Privacy notices—information requirements

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Privacy notices—information requirements
  • Consent
  • Privacy notice—personal data collected from the data subject
  • Privacy notice—personal data not obtained from the data subject
  • Data breach
  • Data protection officer

Privacy notices—information requirements

This Practice Note sets out information requirements that are contained at various places in the UK General Data Protection Regulation (UK GDPR). Most of these relate to privacy notices, but there are also information requirements relating to issues like data breach and data protection officer (DPO). This Practice Note does not cover information requirements where information society services are provided to children.

For a quick reference check in relation to the form and content of your privacy notices, see Precedent: Privacy notice audit.

For a sample privacy notice, see Precedents:

  1. Privacy policy—general commercial organisation—customer-facing

  2. Privacy policy—law firms and professional services

  3. Privacy policy—general commercial organisation—customer-facing

  4. Data protection privacy notice (employment)

Consent

Information to be givenTimingFormatRegulatory requirement or recommended?
☐ Notice that the data subject has the right to withdraw their consent at any timePrior to the data subject giving consentIn a format to satisfy the requirement that it shall be as easy to withdraw as to give consentRegulatory requirement
Article 7(3) of Retained Regulation (EU) 2016/679, UK GDPR

Privacy notice—personal data collected from the data subject

There are a number of techniques you can use to provide people with privacy information. You can use:

  1. a layered approach—short notices containing key privacy information that have additional layers of more detailed information

  2. dashboards—preference management tools that inform people how you use

Popular documents