What do you need in a GDPR privacy statement?

Since the EU’s GDPR came into force you will have noticed many GDPR privacy statements. This is driven by the GDPR’s focus on transparency, which is intrinsically linked to fairness and to the principle of accountability. This is set out clearly in Article 5.2, where the onus is placed on the controller to demonstrate that personal data is processed in a transparent manner. To provide this transparency, data controllers must provide information about their personal data processing.

These information notices are given various names such as data protection notice, privacy notice, privacy policy, privacy statement or fair processing notice. Naturally the name is less important than the content.

The GDPR itself does not prescribe the format or modality by which such information should be provided to the data subject. In line with the principles-based approach that underpins the GDPR, it is the data controller’s responsibility to take “appropriate measures” in relation to the provision of the information required for transparency purposes.

Transparency empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in various articles. The most important of these articles are specified below.

When to provide a GDPR privacy statement

The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing. This is clear from Article 12 which provides that transparency applies at the following stages of the data processing cycle:

  • before or at the start of the data processing cycle i.e. when the personal data is being collected either from the data subject or otherwise obtained;
  • throughout the whole processing period i.e. when communicating with data subjects about their rights; and
  • at specific points while processing is ongoing, for example when data breaches occur or in the case of material changes to the processing.

Information style

As well as timing, the form and manner in which the information required under Articles 13 and 14 should be provided to the data subject is also important.

The key articles in relation to transparency in the GDPR, as they apply to the rights of the data subject, are found in Chapter III (Rights of the Data Subject). In particular Article 12 requires that the information or communication in question must comply with the following rules:

  • it must be concise, transparent, intelligible and easily accessible (Article 12.1);
  • clear and plain language must be used (Article 12.1);
  • the requirement for clear and plain language is of particular importance when providing information to children (Article 12.1);
  • it must be in writing “or by other means, including where appropriate, by electronic means” (Article 12.1);
  • where requested by the data subject it may be provided orally (Article 12.1);
  • it must be provided free of charge (Article 12.5).

These rules are sometimes summarised as “free, concise, transparent, intelligible and easily accessible”.

Examples of what is not permitted

It is sometimes easier to understand this by looking at what is not permitted. The following phrases were given as examples by Working Party 29, which also issued its reasoning as to why they are not acceptable:

  • “We may use your personal data to develop new services” (as it is unclear what the services are or how the data will help develop them);
  • “We may use your personal data for research purposes” (as it is unclear what kind of research this refers to);
  • “We may use your personal data to offer personalised services” (as it is unclear what the personalisation entails).

Children and other vulnerable users

Where a data controller is targeting children, or is or should be aware that its goods or services are particularly used by children (and is potentially relying on the consent of the child), it should ensure that the vocabulary, tone and style of the language used is appropriate to and resonates with children, so that the child addressee of the information recognises that the message or information is being directed at them.

It is critical that the method(s) chosen to provide the information is/are appropriate to the particular circumstances, i.e. the manner in which the data controller and data subject interact or the manner in which the data subject’s information is collected.

Given the very high level of internet access in the EU and the fact that data subjects can go online easily, electronic privacy statements or notices are suggested in the case of data controllers who maintain a digital presence.

However, based on circumstances, a data controller may need to additionally or alternatively use other modalities and formats to provide the information. Other possible ways may include:

  • Hard copy/paper environment, for example when entering into contracts by post;
  • Telesales: oral explanations by a real person, or pre-recorded information with options to hear further, more detailed information;
  • Person-to-person environment, such as registering in person for a service: oral explanations will suffice;
  • CCTV/drone recording: visible boards containing the information.

Information required

The following information should always be contained in a GDPR privacy statement/notice:

  1. The identity and contact details of the controller and, where applicable, their representative
  2. Contact details for the data protection officer, where applicable
  3. The purposes and legal basis for the processing
  4. Where legitimate interests (Article 6.1(f)) is the legal basis for the processing, the legitimate interests pursued by the data controller or a third party
  5. Categories of personal data concerned
  6. Recipients (or categories of recipients) of the personal data
  7. Details of transfers to third countries: the fact of such transfers and the details of the relevant safeguards (including the existence or absence of a Commission adequacy decision), and the means to obtain a copy of them or where they have been made available
  8. The storage period (or, if that is not possible, the criteria used to determine that period)
  9. The rights of the data subject to:
    1. access;
    2. erasure;
    3. restriction of processing;
    4. objection to processing;
    5. where processing is based on consent (or explicit consent), withdraw consent at any time
  10. The right to lodge a complaint with a supervisory authority
  11. Whether there is a statutory or contractual requirement to provide the information, or whether it is necessary to enter into a contract, or whether there is an obligation to provide the information, and the possible consequences of failure to provide it
  12. The source from which the personal data originate and, if applicable, whether it came from a publicly accessible source
  13. The existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject
