What the Privacy Policy should contain in Spain

In a context where digitalization has permeated every corner of the business, massive data collection has become a constant regardless of the size or sector of an organization. In this scenario, digital security and efficient information management emerge as fundamental pillars. In the age of information and data, ensuring security and privacy becomes not only a priority, but an essential requirement for the ethical and trustworthy operation of any company.

This article will delve into enterprise-level privacy policies, exploring the practices necessary to safeguard data confidentiality and integrity in an interconnected world.

What is the Privacy Policy?

The privacy policy of a website is the legal safeguard established by the owner of the site to inform its clients and users about the collection, means of obtaining, storage and processing of personal data during browsing. This document not only outlines the processes involved, but also highlights the measures implemented to ensure the security and ethical use of such information, thereby ensuring data privacy.

In line with Article 12 of the General Data Protection Regulation (GDPR), the privacy policy must be simple, concise, transparent and easily understandable, avoiding ambiguous or overly technical terms that may cause unnecessary confusion.

Is it mandatory to have a Privacy Policy on the website?

In today’s digital landscape, managing a website without data collection is virtually impossible. For this reason, each website must have its own privacy policy, an essential tool to establish clear rules on the collection and processing of personal data.

The obligation to incorporate a privacy policy arises at the moment the website collects any personal data. This may include, for example, recording the IP address through third-party cookies hosted on the website, such as social media buttons or advertising banners. Essentially, any type of website, from e-commerce to personal blogs with a comments section, has a legal responsibility to include a privacy policy page. This requirement is not only a recommended practice, but a specific obligation under the GDPR and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), thus guaranteeing ethical and legal processing of the data collected.

What should the Privacy Policy of your website include?

The wording of the privacy policy on the website is crucial to establish clear and transparent guidelines on the collection and processing of personal data. Following the guidelines established in Article 13 of the GDPR, it is essential to address the following elements, among others, to ensure correct writing:

Identification of the data controller: It is essential to provide the contact information of the data controller. This includes the name of the organization, registered office, email address, among others.

Details of the person responsible for data protection: The policy must include the contact information of the data controller or its representative, as well as the contact information of the data protection officer, if one has been appointed.

Purpose of data processing: The specific purpose of personal data processing must be clearly and concisely specified. This may include managing contractual relationships, sending requested information, managing applications, among others.

Data retention period: Inform about the period during which the personal data will be kept or the criteria used to determine that period. This period may vary depending on legal obligations, conservation needs for claims, or to provide contracted services.

Data recipients: Inform about the recipients or categories of recipients of personal data, even if no transfers are made to third parties. It is essential to mention the non-communication of data to any third party when applicable.

Rights of the data subjects: Highlight the rights that data subjects have regarding the processing of their personal data, such as the rights of access, rectification, erasure, restriction, portability and objection.

In addition to these elements, the policy should explain any use of automated individual decision-making, such as profiling, if your website uses automated processes that may affect the user.

In conclusion, the absence of a privacy policy and poor implementation of data protection on a website can have significant consequences, including the imposition of sanctions for non-compliance. Adopting clear and transparent practices in the management of personal information not only strengthens trust with users, but is also crucial to comply with current regulations. In an increasingly regulated digital environment, prioritizing privacy becomes an essential preventive measure to avoid possible legal repercussions and protect the integrity of the company.


This publication does not constitute legal advice. 


How can LAW4DIGITAL help you? 

At LAW4DIGITAL we are lawyers specialized in digital business. We provide comprehensive legal advice to digital companies. We help you with online legal advice. 

We will keep you updated about digital business. In any case, you can contact us by sending an email to, calling (+34) 931 444 820 or filling out our contact form at 

We look forward to seeing you in the next post! 

Law4Digital Team. 

