- Contact The DPO Centre
- +44 (0)203 797 1289
- hello@dpocentre.com
GDPR DPO requirements: What qualifies as large-scale processing?
February 3, 2025
Building a privacy office: Key strategies for EU/UK compliance
March 3, 2025
A clear and compliant Privacy NoticeA clear, open and honest explanation of how an organisation processes personal data. is essential for organisations operating under the EU’s General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR), the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU., and the UK Data Protection Act 2018The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK (and supersedes the Data Protection Act 1998), and implemented the GDPR into UK legislation.. A well-crafted Privacy Notice not only helps organisations meet their legal obligations but also builds trust with customers, employees, and users.
In this blog, we explore the GDPR requirements for a Privacy Notice, sharing practical advice on making it clear and user-friendly, and highlighting common pitfalls to avoid. By ensuring your Privacy Notice meets transparency obligations, you can meet regulatory expectations and increase confidence in your organisation’s data protection practices.
What is a Privacy Notice?
A Privacy Notice is a public document that outlines how an organisation processes personal dataInformation which relates to an identified or identifiable natural person.. It informs individuals about how their information is collected, used, and stored, as well as their rights under data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data..
Recital 60 of the GDPR stipulates that individuals are ‘informed of the existence of the processing operation and its purposes’ – a requirement commonly met through the use of a Privacy Notice.
The purpose of a Privacy Notice is to ensure individuals understand what happens to their data. Whilst the main goal is legal compliance and transparency, a well-written Privacy Notice can also help strengthen trust between the organisation and its users, customers, and employees.
It should be noted that the GDPR does not explicitly refer to the term ‘Privacy Notice’ and organisations may choose to call this a Privacy Policy, Data Protection Notice, or another name.
Who is required to provide a Privacy Notice
Under the GDPR, only data controllersEntities (such as an organisation) which determine the purposes and means of the processing of personal data. are required to provide a Privacy Notice. Understanding the role of your business is, therefore, crucial.
- Data controllerAn entity (such as an organisation) which determines the purposes and means of the processing of personal data.: An entity (such as an organisation) that determines the purposes and means of the processing of personal data
- Data processorA third party processing personal data on behalf of a data controller.: A third-party processing personal data on behalf of a data controller
For more detailed information, visit the European Data Protection Board (EDPB) website for the EDPB’s official guidance on data controllers and data processorsThird parties processing personal data on behalf of a data controller..
For UK guidance, the Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) has similar UK GDPR guidance on controllers and processors.
Key GDPR requirements of a Privacy Notice
Articles 12, 13, and 14 of the GDPR stipulate several legal requirements for Privacy Notices, including their content and availability to data subjects.
To be GDPR-compliant, a Privacy Notice must include the following:
| ACTION | DETAILS |
| Identity and contact details | The name and contact details of the organisation, its representative, and its Data Protection Officer, if required |
| Purpose and legal basis | The purpose(s) for data processing and the legal basis for doing so |
| Legitimate InterestsLegitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle. | Any legitimate interests pursued by the organisation or a third party, if applicable |
| Data recipients | The recipients or categories of recipients of the personal data |
| Data transfers | Information about any transfers of personal data to third countriesCountries that are not part of the European Economic Area (EEA). or international organisations, including the safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... in place |
| RetentionIn data protection terms, a defined period of time for which information assets are to be kept. period | The period for which personal data will be stored, or the criteria used to determine that period |
| Data subject rightsUnder UK and EU data protection regulation, data subjects have a number of rights available to them, including the right to be informed, access, rectification, erasure, restrict processing, data portability, to object and further rights in relation to automated decision making and profiling. | Information about data subjectAn individual who can be identified or is identifiable from data. rights, including the right to request access to and rectification or erasure of personal data, the right to restrict or object to processing, and the right to data portability |
| Right to withdraw consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. | The right to withdraw consent at any time, where processing is based on consent |
| Right to lodge a complaint | The right to lodge a complaint with a supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation. |
| Automated decision-making, including profiling | Information about the existence of an automated decision-making system, including profiling, and meaningful information about the logic involved, the significance, and consequences of such processing for the individual |
When and how to provide a Privacy Notice
If you collect personal data directly from the data subject, you should provide your Privacy Notice at the time of collection.
However, if you obtain personal data from a third party, the timing of the notice depends on the circumstances:
- Within a reasonable period, but no later than one month, after obtaining the personal data
- At the time of the first communication if the personal data is to be used for communication with the data subject
- No later than when the data is first disclosed if you intend to disclose the personal data to another recipient
When a Privacy Notice is not required: GDPR exemptions
A Privacy Notice does not need to be provided in these situations, as laid out in Article 14(5) of the GDPR:
- The data subject already has the information
- When giving the notice is impossible or involves disproportionate effort, especially if the data is used for archiving, historical research, statistics, or in the public interest, subject to the conditions and safeguards under Article 89(1). In such cases, the data controller must take measures to protect data subject rights
- Disclosure is required by Union or Member State law, which includes safeguards for the data subject’s legitimate interests
- The data must remain confidential due to professional or statutory secrecy obligations
Writing for clarity and accessibility
Article 12 of the GDPR mandates that Privacy Notices should be written in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.
Here are tips for achieving this:
- Use plain language – Avoid legal jargon and technical terms. Write in plain language, using simple sentences that can be easily understood.
- Be concise – Provide only relevant information without unnecessary detail.
- Improve readability – Use headings and bullet points to break up long sections. Consider using a collapsible contents page or links to more detailed sections for those who want further information.
- Consider your audience – Tailor the language and content to your audience, whether they are employees, customers, or website visitors. If your Privacy Notice is aimed at children, ensure it is age appropriate.
- Provide examples – Use examples to illustrate complex points, making it easier for readers to understand how their data will be used.
Common mistakes to avoid
Errors can easily occur when drafting a Privacy Notice and these are the common pitfalls to avoid:
- Using complex language that is overly technical or contains legal jargon
- Failing to specify exactly how and why data is collected
- Failing to update when any business or legal changes occur
- Using generic templates that aren’t tailored to your business practices
- Missing key requirements, such as data retentionData retention refers to the period for which records are kept and when they should be destroyed. Under the General Data Protection Regulation (GDPR), data retention is a key element of the storage limitation principle, which states that personal data must not be kept for longer than necessary for the purposes for which the personal data are processed. periods or legal bases for processing
- Making it difficult to find or access
Steps to keep your Privacy Notice up to date
Regularly reviewing and updating your Privacy Notice is important to reflect any changes in data processing activities, legal requirements, or business operations.
These key steps can help ensure it stays relevant and supports your ongoing compliance:
- Conduct periodic reviews to ensure it remains accurate and compliant with current legislation.
- Monitor legal changes to data protection laws and update your Privacy Notice accordingly.
- Assess business operations and update your Privacy Notice if your organisation makes changes to how it collects, uses, or shares data.
- Record all versions of your Privacy Notice and the changes made to ensure transparency and accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance..
- Ensure consistency across platforms by aligning hard-copies and digital copies.
- Notify impacted individuals of any significant updates to your Privacy Notice via email, website notifications, or pop-ups.
Summary
A Privacy Notice is an essential document for all data controller organisations processing personal data under the jurisdiction of EU and UK data protection laws. To ensure compliance, it must include certain information, including the purpose of data processing, retention periods, and data subject rights.
For clarity and accessibility, Privacy Notices should be written in plain language and structured for easy readability. Common mistakes, such as using complex language or making it difficult to access, can undermine transparency and lead to non-compliance.
Regular reviews and updates are crucial to keeping a Privacy Notice accurate and aligned with evolving legal and business requirements. By following best practices, organisations can create a Privacy Notice that not only complies with data protection laws but also enhances transparency and customer confidence.
Do you need support with your Privacy Notice and GDPR compliance? Get in touch and learn how we can help.
______________________________________________________________________________________________________________________________
In case you missed it…
- GDPR DPO requirements: What qualifies as large-scale processing?
- Understanding GDPR territorial scope: Essential compliance guide
- How data protection builds customer trust and loyalty
______________________________________________________________________________________________________________________________
For more news and insights about data protection follow The DPO Centre on LinkedIn
Fill in your details below and we’ll get back to you as soon as possible
