GDPR Policy for a company — obligations and documents

April 6, 2026 · 4 min read


What GDPR Requires

Since 25 May 2018 every business that processes personal data of individuals in the EU (regardless of their citizenship) is required to have specific documents in place. This applies to small companies too: there is no small-business exemption from the transparency obligations, so if you accept orders online or store customer email addresses, the requirements below apply to you.

Mandatory Documents

1. Privacy Policy. Published on your website, it describes what data you collect, the purpose of processing, the legal basis, the retention period and the rights of data subjects.

2. Cookie Policy. If you use Google Analytics, Facebook Pixel or any other tracking cookies, you need prior informed consent (a cookie consent banner that loads the trackers only after the visitor opts in) and a cookie policy explaining which cookies are set and why. Consent must meet the GDPR standard: freely given, specific, informed and unambiguous.

3. Notice under Art. 13/14 GDPR. Art. 13 applies when you collect data directly from the data subject, Art. 14 when you obtain it from another source; in both cases the required information must be provided to the data subject at the time of collection (or, under Art. 14, within a reasonable period).

Penalties for Non-Compliance

The Commission for Personal Data Protection (CPDP) may impose administrative fines under Art. 83 GDPR:

  • Up to 10 million EUR or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the infringements listed in Art. 83(4)
  • Up to 20 million EUR or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the infringements listed in Art. 83(5)

Typical violations for small businesses: missing privacy policy, missing cookie consent, missing DPA with sub-processors.

DPA — Data Processing Agreement

Whenever a third party processes personal data on your behalf (hosting provider, email service, CRM), that party is a processor and you must have a Data Processing Agreement (DPA) with it under Art. 28 GDPR. The agreement must contain the terms listed in Art. 28(3), including the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the processor's obligations (acting only on your documented instructions, confidentiality, security measures, assistance with data-subject requests, deletion or return of data at the end of the service, and controls on any sub-processors it engages).

How Firmify Helps

Firmify generates personalised legal documents for your company in minutes:

  1. Select the required document type
  2. Fill in your company and website details
  3. Receive a ready PDF for publication

All templates are updated in line with the latest guidelines from the CPDP and the EDPB.
