ISpectra Technologies
Templates & Resources · Guide · Updated Jun 2026 · 10 min read

GDPR Privacy Notice: Requirements & Free Template

A privacy notice is how you meet GDPR’s transparency duty. Here’s what it must contain and how to write one that works.


The privacy notice is the most visible part of your GDPR programme — the document customers, users and regulators see first. Done well, it builds trust and underpins people’s rights; done badly, it misleads people and undermines your GDPR compliance before anyone looks deeper.

This guide explains what a privacy notice must contain under Articles 13 and 14, when to provide it, how to make it clear and usable, and the mistakes to avoid.

What a privacy notice is

A privacy notice (sometimes called a privacy policy) is how you fulfil GDPR’s transparency obligation: it tells people what personal data you collect, why, who you share it with, how long you keep it, and what rights they have. Articles 13 and 14 set out exactly what it must contain.

It is not a legal disclaimer to bury and forget — it is a genuine communication to the people whose data you hold, and getting it right underpins their ability to exercise every other right.

Article 13 vs Article 14

GDPR splits the requirement in two. Article 13 applies when you collect data directly from the individual — a sign-up form, a purchase. Article 14 applies when you obtain data from another source — a data provider, a partner, public records — and adds a duty to tell people where you got their data.

Most organisations need to satisfy both, because they collect some data directly and acquire other data indirectly.


Who you are

The notice must identify who you are — the controller’s identity and contact details — and, where you have them, the contact details of your Data Protection Officer or EU representative. People need to know who is responsible and how to reach them.

This sounds obvious, but vague or missing controller identity is a surprisingly common failing.

Purposes and lawful basis

You must state the purposes for which you process the data and the lawful basis for each. Where you rely on legitimate interests, you must say what those interests are; where you rely on consent, you must explain the right to withdraw it.

Linking each purpose to its basis makes the notice accurate and demonstrates that you have actually thought about your processing.

Recipients and transfers

Tell people who you share data with — the categories of recipients, such as service providers or partners — and whether you transfer data outside the EU/EEA, identifying the safeguards (such as SCCs or adequacy) you rely on for those transfers.

Transparency about sharing and transfers is increasingly scrutinised, so be specific rather than generic.

Retention periods

The notice must explain how long you keep the data, or the criteria you use to decide. A vague “we keep data as long as necessary” is weak; better to give real periods or clear criteria tied to purpose and law.

This connects directly to your retention schedule — the notice should reflect what you actually do.

The rights you must explain

You must inform people of their rights: access, rectification, erasure, restriction, portability and objection, plus the right to withdraw consent where relevant, and the right to complain to a supervisory authority.

Explaining how to exercise these rights — not just listing them — makes the notice genuinely useful and reduces friction when requests arrive.

Source and automated decisions

Two extra items often get missed. Under Article 14, you must disclose the source of data obtained indirectly. And if you carry out automated decision-making with significant effects, including profiling, you must explain it, its significance and the consequences for the individual.

As automated decisions and AI spread, this last requirement is becoming more important.

When you must provide it

Timing matters. Under Article 13 you must provide the notice at the time you collect the data. Under Article 14, you must provide it within a reasonable period — at the latest within a month, or when you first communicate with the person or share their data.

A privacy notice that exists but is never actually shown to people does not meet the obligation.

Make it clear and accessible

The notice must be in clear, plain language, concise and easy to access — especially where children are involved. Dense, jargon-filled policies that no one reads do not achieve transparency, even if they technically list everything.

A layered approach works well: a short, readable summary up front, with the option to expand into the full detail.

Keep it accurate and current

A privacy notice must match reality. As your processing changes — new purposes, vendors, transfers — update the notice. An out-of-date notice that misdescribes what you do is arguably worse than none, because it misleads people and misstates your basis.

Review the notice whenever your processing changes and at least periodically as a matter of routine.

Common privacy notice mistakes

Frequent failings include copying a generic template that misdescribes your processing, omitting the lawful basis or legitimate interests, being vague about retention and recipients, hiding the notice, forgetting the Article 14 source disclosure, and never updating it.

Each undermines transparency — and a notice that doesn’t reflect your actual processing can itself be evidence of non-compliance.

How ISpectra helps

A clear, accurate privacy notice is the public face of your GDPR compliance. ISpectra Technologies helps organisations build privacy notices that meet Articles 13 and 14, reflect their real processing (lawful bases, recipients, transfers, retention and rights), and use a layered, plain-language format that people can actually understand.

If your current notice is a generic template, a short review will align it with what you actually do.

In one paragraph

A privacy notice fulfils GDPR’s transparency duty, and Articles 13 and 14 set out what it must contain: who you are and your DPO/representative; the purposes and lawful basis for each activity (including legitimate interests and the right to withdraw consent); the recipients and any international transfers and their safeguards; retention periods; the individual’s rights and the right to complain; the source of indirectly obtained data; and any significant automated decision-making. Provide it at collection (or within a month for indirect data), in clear, layered, plain language, and keep it accurate as your processing changes.


The layered notice in practice

The single most useful technique for privacy notices is layering, and it is worth a closer look because it resolves the tension between “complete” and “readable”. The top layer is a short, human summary — a few sentences or a simple table covering who you are, the main things you do with data, and how to exercise rights. The lower layer holds the full Article 13/14 detail for anyone who wants it. Just-in-time notices add a third dimension: a brief explanation shown exactly where data is collected, such as a one-line note next to a form field explaining why you ask for it.

This approach respects how people actually behave — almost no one reads a long policy top to bottom — while still giving regulators and the genuinely interested the complete picture. It also forces a healthy discipline: if you cannot summarise what you do with someone’s data in a few plain sentences, that is often a sign your processing is more sprawling or less justified than it should be. In that way, writing a good layered privacy notice doubles as a useful audit of your own data practices, frequently surfacing purposes or data flows that deserve a second look before you commit them to a public document.


GDPR Privacy Notice — Frequently Asked Questions

What is a privacy notice?
A communication that tells people what personal data you collect, why, who you share it with, how long you keep it, and their rights — fulfilling GDPR’s transparency duty.

What must it contain?
Your identity and DPO, purposes and lawful basis, recipients, international transfers and safeguards, retention, individual rights, the right to complain, the data source, and any automated decisions.

What is the difference between Article 13 and Article 14?
Article 13 applies when you collect data directly from the individual; Article 14 applies when you obtain it from another source and adds a duty to disclose the source.

When must you provide it?
At the time of collection for directly obtained data, or within a reasonable period (at most a month) for data obtained indirectly.

Can you use a template?
Yes, but tailor it to your actual processing. A generic template that misdescribes what you do is worse than none, because it misleads people.

How long should it be?
As long as needed to be complete, but written in clear, plain language. A layered format — a short summary with expandable detail — works well.