Privacy Policy Requirements
Updated June 2026
A GDPR-compliant privacy policy is not optional for any organisation that processes personal data about EU residents. GDPR Articles 13 and 14 specify exactly what information must be provided to individuals — and supervisory authorities enforce these requirements through audits and complaint investigations. This guide covers all mandatory elements.
Article 13 vs Article 14: The Key Distinction
GDPR sets different transparency requirements depending on how personal data was obtained:
Article 13 applies when personal data is collected directly from the individual — via a contact form, account registration, purchase, survey, phone call, or any other direct interaction. The required information must be provided at the time of collection.
Article 14 applies when personal data is obtained from third-party sources — purchasing contact lists, receiving data from data brokers, obtaining data from another controller (such as a business partner), or accessing publicly available data for processing purposes. The required information must be provided within one month of obtaining the data, or at the time of the first communication with the individual (whichever is earlier).
Most organisations process data under both articles and need a privacy policy that covers both situations.
Mandatory Elements Under Article 13
1. Identity and Contact Details of the Controller
The full legal name of the organisation (not a trading name alone), its registered address, and contact details — at minimum a working email address. If the organisation is based outside the EU/EEA but subject to GDPR (because it processes data of EU residents), it must also identify its EU representative (required by GDPR Article 27) with contact details.
2. Contact Details of the Data Protection Officer
Where a DPO has been appointed (mandatory for public authorities, organisations conducting large-scale systematic monitoring, or organisations processing special categories of data at scale), the DPO's contact details must be included. This can be a dedicated privacy team email — the DPO's personal contact information is not required.
3. Purposes and Legal Bases of Processing
For every category of personal data processed, the privacy policy must state both the purpose (what the data is used for) and the legal basis (the GDPR Article 6(1) ground relied upon). The six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Where legitimate interests is the basis, a brief description of what those interests are must be provided. Where consent is the basis, the policy must note that individuals can withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
4. Recipients or Categories of Recipients
Individuals must know who receives their personal data. While it is not necessary to list every specific company name, categories must be specific enough to be meaningful. "Service providers and business partners" is insufficient. "Payment processing providers, cloud storage providers operating within the EEA, and marketing analytics platforms" is closer to compliance — and specific company names are better still.
5. International Transfers
Where personal data is transferred outside the EEA, the privacy policy must state this and describe the safeguards in place. Recognised mechanisms under GDPR Chapter V include: adequacy decisions (EU Commission has recognised the UK, Switzerland, Israel and certain others), Standard Contractual Clauses (SCCs, the most commonly used mechanism), Binding Corporate Rules for intra-group transfers, and derogations for specific situations.
Transfers to the United States warrant particular attention. Following the Schrems II ruling (CJEU, 2020), transfers based on the Privacy Shield mechanism were invalidated. The EU-US Data Privacy Framework (adopted July 2023) reinstated a mechanism for US transfers, but organisations should verify that their US processors are certified under DPF.
6. Retention Periods
The policy must state how long each category of personal data will be kept, or the criteria used to determine this. "We keep data for as long as necessary" without further specification does not satisfy this requirement. Acceptable approaches include: specifying fixed periods (e.g. "customer account data retained for the duration of the account plus 7 years for tax records"), or clearly explaining the criteria (e.g. "retained until you close your account, or until required for legal proceedings").
7. Data Subject Rights
All eight rights available under GDPR must be listed and briefly explained:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making and profiling (Article 22)
- Right to withdraw consent (where consent is the legal basis)
For full explanations of each right, see the EU data subject rights guide.
8. Right to Lodge a Complaint
Individuals must be informed of their right to complain to their national supervisory authority. The policy should identify the relevant authority by name — not just "your national DPA" — and provide a link or contact details. For a UK-facing policy, this is the ICO; for Germany, the BfDI (federal) or the relevant state authority; for France, the CNIL; for Ireland (relevant for many large US tech companies with European HQ in Ireland), the DPC.
