A privacy policy: why your website or online store needs one

Either because it is required or because without a privacy policy you risk serious financial penalties. If those aren't two convincing reasons to develop a privacy policy, then we don't know what are. 😉 Together we dive into the world of privacy rules for websites and webshops.

What you should definitely know about a privacy policy

"What exactly is a privacy policy?", good job asking yourself that question. After all, you can only create a privacy policy for your website if you are completely on board with everything concerning online privacy.

To put it simply, a privacy policy is an important document that informs your website or webshop visitors about how you deal with their privacy.

So don't approach your policy merely as an internal privacy policy. Make it a web page and give it a place on your website. That way, you are transparent about all the data that are collected, the reasons for collecting them and how the data are used. Walk your talk, so implement your policy as well. 😉

Privacy protection rights of your visitors

In addition, a privacy policy in Dutch also includes information about how data is stored ( among other things via cookies), secured and shared. You should also indicate how long you will retain certain data. Or what you as a company will do in case of data loss, a leak, hacking ...

Visitors also want to know which "third parties" you share their data with. For example, with service providers, advertisers or government agencies.

All this information is needed to make visitors or potential customers aware of their privacy rights and how their data is processed.

If you want to take it a step further, you can also explain yourself what rights your users have. There are quite a few! Like the right to access, correct, delete ...


The Data Protection Authority, a Belgian independent authority that ensures that basic principles of personal data protection are properly observed, has its own website where, among other things, you can read what privacy rights you have.

A privacy and cookie policy with different article numbers.
If you collect (special) personal data, having your own privacy statement is mandatory.

Why creating a privacy policy is important

Whether you want to put a standard privacy policy or a more detailed description online, drafting a privacy policy is always a good idea.

The most important reason to develop your privacy policy is, of course, because it is required by law. Anyone who starts a website or webshop must comply with (European) laws and regulations. More about that in a moment!

A privacy policy is a crucial part of ensuring the privacy of your users while protecting your organization's reputation. Because by being transparent, you create more trust with your visitors.

You want visitors to trust you

At this point, we don't have to tell you how important customer trust is. The more data leaks there are, the more internet users - not entirely unjustifiably - begin to worry. So your audience will start looking into their own privacy data. They will consider you responsible for handling their data safely. Think about birthdays, phone numbers, e-mail addresses ...

More than half of companies suffered a recent data breach in the year 2023. Unplanned disruptions caused by cyberattacks are also increasing, and becoming more and more expensive.


Your privacy policy must prevent visitors from doubting the security of your site or online shop. If problems do arise, your policy is a legal tool, while you can also use it as marketing.

Another important point: more and more third-party apps are asking for transparency (Third-Party Requirements) regarding the handling of private data from business partners.

Both Google and Apple currently require privacy policies from everyone they partner with, for all their products and apps. Since analytics software relies heavily on personal data, a policy is almost always required when using it.

Prevent hefty fines!

If you want to avoid hefty fines, create a privacy policy. Whether we are exaggerating? No, because the average GDPR fines in Belgium are up to 25,000 euros.


The bottom line is always the same: fines were issued to companies that did not comply with GDPR privacy guidelines. GDPR, by the way, stands for General Data Protection Regulation. That's the international term when talking about AVG.

Is a privacy policy required by law?

We'll go over it a few more times: yes, a privacy policy is mandatory. The European Union decided so by enacting GDPR, and it's penalizing those who violate those clear but strict rules.

As soon as you process personal data through your websites, you must create a privacy policy. Do you have a contact form on your site, do you collect e-mail addresses to send newsletters, can customers enter contests ... Those are immediately three boxes on your GDPR bingo card. 😉 So that puts you within the category of organizations that process personal data.


Rules and laws you must comply with

What rules and laws related to privacy do you need to consider? They mainly have to do with General Data Protection Regulation (AVG), cookie policies, and data protection.

Webshop or website? You always need to put this info online:

Name of your own business.
Legal form under which you exist.
Address of your company's registered office.
Contact details.
Company number and VAT number.
Details of a supervisory authority (only if you need a license for your activity).

Strictly speaking, you must also include those details on your various accounts on social media. The department of economics of the Belgian government explains it all:

An important AVG rule: if you use cookies on your website, you are required to inform visitors about this in your privacy policy or in a separate cookie policy. You must also ask them permission to process their IP address. You do so with a cookie banner.

How do cookies work?

When you visit a website, the site places small text files, called cookies, on your device (laptop, mobile phone ...). Those cookies contain information that the website can read when you return to the same website. For example, a shopping cart on a webshop. When you add items to your shopping cart, this information is stored in a cookie on your device. The next time you visit the website, the website can read the cookie and restore your shopping cart so you don't have to add the selected items again.

Do you send newsletters to your customers or use their data for other marketing campaigns? Indeed, there are rules for that too. To use that data, you have to ask your contacts for a separate permission. You must also state the processing, and privacy terms of this.

A cookie banner powered by iubenda.
If you use cookies, you need your visitors' permission to do so. You do that with a cookie banner.

Test your website's privacy settings

Are your website's privacy settings in compliance with the law? If not, you risk hefty fines in case of an audit. Complete the iubenda compliance scan and find out immediately whether your website meets all the conditions.

The iubenda logo on the left, a website in the middle and a magnifying glass to its right. The iubenda scan checks whether your website complies with the law.

Privacy statement and privacy policy difference

Getting everything mixed up ... Useful for some dj's among us, not when it comes to a serious matter like privacy. Because the terms privacy statement and (standard) privacy policy are often used together. So often they mean the same thing, but theoretically there are slight differences.

