Privacy notice
Mandatory information under Articles 13 and 14 GDPR
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
The privacy notice must present all processing activities transparently: controller, purpose, legal basis, retention period, recipients, third-country transfers, data subject rights, and supervisory authority.
What is a privacy notice?
Mandatory contents (Article 13):
- Identity of the controller
- DPO contact
- Purpose and legal basis
- Legitimate interest where Article 6(1)(f) applies
- Recipients / categories of recipients
- Third-country transfers and safeguards
- Retention period
- Data subject rights (Articles 15-22)
- Right to lodge a complaint with the supervisory authority
- Obligation to provide the data
- Automated decision-making under Article 22
Practical example
Online shop: a privacy notice of 8 to 12 pages, structured by processing purposes (orders, newsletter, cookies, recruitment).
Frequently asked questions
Update frequency?
With every change. Recommendation: a semi-annual review.
Multilingual?
Mandatory, depending on the target audience. Country-specific versions for DE/AT/CH should be maintained separately.