Write a privacy policy and information notices that comply with the GDPR, are clear, transparent and accessible to all
Writing a privacy policy in accordance with the GDPR is an essential step in inspiring trust and ensuring transparency in the processing of personal data. This practical guide explains how to design documents that are legible, accessible, and effective for your users.

Summary of the article in a nutshell
- The GDPR requires data subjects to be clearly informed
- Information notices should be simple, accessible and transparent
- A distinction is made between direct collection and indirect collection of personal data
- The privacy policy is often the first thing an Internet user sees
- Transparency is not a constraint: it is a lever for trust and business
- Tools like Adequacy make it easier to generate and update these notices
Transparency, a must (and an opportunity)
When an Internet user arrives on a website, what do they see first? Not your products. Not your services. But a cookie banner and often a link to the GDPR privacy policy.
Today, online business goes beyond physical commerce (Fevad, 2024). This means that your privacy policy has become a commercial front door.
The CNIL is clear: information should be understandable, accurate and accessible. However, all too often, it still looks like illegible blocks of legal text.
Informing should not be seen as a constraint. It is a legal obligation (articles 13 and 14 of the GDPR), but above all a guarantee of trust. Transparency reassures your visitors, and trust is the basis of business.
Mandatory information to be provided under the GDPR
Direct collection: inform as soon as data is entered
We are talking about direct collection when the person gives you their personal data themselves.
Example:
- A contact form where you enter your first name, email and message
- A cookie banner where you accept or refuse tracking
In this case, you must indicate, in a simple way:
- Who is responsible for the data (the company)
- Why the data is requested (e.g. responding to a contact request, sending a newsletter)
- On what legal basis (consent, contract, legal obligation...)
- How long it is kept (e.g. 3 years for commercial contacts)
- What the person's rights are (access, deletion, objection...)
Indirect collection: providing information within a reasonable time
Indirect collection refers to cases where you get data from another source.
Example:
- A file shared by a business partner
- Data from a professional directory
In this case, you should inform the person within a reasonable time (1 month maximum according to the GDPR), with the same elements as for direct collection, but also specifying the origin of the data.
How do you write a clear and effective privacy policy?
Writing a privacy policy that complies with the GDPR does not mean lining up articles of law. It means explaining simply what you do. A good policy is based on three pillars: clarity, accessibility and transparency.
1. Clarity: banishing legal jargon
Forget legal jargon. Prefer simple sentences.
Example: rather than “The personal data collected is likely to be transmitted to our subcontractors”, say:
“We work with trusted service providers (hosting provider, emailing solution). They only have access to the data they need to provide their service.”
This approach makes your GDPR privacy policy more readable and more understandable for your users.
2. Accessibility: structure and make reading fluid
The policy should be easy to find (often at the bottom of the page of a website). It must also be readable: titles, short paragraphs, clickable summary.
The example of Adequacy illustrates this approach well:
- Clear titles (“What data do we collect?”, “What is it for?”)
- Short and accessible answers
- Information grouped by theme (purposes, rights, retention, transfers)
3. Transparency: assume and explain your choices
Don't try to minimize or hide information. Saying that you keep data for 3 years for legal reasons will not scare away your customers. On the contrary, they will appreciate your honesty.
Legal design can also help: pictograms, diagrams, even explanatory videos. These elements increase accessibility and improve your brand image.
Transparency, the basis of trust and business
Writing a clear, GDPR-compliant privacy policy is not about “being regulated.” It lets you:
- Fulfill a legal obligation
- Gain the trust of your users
- Strengthen your brand image
It's not the hardest part of compliance. It is often even the simplest. No need to be a lawyer: on the contrary, explaining in your own words will make your information notices more accessible and understandable.
In three words: clarity = trust = business.


