Checklist: What to include in your organisation’s privacy notice (EU)

Updated as of: 05 February 2025

Introduction

This checklist provides guidance on the drafting of privacy notices (sometimes also called an information notice or privacy policy) informing individuals such as clients, users, staff or others about the use of their personal data. It can be used by both in-house counsel and private practitioners advising organisations.

The checklist is EU-focused and covers:

  • general requirements under the European Union’s General Data Protection Regulation (EU GDPR); and
  • interpretation of those EU GDPR requirements by the European Data Protection Board (EDPB) and, where relevant, EU member state supervisory authorities.

This checklist does not address UK-specific data protection law requirements. However, it should be noted that the UK retained the EU GDPR in domestic law after Brexit (commonly referred to as the UK GDPR), with the changes necessary to accommodate domestic areas of UK law. Therefore, insofar as the UK’s supervisory authority (the Information Commissioner’s Office (ICO)) has published guidelines on the EU GDPR (prior to Brexit) and the UK GDPR (after Brexit), those guidelines can also serve as a helpful overview of the subject matter of this guide.

The checklist addresses the following steps:

  1. What to include in the privacy notice
  2. When to give the privacy notice
  3. How to give the privacy notice
  4. Fulfilling ongoing governance and compliance requirements

The checklist is presented as a list of requirements that you can tick off as they are addressed. At the end of the document there are explanatory notes, and specific notes corresponding to the relevant step in the checklist.

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.

This checklist can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklists: GDPR compliance self-assessment audit and Lawful processing of personal data under the GDPR.

Step 1 – What to include in the privacy notice

No. | Requirement | Legally required? | Good practice
1.1 | Controller details – full entity name and contact details
1.2 | Controller’s representative’s details (if relevant) – full entity name and contact details
1.3 | Data protection officer’s contact details
1.4 | Categories of personal data you collect and how you collect this – if data is collected directly from the data subject
1.5 | Categories of personal data you have acquired – if data is sourced from third parties
1.6 | Sources of personal data – including if it originates from publicly accessible sources
1.7 | Purposes for which you will process personal data
1.8 | Lawful bases relied on to process personal data
1.9 | Any legitimate interests pursued by the controller or a third party
1.10 | Recipients of the personal data
1.11 | If the controller will transfer the personal data to a country or to an international organisation outside the European Economic Area (EEA) and, if so, what transfer mechanism (or adequate safeguards) is used for such transfers (if required) and where a copy of such transfer mechanism can be accessed
1.12 | Details of any countries outside the EEA where personal data will be transferred
1.13 | Data retention period or criteria used to determine how long personal data will be stored for
1.14 | Details of the data subject rights available to the individual
1.15 | Details of how the data subject can exercise their rights
1.16 | Where processing is based on consent (implicit or explicit), letting the individual know they have a right to withdraw consent at any time
1.17 | The individual’s right to complain
1.18 | Whether providing personal data is a statutory or contractual requirement, or necessary to enter into a contract, and what will happen if the individual does not do so
1.19 | Whether you do any solely automated decision-making, including profiling, and meaningful information about:
  • the logic used
  • the envisaged consequences for the individual
1.20 | Whether you do any other automated decision-making and/or profiling

Step 2 – When to give the privacy notice

No. | Requirement | Legally required? | Good practice
2.1 | Where personal data is collected directly from the individual, the notice is provided at the time of data collection
2.2 | Where personal data is not collected directly from the individual, the notice is provided within a reasonable time, no later than one month, of data collection

Step 3 – How to give the privacy notice

No. | Requirement | Legally required? | Good practice
3.1 | The information in the notice is concise
3.2 | The information in the notice is transparent
3.3 | The information in the notice is intelligible
3.4 | The information in the notice is easily accessible
3.5 | The information in the notice is written in clear and plain language
3.6 | A ‘user-centric’ approach is taken
3.7 | The notice is provided in writing or by other means, including electronically where appropriate
3.8 | If an individual requests, the information may be provided verbally (subject to additional ID verification)
3.9 | The information in the privacy notice is provided for free
3.10 | The notice is delivered appropriately for the audience and the media

