Transparency, privacy policies and notices

The United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR) provides various requirements concerning data transparency.

The terms ‘privacy policy’, ‘data protection policy’, ‘privacy notice’, ‘privacy statements’, ‘fair processing notices’ and ‘data protection notice’ are interchangeable.

For an introduction to the UK GDPR, see Practice Notes: Introduction to the EU GDPR and UK GDPR and The UK General Data Protection Regulation (UK GDPR).

This subtopic contains guidance:

•
relating to privacy policies generally
•
on the related topic of cookie policies
•
relating to employment specific policies

Transparency and the role of privacy policies

Transparency is an overarching obligation under the UK GDPR

The concept is embodied in the lawfulness, fairness and transparency principle under Article 5(1)(a) of the UK GDPR, which requires personal data to be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject’.

However,

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

Gender identity and the right to rectification of personal data (VP v Országos Idegenrendészeti Főigazgatóság)

EU Law analysis: The Court of Justice has held that personal data relating to gender identity on the public registers of a Member State must be subject to the right to rectification under Article 16 of the General Data Protection Regulation, Regulation 2016/679 (EU GDPR). Rectification may require production of relevant and sufficient evidence reasonably required to establish the inaccuracy, which may include medical certificates. However, a Member State may not make the exercise of the right of rectification conditional on evidence of gender reassignment surgery. Further, any restrictions on Article 16 rights in this regard must also comply with Article 23 of the EU GDPR and must be established by legislative measures and not by administrative practice. Importantly, the Court of Justice looked at data accuracy within the broader context of fundamental rights, especially the rights to personal integrity and privacy. In doing so, it expanded protections for transgender people by referring to gender identity, rather than relying on the traditional focus on gender reassignment. Written by Gaelyn Fuhrmann, Legal Director at Wiggin LLP.

Information Law weekly highlights—15 May 2025

Welcome to this week’s edition of the Information Law weekly highlights: a hand-picked summary of news analysis, updates and new content related to laws governing the use and dissemination of information and personal data. Each week these highlights focus on developments in key topics such as data protection, ePrivacy, cybersecurity, breach of confidence, misuse of private information, and defamation.

Testing the limits of confidentiality—when does use become misuse? (Illiquidx Ltd v Atlana Wealth Ltd and others)

Information Law analysis: This was a High Court case involving issues of confidentiality, trade secrets and copyright. It centred around two firms who had entered into a non-disclosure agreement (NDA) and subsequently embarked on a joint venture to set up an investment fund. Following the breakdown of the business relationship, one of the firms, Atlana, set up its own fund which was very similar to the one envisaged under the joint venture. The High Court ruled that in setting up its own fund, Atlana had breached the terms of the NDA by misusing confidential information and in turn had also infringed trade secrets. The judgment reinforces the importance of precise drafting in NDAs and provides clarifications around the meaning of information being in the public domain. It also emphasises the importance of originality when establishing copyright infringement, particularly in the context of business presentations and other materials which may be more difficult to prove. Written by Marija Nonkovic, associate at Kemp IT Law LLP.

DSIT launches enterprise IoT security consultation with vulnerability research

The Department for Science, Innovation and Technology (DSIT) has launched a call for evidence on the security of enterprise connected devices, supported by commissioned research from NCC Group revealing multiple security vulnerabilities. The research identified remote code execution vulnerabilities, outdated software, and poor adherence to National Cyber Security Centre Device Security Principles and European Telecommunications Standards Institute EN 303 645 standards across commonly-used business devices. The consultation aims to gather industry views on potential interventions to improve cyber resilience across the UK economy. The call for evidence closes at 11:59pm on 7 July 2025.

View Information Law by content type :

News