Compliant Privacy Notice Template

What is a Privacy Notice?

A privacy notice is a document, form, webpage or pop-up that is provided to individuals at the point their personal information is collected. Where data is obtained indirectly, the notice is provided at the earliest opportunity.

A business is obligated to provide a privacy notice to all individuals when their personal data is being processed. However, the context and/or content of the notice can vary depending on the legal basis relied upon when processing.

Difference Between Privacy Notice and Privacy Policy

The two terms are often used interchangeably, and there is no universally defined difference. However, some definitions suggest that a Privacy Notice is the content presented at the time personal data is obtained (pop-up, on-screen, form, etc.), whereas a Privacy Policy is an internal policy setting out the obligations and objectives a firm has in relation to maintaining a privacy notice.

At Know Your Compliance Limited, we follow the same approach as the Information Commissioner's Office (ICO) and refer to the provision of information under Article 13 of the UK GDPR as a Privacy Notice.

Information to be Provided to the Data Subject

Under the UK GDPR, Article 13 (data collected directly) and Article 14 (data collected indirectly) set out what information a controller must provide about how, why and when it processes personal data. The rules also cover the individual's rights and the controller's obligations.

This information must be included in a Privacy Notice that is made available to the data subject at the time their personal information is obtained. This notice is the customer-facing policy that sets out how a controller handles, processes and discloses personal information.

Article 13 & 14 Disclosures

  • The identity and contact details of the controller, and controller’s representative where applicable.
  • Data Protection Officer contact details.
  • The purpose(s) of the processing for which the personal information is intended.
  • The legal basis for the processing.
  • Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, details of those interests.
  • The recipients or categories of recipients of the personal data.
  • Whether the controller intends to transfer the personal data to a third country or international organisation, and the existence or absence of an adequacy decision by the Commission.
  • For transfers not covered by adequacy regulations made by the Secretary of State, reference to the appropriate or suitable safeguards.
  • The period for which the personal data will be stored and/or the criteria used to determine the period.
  • Whether providing personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
  • Whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
  • The existence of automated decision-making, including profiling.
  • The existence of the right to:
    • request access to personal data
    • request rectification or erasure of personal data
    • request restriction of processing concerning the data subject
    • object to processing
    • data portability
    • withdraw consent at any time (where legal basis is consent)
    • lodge a complaint with the Commissioner.
  • The categories of personal data (when collected indirectly).
  • The source the personal data originated from and whether it came from publicly accessible sources (when collected indirectly).