Privacy notices—information requirements
Privacy notices—information requirements

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • Privacy notices—information requirements
  • Consent
  • Privacy notice—personal data collected from the data subject
  • Privacy notice—personal data not obtained from the data subject
  • Data breach
  • Data protection officer

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

This Practice Note sets out information requirements that are contained at various places in the General Data Protection Regulation (GDPR). Most of these relate to privacy notices, but there are also information requirements relating to issues like data breach and data protection officer (DPO). This Practice Note does not cover information requirements where information society services are provided to children.

For a quick reference check in relation to the form and content of your privacy notices, see Precedent: Privacy notice audit.

For a sample privacy notice, see Precedents:

  1. Privacy policy—general commercial organisation—customer-facing

  2. Privacy policy—law firms and professional services

  3. Privacy policy—general commercial organisation—customer-facing

  4. GDPR data protection privacy notice (employment)


Information to be given Timing Format