GDPR Privacy Notice — How to Write a Compliant Information Obligation (Articles 13–14 GDPR)
The information obligation is one of the cornerstones of the GDPR and, at the same time, one of the most frequently mishandled requirements. Every company, institution, and organisation that processes personal data must inform the individuals concerned — and that information must meet strictly defined requirements. The document conveying this information is commonly referred to as a privacy notice (or information clause).
In practice, privacy notices are often too vague, incomplete, written in impenetrable legal jargon, or simply copied from the internet without any adaptation to the organisation’s actual processing activities. Each of these errors can constitute a GDPR violation and result in a fine from the supervisory authority.
This article explains step by step how to prepare a proper privacy notice — with references to Articles 13 and 14 of the GDPR, EDPB guidelines, and the practice of the Polish Data Protection Authority (UODO).
What Is the GDPR Information Obligation?
The information obligation is a GDPR requirement to provide the data subject with specified information about the processing of their personal data. The GDPR regulates it in two articles:
Article 13 GDPR — applies when personal data is collected directly from the data subject. Examples: a contact form on a website, a registration form, a customer contract, a recruitment questionnaire.
Article 14 GDPR — applies when personal data has not been obtained directly from the data subject but from another source. Examples: data received from a business partner, data from publicly available registers, data obtained from a marketing agency.
The difference between Article 13 and Article 14 is important — the scope of required information partially overlaps, but Article 14 additionally requires disclosure of the source and categories of data, and the deadline for providing the information differs.
What Must a Privacy Notice Include — Complete Checklist
Below is a complete list of elements that a privacy notice must contain. Elements marked with an asterisk (*) apply only to Article 14 (data from another source).
1. Identity and contact details of the controller — full company or institution name, registered address, contact details (email, phone). If there is a joint controller — details of both entities and information about their arrangement.
2. DPO contact details — if the controller has appointed a Data Protection Officer, their contact details must be provided (email and/or phone). The DPO’s name does not need to be disclosed.
3. Processing purposes and legal basis — for each processing purpose, the appropriate legal basis under Article 6(1) GDPR must be indicated (and for special category data, under Article 9(2)). Writing “we process data in accordance with the GDPR” is not sufficient — specific purposes and specific legal bases must be stated.
4. Legitimate interest of the controller — if the legal basis is Article 6(1)(f) (legitimate interest), the nature of that interest must be specified. Example: “the controller’s legitimate interest is direct marketing of its own products.”
5. Recipients or categories of recipients — it must be stated to whom data is or may be disclosed. These may be specific entities (e.g., the name of an accounting firm) or categories (e.g., “IT service providers,” “public authorities under applicable law”).
6. Information about transfers to third countries — if data is transferred outside the EEA, this must be disclosed along with the applicable safeguard mechanism (e.g., SCCs, adequacy decision).
7. Data retention period — a specific period (e.g., “5 years from the end of the contract”) or the criteria for determining it (e.g., “until consent is withdrawn,” “for the period required by tax law”). A phrase like “for as long as necessary” without further specification is insufficient.
8. Data subject rights — the notice must inform about applicable rights: access, rectification, erasure, restriction of processing, data portability, and objection. If processing is based on consent — the right to withdraw consent at any time (with a note that withdrawal does not affect the lawfulness of processing prior to withdrawal).
9. Right to lodge a complaint — information about the right to lodge a complaint with the supervisory authority (UODO in Poland), including its name and contact details.
10. Whether data provision is mandatory or voluntary — whether providing data is a statutory or contractual requirement, or a condition for entering into a contract, and the consequences of not providing the data.
11. Information about automated decision-making — if the controller uses automated decision-making, including profiling (Article 22 GDPR), meaningful information must be provided about the logic involved, the significance, and the envisaged consequences.
12. Source of data* (Article 14 only) — from what source the data originates (e.g., from a business partner, from a public register, from publicly available sources).
13. Categories of data* (Article 14 only) — what categories of personal data are processed (e.g., identification data, contact data, professional data).
When and How to Provide the Privacy Notice?
Article 13 (data from the individual): The information must be provided at the time the data is collected — e.g., when filling in a form, signing a contract, or starting a recruitment process.
Article 14 (data from another source): The information must be provided within a reasonable period, no later than one month after obtaining the data — or at the time of first contact with the individual if the data is to be used for communication, or at the time of first disclosure to another recipient.