Step 4 – Fulfilling ongoing governance and compliance requirements

No. | Requirement | Legally required? | Good practice
4.1 | The privacy notice is regularly reviewed and, where necessary, updated
4.2 | Regular information audits are done to identify what personal data is held and what is done with it, including any new data uses or processes
4.3 | Additional privacy information is communicated to individuals before using personal data for a different purpose

Explanatory notes

General notes

Legal framework

The checklist covers the requirements under:

  • the EU GDPR;
  • the Article 29 Working Party Guidelines on transparency under Regulation 2016/679 (as last revised and adopted on 11 April 2018) – the Article 29 Working Party has since been replaced by the European Data Protection Board (EDPB), whose transparency guidelines now apply; and
  • EU member state supervisory authority interpretation of such transparency requirements.

Articles 12–14, EU GDPR, set out the key information an organisation must provide when processing the personal data of individuals.

Why have a privacy notice?

A privacy notice is a way of addressing the transparency requirements under data protection laws, which ensure that individuals (or data subjects) are fully informed and given clear information about how the organisation will process their personal data.

The requirement to have a privacy notice is separate from other obligations such as establishing a valid lawful basis to process the personal data (see article 6, EU GDPR). However, the content of your privacy notice can also hamper your ability to lawfully process personal data – for instance:

  • if you request consent to process personal data, this will not be ‘fully informed’ if you do not present individuals with relevant privacy information upfront; and
  • relying on ‘legitimate interests’ (see explanatory notes at 1.9) will be difficult if individuals are not aware of how you will use their data.

Exceptions and exemptions to the requirement for a privacy notice

Consider whether any of the limited exceptions and exemptions to the requirement to provide the prescribed information in a privacy notice apply to your organisation.

When the information is collected directly from the individual, if the individual already has the information you do not have to provide it again.

When you collect personal data from a source other than the individual it relates to, privacy information does not have to be provided if:

  • the individual already has the information;
  • providing the information to the individual would be impossible;
  • providing the information to the individual would involve a disproportionate effort;
  • providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;
  • you are required by law to obtain or disclose the personal data; or
  • you are subject to an obligation of professional secrecy regulated by law that covers the personal data.

See articles 13(4) and 14(5), EU GDPR.

Sources of information for the notice

Your organisation should maintain certain records as part of its data protection compliance obligations, such as a record of processing activities (ROPA) (article 30, EU GDPR) or a data inventory, which will provide much of the information you need for the privacy notice. If no such record exists, you may need to conduct an information audit or data-mapping exercise to identify the relevant data flows, in terms of what personal data you hold and what you do with it.

Implications of non-compliance

Infringement of the transparency requirements under the EU GDPR can attract the highest tier of fines of up to the greater of €20 million and 4% of global annual turnover, or other enforcement action from the regulator. There can also be reputational damage resulting from individuals losing trust in your ability to use their information responsibly and compliantly.

Step 1 – Content of the privacy notice

1.1 Controller details

Set out the full entity name and contact details of the controller in the notice (articles 13(1)(a) and 14(1)(a), EU GDPR).

1.2 Controller’s representative’s details

If your organisation is required to have a representative (for example, if it is not established in the EEA), set out the representative’s full entity name and contact details in the notice (articles 13(1)(a) and 14(1)(a), EU GDPR).

1.3 Data protection officer’s contact details

You can use an email address or a contact form via which individuals or regulators can reach the data protection officer (DPO) (articles 13(1)(b) and 14(1)(b), EU GDPR).

1.4 Categories of personal data you collect and how you collect this

This information is not legally required if the data is obtained directly from the relevant individual, but it is practically impossible to draft the notice without this. Consider both information collected directly from the individual and other information observed from their behaviour.