In some cases, your privacy notice (also called privacy statement) can be a summarized version of your privacy policy. Although we recommend not making a difference and dropping your full policy online. A short privacy statement is one way to communicate your privacy guidelines in an understandable manner.

Webshops that use a privacy statement often have an internal privacy policy. This contains a detailed description of how the company handles all collected data.

Like it or not, it will occasionally contain "dusty" legal language. But that should not be a reason not to put it on your website. The more openness to your visitors, the better.

Key elements of a standard privacy policy

Here you get a list of the most important basic elements that a developed privacy policy should include:

  • Who owns the website or app?
  • On what date was your privacy policy created?
  • What data do you collect?
  • How do you collect that data?
  • Why (on what legal basis) are you collecting that data?
  • What will you do with the collected personal data? (analytics, email marketing ...).
  • Through what sources do you collect personal information from your visitors (contact form, e-mail, cookies ...).
  • With which third parties do you share the data? (plugins, widgets, social media ...).
  • What rights do users have (view, delete, block data ...)?
  • Does the processing result in any automated decision-making?
  • How will you inform visitors about changes to your privacy policy?

If applicable, you must provide specific information about the transfer of data across national borders (for example, with an international organization) and the measures you take to ensure that this transfer takes place in a secure and compliant manner. This is another consequence of the General Data Protection Regulation (GDPR).

How do you create a privacy policy?

You can create your own privacy policy, but take your time. As well as a remedy for a headache, because figuring out all those rules yourself is a complex process. 😒 We hope these steps get you started quickly.

  1. Research legislation yourself. Map out the privacy laws and regulations that apply to you, learn about the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) in the United States, and/or the privacy law in Australia.
  2. Make an inventory of the types of personal data you collect from your visitors and customers.
  3. Clearly describe why you collect data and its legal basis.
  4. Explain how you process, store, protect and with whom you share the data collected.
  5. Inform visitors about their rights. This includes access, consent and possible deletion of their data.
  6. Write out the security measures you have taken to protect collected data from loss, misuse or disclosure, among other things.
  7. Add a section on the use of cookies. Be sure not to forget your cookie banner!
  8. Share contact information. Include contact information where surfers can go for questions, requests or complaints regarding data protection and privacy.

Website privacy policy outsourcing

Why make it hard on yourself, when you can do things much easier ... Instead of struggling yourself, let's outsource the creation of a privacy policy to others. No, not to your neighbor - or she happens to be a lawyer - but to competent partners.

You can turn to specialized lawyers or law firms, for example. Of course, check whether they have experience with data protection and privacy laws. There are also several consulting firms that will help you create a privacy policy.

Also useful (and often cheaper): use online compliance software. A compliance manager has several tools that you can use to create (or have created) a policy. That's how you generate the documents you need.

Just beware of websites that offer you a free privacy policy generator. Privacy policy generators usually offer free templates. Those are a good starting point in some cases, but you should always customize all documents to your situation.

Discover the easiest way to comply with privacy legislation

If you want to create your own privacy policy and cookie banner in no time, we recommend iubenda. This compliance software, managed by a team of international lawyers, is a sister company of Combell. So, you can count on the same service. 😄

With iubenda, you can generate all the necessary documents and tools and automatically keep them in line with changes in the law.

It is perhaps the easiest way for your website or webshop to comply with the GDPR legislation and other privacy laws. We agree that it is a mess of rules and regulations!

The iubenda logo - our compliance software

Iubenda is highly recommended because:

You can create your own privacy and cookie policies. The policies are automatically updated as legislation changes.
You can generate your own cookie banner. In this way you can effortlessly collect and store permission from Internet visitors.
You can also draw up general terms and conditions. With this detailed document you protect your company in case of problems or complaints.
In the centre is the iubenda logo surrounded by the logos of CMS systems Joomla, Magento and WordPress. iubenda is easy to install through plugins for the above CMS systems.
Iubenda takes care of the mandatory privacy components on your website.

Included with an iubenda package:

All the documents that make your website GDPR-proof.
Cookie banner in your own style to ask permission from your visitors.
Up-to-date with legislative changes thanks to a team of international lawyers.

Contact us to determine which package suits your website! You can start small and expand later to useful extras. Thanks to the handy plugins you can install iubenda on your website in minutes. We have plugins for WordPress, Joomla and Magento. You can also easily add it to SiteBuilder, by easily embedding a simple code (found in the tool) into the website.

Example privacy policy

Looking for a sample privacy policy? Good idea. A "privacy policy template" can be the basis for your own policy. But never just copy it. Your document must be customized for your company!

A screenshot of Combell's privacy policy as an example of what a privacy policy can look like.
Privacy policy example GDPR. In it you explain what happens to personal data.

However, you can stalk with your eyes in terms of structure, the privacy rules mentioned and the tone of voice of the document. That is why we provide a link to Combell's privacy policy. This way, you will immediately have a much better idea of what your own policy could look like.

Another privacy policy (website) example comes from VisitFlanders, an agency of the Flemish government.

Creating website privacy policies: 6 handy tips!

To conclude, we have 6 short, handy tips that will help you draft your own privacy policy.

  1. Clearly state how long you will keep data.
  2. Note whether the person concerned is obliged to provide certain data.
  3. Explain what organizational measures you will take if your company were to discontinue or merge.
  4. Provide clear instructions on how customers can withdraw their consent to the collection or certain processing of their personal data.
  5. Explain how users can file complaints in case of any violation of their (online) privacy.

😃 And that 6th tip is ... Use iubenda for your privacy policy.

Frequently asked questions about a privacy policy