not be able to provide you with certain services (e.g., processing a job application) without some personal data. We’ll always explain what’s optional and what’s required.


🚩 Please note: This sample policy is for informational purposes only and does not constitute legal advice. Always consult a data protection officer (DPO) or legal advisor to ensure your privacy policy meets GDPR requirements for your business model and jurisdiction.

✨ Disclaimer: This resource was developed with the help of artificial intelligence, though reviewed, edited, and approved by (real) humans.