1.5 Categories of personal data you have acquired

The privacy notice only has to include this information if the data is not obtained directly from the relevant individual, although it is good practice to include this anyway (article 14(1)(d), EU GDPR) (see explanatory notes at 1.4).

1.6 Sources of personal data

The privacy notice only has to include this information if the data is not obtained directly from the relevant individual. If applicable, you need to specify if the data originates from publicly accessible sources (article 14(2)(f), EU GDPR).

If, for example, you are buying in personal data from another organisation, you must provide your own privacy notice to data subjects (unless an exemption or exception applies).

1.7 Purposes for which you will process personal data

Detail why you are using the data to give the individual a clear picture of what will happen to their information (articles 13(1)(e) and 14(1)(c), EU GDPR).

1.8 Lawful bases relied on to process personal data

For each processing activity, you need to establish a valid lawful basis to process the personal data (see article 6, EU GDPR). These broadly include consent, performance of a contract, performance of a legal obligation and ‘legitimate interests’ (see explanatory notes at 1.9), among other grounds. Additional exemptions/conditions must be met if special categories of personal data, such as health or ethnicity data (see article 9, EU GDPR), will be processed (articles 13(1)(c) and 14(1)(c), EU GDPR; see also articles 6(1) and 9, EU GDPR).

1.9 Any legitimate interests pursued by the controller or a third party

You can use personal data if necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the data subject’s rights and interests requiring protection of their data override these interests, in particular where children are concerned (articles 13(1)(d) and 14(2)(b), EU GDPR), (see also article 6(1)(f), EU GDPR).

The EU GDPR specifically references use of client or employee data, marketing, fraud prevention, intra-group transfers and IT security as potential legitimate interests, but there may be others. Certain compliance steps will determine whether you can rely on legitimate interests, such as carrying out a legitimate interests assessment. The EDPB has adopted guidelines on the processing of personal data based on legitimate interest. For further information on legitimate interests, see the ICO’s guidance on legitimate interests, the legitimate interests section of Ireland’s supervisory authority (the Data Protection Commission (‘DPC’)) guidance on the legal bases for processing personal data and the EDPB social media guidelines. The EDPB also provides a Data Protection Guide for small businesses.

1.10 Recipients of the personal data – by name or by category

This requirement is contained in articles 13(1)(e) and 14(1)(e), EU GDPR.

Ireland’s DPC guidance on the right to be informed says that in your privacy notice you must inform data subjects whom you will transfer their information to and why (unless an exception or exemption applies). This includes details of group companies, suppliers, partners or customers that will have access to the data. You can either name them specifically or state the categories of recipient with enough detail for the individual to understand the nature of the recipient’s role in the processing of their data (eg, at least the type of business).

1.11 International data transfers

The notice needs to state whether the controller will transfer the personal data to a country or to an international organisation outside the EEA and the existence or absence of an adequacy decision by the European Commission with respect to the country or countries of the recipient(s) of the personal data. ‘Transfer’ includes both physical data transfers and remote access to data. If there is no adequacy decision, you must also outline:

  • which alternative transfer mechanism (or appropriate safeguards) is used; and
  • how the individual can obtain or access a copy of that transfer mechanism.

This requirement is contained in articles 13(1)(f) and 14(1)(f), EU GDPR. See also chapter V, EU GDPR.

An adequacy decision may be made by the European Commission, as applicable. It effectively whitelists countries assessed as adequate in terms of data protection (with some adequacy decisions being subject to certain conditions, eg, the EU-US Privacy Framework (July 2023)) and allows personal data to be transferred there without additional safeguards. If there is no adequacy decision, and you are relying on an article 46 transfer mechanism (ie, that appropriate safeguards are in place) you must carry out a transfer risk assessment (see the EDPB’s Recommendations on measures that supplement transfer tools and Ireland’s DPC guidance on Transfers of Personal Data to Third Countries or International Organisations). Appropriate safeguards include standard contractual clauses and binding corporate rules.