Form of delivery — the GDPR does not prescribe a single form. The notice may be provided in writing (paper), electronically (email, website), orally (at the individual’s request, if identity is confirmed by other means), or in a layered format — a short version with the most important information plus a link to the full version.
Layered Approach — The Recommended Format
The EDPB and the Article 29 Working Party (in Guidelines WP 260) recommend using a layered approach, particularly in a digital environment. This involves presenting the information at two or more levels:
First layer (summary): the most important information, namely who the controller is, for what purpose data is processed, what rights the individual has, and a link to the full notice. It should be short, readable, and visible at the point of data collection (e.g., beneath a contact form).
Second layer (full): The complete privacy notice with all elements required by Article 13 or 14 — available after clicking a link or on a separate page.
This model reconciles the transparency requirement (the individual quickly understands the key points) with the completeness requirement (full information is available).
Language and Form — GDPR Requirements
Article 12(1) of the GDPR requires that information be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language — particularly when the information is addressed to children.
In practice, this means:
Avoid legal jargon — instead of “the Controller processes personal data pursuant to Article 6(1)(f) GDPR,” write “we process your data based on our legitimate interest (Article 6(1)(f) GDPR), which is…”
Use active voice — “we process your data” rather than “data is processed.”
Group information logically — do not create one long block of text; divide the notice into readable sections with headings.
Adapt the language level to the audience — a notice for mobile app users should look different from one for business partners.
Do not copy notices from the internet — every notice should reflect the actual processing activities of your organisation.
Privacy Notice vs. Consent — They Are Not the Same
A very common mistake is confusing the privacy notice with consent for data processing. These are two separate elements:
Privacy notice — a one-sided provision of information to the individual. The controller informs; the individual does not need to sign or confirm anything. The information obligation exists regardless of the legal basis for processing.
Consent — a declaration of will by the individual expressing acceptance of data processing for a specific purpose. Consent must be freely given, specific, informed, and unambiguous (Article 7 GDPR). Consent is one of the six legal bases under Article 6 GDPR.
In practice: the privacy notice is always required, regardless of whether you process data on the basis of consent, a contract, a legal obligation, or a legitimate interest. Consent, on the other hand, is only required when it serves as the legal basis for processing.
Common Mistakes in Privacy Notices
Based on UODO audits, decisions by European supervisory authorities, and audit practice, the most common errors include:
No privacy notice at all — the organisation does not inform individuals about data processing. This is particularly common for employee data processing, CCTV monitoring, and website forms.
Incomplete notice — one or more required elements are missing, most often: the data retention period, information about data subject rights, or DPO contact details.
Vague wording — “data will be stored for the necessary period” (without specification), “data may be shared with cooperating entities” (without identifying categories of recipients).
Overly complex language — a multi-page document written in legal jargon, incomprehensible to the average reader.
One-size-fits-all — the same notice used for customers, employees, contractors, and website users, despite different purposes and legal bases.
No updates — a notice prepared in 2018 and never revised, despite changes in processing activities, purposes, or organisational structure.
Hidden notice — the notice is only available in a hard-to-find location (e.g., buried deep in terms and conditions), violating the accessibility requirement.
Who Needs a Privacy Notice — Group Checklist
Most organisations should have separate privacy notices for the following groups:
- Customers (natural persons) — contract performance, complaint handling
- Website users — cookies, contact forms, newsletters
- Employees — recruitment, employment, personnel files, workplace monitoring
- Job candidates — recruitment process
- Contractors (contact persons) — business cooperation, B2B contract performance
- Individuals under CCTV surveillance — if the organisation operates video monitoring
- Service users — e.g., patients, students, training participants
- Individuals whose data was obtained from another source — requires an Article 14 notice
Practical Checklist — How to Prepare a Privacy Notice Step by Step
- Identify the groups of individuals whose data you process.
- For each group, determine the processing purposes and legal bases.
- Map the data recipients (internal and external).
- Establish data retention periods for each purpose.
- Check whether data is transferred outside the EEA.
- Check whether you use automated decision-making.
- Write the notice in accessible language, divided into sections.
- Apply the layered approach (short version + full version).
- Deliver the notice at the appropriate time and in the appropriate form.
- Schedule regular reviews and updates.
Need Help With Privacy Notices?
Proper privacy notices are a foundation of GDPR compliance — and one of the first elements UODO checks during an audit. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we prepare privacy notices tailored to the actual processing activities of your organisation — complete, compliant with EDPB guidelines, and written in plain language.

Contact us — we will prepare or review your privacy notices.
