The Internal Privacy Guideline – Tips for the setup

An internal data protection guideline should be established by each controller who processes personal data. The policy is an important part of the data protection management system and must meet some criteria. We give a brief overview of the most important points.

What has to be considered when setting up the guideline?


On the one hand, the data protection guideline should inform about the necessary aspects of a data protection management system, on the other hand, they should be as short as possible for reasons of transparency and understandability. The size, structure and industry of the company as well as the type of personal data processed also play an important role in determining the scope. A volume of approx. 5 to 15 pages usually makes sense.

Language and form

Art. 12 Para. 1 (1) GDPR sets language requirements for the information obligations: Precise, transparent, comprehensible, in an easily accessible form and in clear and simple language. It also makes sense to apply these requirements to the Data Protection Guideline.


In order to meet the requirements of understandability and transparency, a clear structure of the data protection guideline is indispensable. A table of contents, a preamble explaining the meaning and purpose of the guideline as well as its scope and, if necessary, definitions of technical terms used are useful for structuring the guideline.


A data protection guideline should contain the following essentials:

  • all components of the data protection management system
  • the data protection organisation in the company, in particular processes for involving the data protection officer in all processing operations of personal data as well as in data breaches
  • Processes for data breaches

The points above contain some guidance to help in the preparation of the internal privacy guideline. If you have any further questions or comments, we look forward to hearing from you.