1.12 Details of any countries outside the EEA where personal data will be transferred

The EU GDPR does not expressly say that you have to list the countries to which personal data is being exported. However, this information may help an individual to make an informed decision about whether they are comfortable with the controller doing this with their data.

1.13 Data retention

The notice must specify the data retention period or the criteria you use to determine how long personal data will be stored (articles 13(2)(a) and 14(2)(a), EU GDPR).

1.14 Data subject rights, including the right to object

The notice must outline the data subject rights available to the individual, in particular that they can request from the controller access to and rectification or erasure of personal data, or to restrict or object to processing concerning them, and the right to data portability. Not all of these rights will always be available to the individual, and exceptions and exemptions will apply.

The right to object must be brought to the individual’s attention clearly and separately from any other information. You need to make the right to object stand out (eg in bold, underlined, a different colour or through functionality).

These requirements are contained in articles 13(2)(b), 14(2)(c) and 21(4), EU GDPR.

1.15 Details of how the data subject can exercise their rights

Given that the EU GDPR requires controllers to have a process to deal with data subject requests, it is strongly recommended that you also tell them how to make a request. Asking data subjects to follow a process will also make requests easier for you to manage (although you will still need to respond to all valid requests even if they do not follow your preferred process).

1.16 Right to withdraw consent

Where processing is based on consent (express or implied), the notice needs to inform the individual that they have a right to withdraw consent at any time, but this will not invalidate processing up to that point (articles 13(2)(c) and 14(2)(d), EU GDPR).

1.17 Right to complain to data protection regulator

The notice needs to inform the individual that they have the right to make a complaint to the relevant data protection regulator (known as a supervisory authority under the EU GDPR) (articles 13(2)(d) and 14(2)(e), EU GDPR).

1.18 Statutory or contractual requirements

The notice needs to specify whether providing personal data is a statutory or contractual requirement, or necessary to enter into a contract, and what will happen if the individual does not do so. This only applies if the personal data is collected directly from the relevant individual (article 13(2)(e), EU GDPR).

1.19 Solely automated decision-making, including profiling

The notice needs to explain whether you do any solely automated decision-making, including profiling (of the kind referred to in article 22, EU GDPR), and, if so, include meaningful information about:

  • the logic used; and
  • the envisaged consequences for the individual.

This requirement is contained in articles 13(2)(f) and 14(2)(g), EU GDPR. See also article 22, EU GDPR. Use of AI models should be explained in this part of the privacy notice. The EU AI Act is now in force and the EDPB has adopted an opinion on the use of personal data and the development and deployment of AI models.

1.20 Other automated decision-making and profiling

The EU GDPR is ambiguous about whether the privacy notice needs to disclose automated decision-making and profiling that you carry out aside from that covered by article 22, EU GDPR. It seems likely that this requirement will be covered in articles 13(2)(f) and 14(2)(g), EU GDPR.

In addition, the UK’s ICO right to be informed guidance recommends explaining your use of these processing activities and, in particular, any use of artificial intelligence.

Step 2 – When to give the privacy notice

2.1 Data collected directly from the individual

Where personal data is collected directly from the individual, the notice must be provided at the time of data collection (article 13(1), EU GDPR).

2.2 Data not collected directly from the individual

Where personal data is not collected from the individual (ie, you receive it from another source), the notice must be provided within a reasonable time, and no later than one month after collection.

If you intend to use the personal data to communicate with the data subject, the latest you can provide the information is when you first communicate with the individual or disclose their data – this still needs to be within the one-month time limit.

If you are collecting the data and will then disclose it to someone else, the latest you can provide the information is when you disclose the individual’s data – again, this still needs to be within the one-month time limit.

These requirements are contained in article 14(3), EU GDPR.

Step 3 – How to give the privacy notice

3.1 The information in the notice is concise

Try not to overwhelm individuals with overly wordy explanations (article 12(1), EU GDPR).

3.2 The information in the notice is transparent

Ensure you do not omit or obfuscate key information (article 12(1), EU GDPR).

