GDPR privacy statement for your website: what must it contain in 2026?

Mandatory as soon as your website processes personal data. Article 13 GDPR requires 11 elements. Checklist and frequently asked questions for SME websites.

Short answer
  • A privacy statement is mandatory for every website that processes personal data — contact forms, Google Analytics, newsletters or shopping carts. The obligation follows from Article 13 of the GDPR (General Data Protection Regulation, known as AVG in Dutch). The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) can impose a fine of up to €20 million or 4% of global annual turnover for non-compliance.
  • The statement must at minimum state: who the data controller is, which personal data you process, the legal basis (consent, legitimate interest, legal obligation, contract performance), how long you retain the data, with whom you share it (processors, third countries), and what rights the data subject has (access, rectification, erasure, objection, portability, complaint to the AP).
  • Do not use off-the-shelf generators without customisation: a generic text will not cover your specific processing activities. Link the privacy statement to your cookie banner and Data Processing Agreements (DPAs) with tools such as Google Analytics, Mailchimp and HubSpot.

When is a privacy statement mandatory?

A privacy statement is mandatory as soon as your website processes personal data. Personal data is any information that can directly or indirectly identify a natural person: name, email address, IP address, cookie ID or location data. In practice this means almost every business website is required to publish a privacy statement. A contact form processes name and email. Google Analytics registers IP addresses and cookie IDs. A newsletter system stores email addresses. The obligation applies equally to sole traders and SMEs as to larger companies. The legal basis is Article 13 GDPR: as soon as you collect data from the data subject, you must inform them directly.

Checklist

11 mandatory elements of a GDPR privacy statement

Article 13 GDPR (and Article 14 for indirectly obtained data) requires you to provide the following information. Check each element against your own statement.

1. Identity and contact details of the data controller

Full name (or company name), address and email address of the organisation that decides how personal data is processed. For sole traders: your name and Chamber of Commerce (KvK) number.

2. Contact details of the Data Protection Officer (DPO)

Only mandatory if your organisation has appointed a DPO (required for public authorities and organisations that process special categories of data on a large scale). Not applicable for most SMEs.

3. Purposes and legal bases of processing

For each purpose, state the legal basis: consent (Art. 6(1)(a)), contract performance (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), legitimate interest (Art. 6(1)(f)). Example: 'We process your email address based on consent to send our newsletter.'

4. Legitimate interest (if applicable)

If your legal basis is 'legitimate interest' (Art. 6(1)(f)), describe this interest. Example for website visitor analytics: 'We have a legitimate interest in measuring website performance to improve the user experience.'

5. Recipients or categories of recipients

Name all third parties with access to personal data: hosting provider, email marketing platform (Mailchimp, HubSpot, ActiveCampaign), CRM system, analytics tool (Google Analytics, Plausible), payment provider (Stripe, Mollie). Conclude a Data Processing Agreement (DPA) with each.

6. Transfers to third countries

If you transfer data to parties outside the EEA (European Economic Area) — such as Google (US) or Amazon AWS — state the transfer and the safeguard: adequacy decision, Standard Contractual Clauses (SCCs) or Binding Corporate Rules.

7. Retention periods

For each processing purpose, state how long you retain the data. Example: contact form data 2 years; invoice data 7 years (statutory fiscal retention); newsletter subscribers until unsubscription plus 1 year.

8. Rights of the data subject

Access (Art. 15), rectification (Art. 16), erasure ('right to be forgotten', Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21). State how the data subject can submit a request (email address or form) and within what timeframe you will respond (legally up to 1 month, extendable to 3 months).

9. Right to withdraw consent

If your processing is based on consent: explicitly state that the data subject can withdraw consent at any time without affecting processing prior to withdrawal.

10. Right to lodge a complaint with the supervisory authority

Data subjects have the right to lodge a complaint with the supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). State the name and web address of the supervisory authority.

11. Automated decision-making and profiling

Only required if you engage in this. State whether you make automated decisions (e.g. dynamic pricing, credit scoring) and describe the logic and consequences. Not applicable for most SME websites.

Practical approach

How do you write a solid privacy statement for your SME website?

Start with a processing register: a list of all systems that receive personal data (contact form, analytics, newsletter, chat, CRM, payment provider). For each system note the purpose, legal basis and retention period. Use this to write the statement. Use plain language — avoid legal jargon and write in understandable terms that meet the information obligation of Art. 13(3) GDPR. Publish the statement at a fixed URL (e.g. /privacy) accessible from the footer of every page and from the cookie banner. Also include a separate cookie statement if you use non-functional cookies (Google Analytics, Facebook Pixel, HotJar). Update the statement whenever you introduce a new processing tool. Retain versions with dates — the AP may request proof of the statement at a specific moment if a complaint is filed.

Frequently asked questions about the GDPR privacy statement

Is a privacy statement mandatory for a small website or sole trader?
Yes. The GDPR makes no distinction based on company size. Every website that processes personal data — including a sole trader with only a contact form — is required to publish a privacy statement and inform data subjects pursuant to Article 13 GDPR. The Dutch Data Protection Authority takes a proportionate approach with small businesses, but the absence of a statement remains a violation.

Can I use a free privacy statement generator?
A generator provides a useful basic structure, but the output must always be customised to your specific processing activities. A generic text stating 'we may share personal data with third parties' without naming those parties does not comply with Article 13 GDPR. Work through the 11 mandatory elements and adapt the text to your specific tools (Google Analytics, Mailchimp, HubSpot, Stripe, etc.).

What is the difference between a privacy statement and a cookie statement?
A privacy statement covers all processing of personal data by your organisation (contact forms, newsletters, CRM, analytics). A cookie statement is specifically about the placement of cookies and similar technologies (pixels, local storage). The obligation for a cookie statement follows from the Dutch Telecommunications Act (and the upcoming ePrivacy Regulation). Most SME websites need both: the cookie statement as part of the cookie banner, the privacy statement as full disclosure under GDPR Art. 13.

How long must I retain personal data?
There is no universal statutory retention period in the GDPR — you retain data only as long as necessary for the purpose (data minimisation, Art. 5(1)(e)). Common periods for SME websites: contact form data 2 years; invoice data 7 years (fiscal retention obligation); newsletter subscribers until unsubscription plus 1 year as proof of consent; website log files maximum 6 months. Document your choices in your processing register.

What fine can the AP impose for a missing privacy statement?
The Autoriteit Persoonsgegevens can impose an administrative fine of up to €20 million or 4% of global annual turnover (whichever is higher) for violations of the information obligation under Art. 13 GDPR. For small SMEs the actual fines are much lower — the AP focuses on more serious violations — but a complaint from a data subject can lead to a binding instruction and ultimately a fine if you do not act promptly.

Need help with the GDPR compliance of your website?

We build websites that are privacy-compliant from the start: cookie banner, privacy statement and data processing agreements included. Book a free call to discuss what your website needs.