9. Statutory or Contractual Requirement
Where providing personal data is a statutory requirement (required by law) or a contractual requirement (necessary to enter into or perform a contract), this must be stated — along with the consequences of not providing the data.
10. Automated Decision-Making and Profiling
Where the organisation uses automated decision-making processes — including profiling — that produce legal or similarly significant effects on individuals, this must be disclosed. The disclosure must cover: the fact that automated decision-making occurs; the logic involved (to the extent this can be explained meaningfully); the significance and consequences for the individual; and their rights to request human review, express their view, and contest the decision.
Additional Requirements Under Article 14 (Indirect Collection)
Where personal data was not collected directly from the individual, the privacy policy or a separate notice must additionally include:
- The categories of personal data being processed (since the individual was not present when it was provided)
- The source from which the data originates — whether it is a public source, a data broker, another controller, or a third party
This information must be provided within one month of obtaining the data, or at the time of the first communication with the individual, or at the latest when the data is first disclosed to another recipient.
Format and Accessibility Requirements
GDPR Article 12(1) requires that privacy information be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language." This is an enforceable requirement, not guidance. Supervisory authorities have found violations where policies were written in dense legal language inaccessible to an average reader.
Recommended practices:
- Layered approach: A short summary with key information prominently displayed, with links to more detailed explanations. This is particularly useful for privacy notices at point of collection (e.g. at contact forms or checkout).
- Accessibility: The privacy policy should be reachable in one click from every page — typically linked in the footer. It must be accessible without JavaScript and in a format that works with screen readers.
- Version control: Dated versions should be maintained. Where material changes are made, individuals should be notified proactively — not just via a general "we updated our privacy policy" banner.
- Language: Privacy policies should be available in the language(s) of the individuals they cover. For EU-wide services, this often means multiple language versions.
Common Violations Found in Enforcement
Supervisory authority decisions identify recurring violations in privacy policies:
- Vague recipients: "third parties" or "our partners" without specificity
- Missing legal bases: Describing what data is collected without stating the legal basis for each purpose
- No retention periods: Omitting retention information entirely, or stating retention is "for as long as necessary"
- Buried rights information: Listing data subject rights in an appendix or in language requiring legal expertise to understand
- Inaccurate policies: Privacy policies that do not reflect actual processing practices — a policy copied from a template that describes processing the organisation does not actually do
- No supervisory authority contact: Omitting the right to complain or not naming the specific authority
- International transfers without safeguards: Disclosing US or other transfers without identifying the applicable mechanism
For the full overview of what GDPR requires and how its principles apply to your organisation, see the GDPR compliance guide. For cookie consent requirements specifically, see the cookie consent guide.
Frequently Asked Questions
What must a GDPR privacy policy include?
Under Articles 13-14, a compliant privacy policy must include: the controller identity and contact details; DPO contact details where applicable; the purposes and legal bases of every processing activity; recipients or categories of recipients; international transfer details; retention periods; all eight data subject rights; the right to complain to a supervisory authority; and automated decision-making disclosures.
What is the difference between Article 13 and Article 14?
Article 13 applies when personal data is collected directly from the individual — via a form, account registration, or direct interaction. The required information must be provided at the time of collection. Article 14 applies when data is obtained from third-party sources. The same information must be provided, plus the categories of data and its source, within one month of obtaining it.
What are common privacy policy violations found in enforcement?
Recurring violations include: vague recipients ("our partners" without specificity); missing legal bases; no retention periods or vague statements ("as long as necessary"); rights information buried in legal language; inaccurate policies that do not reflect actual processing; and omitting the right to complain to a supervisory authority or not naming the specific authority.
How long should a GDPR privacy policy be?
There is no minimum or maximum requirement. The test is whether it contains all mandatory information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Most compliant policies are 1,000-3,000 words.
Does a privacy policy need to be updated when processing changes?
Yes. Privacy policies must accurately reflect actual processing at all times. Where material changes are made — new purposes, new recipients, new data categories, changes to legal bases — individuals must be notified proactively. A general "we updated our privacy policy" banner is insufficient.