Under the GDPR a Privacy Policy is absolutely necessary to each and every website where personal data are processed. Websites, e-shops, social media and blogs must have Privacy Policies, when there is a contact form, a login function or users may create accounts or even send their data without creating an account. Users are Data Subjects, and websites' owners are considered Data Controllers.