GDPR Compliance Statement Template [Free Download + Guide]
GDPR enforcement continues to accelerate — EU data protection authorities issued over €2.1 billion in fines in 2024, with the average fine for SMEs rising to €145,000 (GDPR Enforcement Tracker, 2024). A GDPR compliance statement is your organization's public declaration of how you handle personal data — and it's often the first document regulators review when investigating a complaint.
This guide explains what a GDPR compliance statement must include, provides ready-to-use template language, and covers the mistakes that turn a compliance statement into a liability. Download our GDPR compliance checklist to track your overall compliance status.
Key Takeaways
- A GDPR compliance statement is a public document declaring how your organization collects, processes, stores, and protects personal data of EU residents
- It must cover 8 areas: lawful basis, data categories, retention, subject rights, transfers, DPO contact, breach procedures, and third-party sharing
- The statement is separate from your privacy policy — it's a shorter, more accessible summary aimed at customers and regulators
- Search interest for "GDPR compliance statement template" grew 1,600% year-over-year — companies are actively seeking guidance
What Is a GDPR Compliance Statement?
A GDPR compliance statement is a concise document that summarizes your organization's commitment to data protection under the General Data Protection Regulation. It's not the same as a privacy policy, though the two overlap:
| Document | Purpose | Audience | Length | Required? |
|---|---|---|---|---|
| Privacy Policy | Detailed legal disclosure of all data practices | Users, lawyers, regulators | 3,000-8,000 words | Yes (GDPR Article 13/14) |
| GDPR Compliance Statement | Summary of compliance posture and commitments | Customers, prospects, partners | 500-1,500 words | Not explicitly, but expected |
| Data Processing Agreement | Contractual terms between controller and processor | Business partners | Varies | Yes (Article 28) |
Think of the privacy policy as the full legal document and the compliance statement as the executive summary. When a B2B prospect asks "are you GDPR compliant?", you send the compliance statement — not a 15-page privacy policy.
What Must Your GDPR Compliance Statement Include?
1. Organization Identity and DPO Contact
State who you are and how to reach your Data Protection Officer (or privacy contact if you don't require a DPO):
Template language:
[Company Name] is committed to protecting personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). For data protection inquiries, contact our Data Protection Officer at [dpo@company.com] or [physical address].
2. Lawful Basis for Processing
GDPR requires a legal basis for every type of data processing. The six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Your statement should identify which bases you rely on.
Template language:
We process personal data under the following lawful bases:
- Contract performance — to deliver services you've purchased or requested
- Consent — for marketing communications, which you may withdraw at any time
- Legitimate interests — for fraud prevention, security monitoring, and service improvement
- Legal obligation — for tax records, regulatory reporting, and employment law compliance
3. Categories of Personal Data Collected
Be specific about what data you collect and why:
Template language:
We collect and process the following categories of personal data:
- Identity data — name, job title, company name
- Contact data — email address, phone number, postal address
- Transaction data — purchase history, payment records (we do not store full credit card numbers)
- Technical data — IP address, browser type, device information, cookies
- Usage data — how you interact with our website and services
4. Data Retention Periods
State how long you keep each category of data:
Template language:
We retain personal data only as long as necessary for the purposes described above:
- Customer account data: duration of the business relationship + 3 years
- Transaction records: 7 years (legal/tax obligation)
- Marketing consent records: until consent is withdrawn
- Technical/usage data: 26 months (analytics purposes)
- Job applicant data: 6 months after the hiring decision
For a detailed retention schedule, use our data retention policy template.
5. Data Subject Rights
GDPR grants individuals 8 rights. Your statement must explain how to exercise them:
Template language:
Under GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your data
- Right to restriction — limit how we process your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests or direct marketing
- Rights related to automated decision-making — opt out of purely automated decisions
To exercise any right, email [dpo@company.com]. We will respond within 30 days.
6. International Data Transfers
If you transfer data outside the EU/EEA, explain the safeguards:
Template language:
Some of our service providers operate outside the European Economic Area. When we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework certification (where applicable)
- Adequacy decisions by the European Commission for specific countries
7. Third-Party Data Sharing
List categories of third parties you share data with:
Template language:
We share personal data with the following categories of third parties:
- Cloud hosting providers (data processing agreements in place)
- Payment processors (PCI DSS compliant, no card data stored by us)
- Email marketing platforms (consent-based communications only)
- Analytics providers (anonymized data where possible)
We do not sell personal data to third parties.