3.3 The information in the notice is intelligible

Ensure the notice is legible, eg, not in tiny print, and in the language of the individuals who will read it (article 12(1), EU GDPR).

3.4 The information in the notice is easily accessible

Make sure that the individual can access the information easily, eg, does not have to click multiple times to get to the notice (article 12(1), EU GDPR).

3.5 The information in the notice is written in clear and plain language

Explain complex concepts in easy-to-understand terms (article 12(1), EU GDPR).

Avoid technical jargon. Consider having a layered approach, eg, provide a basic ‘summary’ and also a ‘detailed explanation’ for those who want to read more (article 12(1), EU GDPR).

3.6 A ‘user-centric’ approach is taken

Take a user-focused approach to privacy notices – think from the point of view of the data subject and what information they would want to know about the use of their information. Where appropriate, carry out user testing to evaluate how effective and comprehensible your notice is. Consider also the needs of specific types of users, such as children.

These are recommendations in the UK’s ICO right to be informed guidance and Ireland’s DPC Fundamentals document on a Child-Oriented Approach to Data Processing.

3.7 Means of conveying notice

The notice may be provided in writing or by other means, including electronically where appropriate (article 12(1), EU GDPR).

3.8 Orally providing the notice, if requested

If an individual requests, the information may be provided orally (subject to additional ID verification) (article 12(1), EU GDPR). We query, however, how workable this is in practice, given that the information being provided is publicly available in any event and that the ID requirement would mean the organisation collecting additional personal data.

3.9 The information in the privacy notice is provided for free

In most circumstances, you cannot charge a fee to provide the information in the privacy notice – the individual has a legal right to be given this information (article 12(5), EU GDPR). However, if the data subject’s request is manifestly unfounded or excessive, a reasonable fee may be charged, provided the charge reflects the administrative cost of responding to the request.

3.10 Delivery of the notice

The notice needs to be delivered appropriately for the relevant audience and the relevant media. For example, the UK’s ICO right to be informed guidance recommends dashboards, layering, just-in-time notices and standardised icons (machine-readable). Also, ensure that mobile and smart device functionalities are factored in. From a privacy by design perspective, consider the EDPB’s Guidelines on EU GDPR Article 25 Data Protection by Design and by Default.

Step 4 – Ongoing governance and compliance

4.1 Regularly reviewing the notice

The ICO right to be informed guidance recommends regular reviews of privacy notices. In practice, if the privacy notice is not up to date and does not contain all of the relevant information about data processing, it will not be legally compliant.

4.2 Regular information audits

The ICO’s right to be informed guidance recommends regular information audits. Check the results of the audit against the information in the privacy notice and make any necessary updates.

4.3 Using the data for a different purpose

You will need to provide privacy information to individuals before using personal data for a purpose different from the one you told them about in your original notice. This is to comply with the ‘purpose limitation’ principle, which requires personal data to be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Consent may also need to be obtained.

This requirement is contained in articles 13(3) and 14(4), EU GDPR. See also article 5(1)(b), EU GDPR. In relation to change of purpose, also see Ireland’s DPC Guidance on Legal Bases for Processing Personal Data.

Additional resources

Related Lexology Pro content

How-to guides:

Understanding key data protection definitions 
How to comply with data processing principles under the GDPR 
How to ensure compliance with the GDPR 
How to establish a valid lawful basis for processing personal data under the GDPR 
How to transfer personal data lawfully outside the European Economic Area 
How to reduce the risk of a GDPR data breach 
How to deal with a GDPR data breach 
How to deal with a supervisory authority dawn raid 

Checklists:

GDPR compliance self-assessment audit 
Assessing whether an organisation is a controller or processor under the GDPR 
Lawful processing of personal data under the GDPR 
Obtaining and managing consent under the GDPR 
Processor due diligence (data protection and cybersecurity) 
Making an international transfer of personal data under the GDPR 
Data subject access rights under the GDPR 
When and how to appoint a data protection officer 
Complying with cookie requirements under the ePrivacy Directive and the GDPR 
