A privacy notice is a public document from an organization that explains how that organization processes personal data and how it applies data protection principles. GDPR provides detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. ( Articles 12, 13, and 14 )

According to the GDPR, organizations must provide people with a privacy notice that is:

  • In a concise, transparent, intelligible, and easily accessible form
  • Written in clear and plain language, particularly for any information addressed specifically to a child
  • Delivered in a timely manner
  • Provided free of charge

The following information must be contained in the privacy notice:

  • The identity and contact details of the organization, its representative, and its Data Protection Officer
  • The purpose for the organization to process an individual’s personal data and its legal basis
  • The legitimate interests of the organization (or third party, where applicable)
  • Any recipient or categories of recipients of an individual’s data
  • The details regarding any transfer of personal data to a third country and the safeguards taken
  • The retention period or criteria used to determine the retention period of the data
  • The existence of each data subject’s rights
  • The right to withdraw consent at any time (where relevant)
  • The right to lodge a complaint with a supervisory authority
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
  • The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences

If an organization obtains your data indirectly (via another organization) its privacy notice must provide all the same information, except for:

  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data

And instead must add:

  • The categories of personal data obtained

Every organization that maintains a website should publish their privacy notice there, under the title “Privacy Policy,” and it should be accessible via a direct link from every webpage. If a website collects any personal data online, the privacy notice or a link to it should be provided on the same page where the data collection occurs. The GDPR also states that privacy notices must be available orally upon request to ensure comprehension and to aid the visually impaired.