8. Breach Notification Procedures
GDPR requires notification within 72 hours of discovering a breach:
Template language:
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk to their rights
- Document all breaches in our internal breach register, regardless of severity
How to Publish Your Compliance Statement
Where to put it:
- Dedicated page on your website (e.g., /gdpr-compliance or /data-protection)
- Link from your footer next to Privacy Policy and Terms of Service
- Include in your B2B sales materials and vendor questionnaires
- Reference in your Data Processing Agreements
Who should approve it:
- Legal counsel (mandatory)
- Data Protection Officer (if you have one)
- CEO or equivalent (demonstrates organizational commitment)
How often to update:
- Review annually at minimum
- Update immediately when you add new data processing activities, new third-party processors, or change your data retention practices
- Date-stamp every version: "Last updated: [date]"
For a complete privacy policy (not just the compliance statement), use our privacy policy template and GDPR compliance guide for US companies.
Common GDPR Compliance Statement Mistakes
- Copy-pasting without customization — Regulators can tell when a statement is generic. Your processing activities, data categories, and retention periods must reflect your actual business operations.
- Claiming GDPR compliance without evidence — If your statement says "we encrypt all personal data" but you don't, that's worse than not having a statement. Only claim what you can demonstrate.
- Missing the lawful basis — Every processing activity needs a documented legal basis. "We collect data because we need it" isn't a lawful basis. Map each data type to one of the six GDPR bases.
- Forgetting to include all third parties — If you use 15 SaaS tools that process customer data, your statement must acknowledge this. Regulators will ask for your vendor list.
- No process for data subject requests — Stating that people have rights isn't enough. You need a documented process to fulfill requests within 30 days, including identity verification.
For ongoing GDPR compliance tracking, use our GDPR compliance checklist, data processing inventory template, and data subject request forms.
Frequently Asked Questions
Is a GDPR compliance statement legally required?
GDPR doesn't explicitly require a "compliance statement" as a named document. However, Articles 13 and 14 require you to provide specific information to data subjects about your processing activities, and Article 5(2) requires demonstrable accountability. A compliance statement is the most practical way to meet these obligations publicly. Most B2B customers and enterprise procurement teams expect one — not having it raises red flags during vendor assessments.
Does GDPR apply to US companies?
Yes, if you process personal data of EU residents. GDPR applies based on the data subject's location, not the company's location. If your website is accessible to EU visitors and you collect their data (even just cookies and IP addresses), GDPR applies. The practical trigger: if you have EU customers, EU website visitors you track, or EU employees, you need GDPR compliance. See our GDPR compliance guide for US companies for a detailed breakdown.
What's the difference between a GDPR compliance statement and a privacy policy?
A privacy policy is a detailed legal document (typically 3,000-8,000 words) that discloses all data processing activities in full detail — it's required by law. A compliance statement is a shorter summary (500-1,500 words) that highlights your commitment to data protection and provides a quick reference for customers and partners. Most organizations publish both: the privacy policy for legal compliance, the compliance statement for business communications.
How do I know if I need a Data Protection Officer (DPO)?
GDPR requires a DPO if you: (1) are a public authority, (2) conduct large-scale systematic monitoring of individuals (e.g., behavioral tracking), or (3) process large-scale special category data (health, biometric, racial/ethnic). Most mid-market B2B companies don't technically require a DPO, but designating a privacy contact person is strongly recommended. If you're unsure, consult a privacy attorney — the cost of the consultation is far less than the cost of getting it wrong.
What fines can we face for GDPR non-compliance?
GDPR fines have two tiers: up to €10 million or 2% of global annual turnover (whichever is higher) for less severe violations, and up to €20 million or 4% of global annual turnover for the most serious breaches. In practice, SME fines typically range from €5,000 to €500,000. The supervisory authority considers factors like the nature and severity of the breach, whether the company cooperated, whether data subjects were notified, and what preventive measures were in place.
Can I use the same compliance statement for GDPR and CCPA?
You can create a combined privacy compliance statement that covers both GDPR and CCPA (California Consumer Privacy Act), but the requirements differ enough that you should address them separately within the document. GDPR focuses on lawful basis, data portability, and the right to be forgotten. CCPA focuses on the right to know, delete, and opt-out of data sales. Many companies use a single privacy page with separate GDPR and CCPA sections. For a CCPA-specific template, see our CCPA privacy policy template.