Privacy notices are the primary transparency mechanism through which controllers discharge their Articles 13 and 14 obligations. They inform data subjects what data is collected, why it is collected, who it is shared with, how long it is kept, and what rights the data subject has. A notice that fails to provide required information — or buries it in legal language that ordinary people cannot parse — violates Article 5(1)(a)’s transparency principle regardless of how technically complete it may appear.
Transparency is not merely a legal formality. It is the mechanism that enables data subjects to exercise their rights, make informed decisions about the services they use, and hold controllers accountable for how their data is handled. Notices written primarily to satisfy legal checkboxes, rather than to genuinely inform, consistently fail both the transparency standard and the test of serving data subjects’ interests.
Articles 13 and 14: When Each Applies
The distinction between Articles 13 and 14 is the collection method. Article 13 applies when personal data is collected directly from the data subject. Article 14 applies when personal data is obtained from a source other than the data subject. Both require substantially the same information, but the timing and format obligations differ.
ARTICLE 13 vs. ARTICLE 14 — APPLICABILITY AND TIMING
| Dimension | Article 13 (Direct Collection) | Article 14 (Indirect Collection) |
|---|---|---|
| When it applies | Personal data collected directly from the data subject (form submission, account registration, purchase, phone call) | Personal data obtained from third parties, public sources, brokers, or partner organisations |
| When notice must be given | At the time of collection — before or at the point data is submitted | Within a reasonable period (max 1 month) of obtaining; at point of first contact if used to communicate; before disclosure to another recipient |
| Additional requirement vs. Art. 13 | Not applicable | Must state the categories of data obtained and the source(s) from which it was obtained |
| Exemption from Art. 14 | Not applicable | Where data subject already has the information; where impossible or disproportionate; where national law requires confidentiality |
Mandatory Information Elements
Articles 13(1), 13(2), 14(1), and 14(2) specify the information that must be provided. The EDPB’s transparency guidelines (WP260) clarify that ‘must be provided’ means actively communicated — not merely available on request or buried in a document the data subject is unlikely to read.
MANDATORY PRIVACY NOTICE INFORMATION — ARTICLES 13 AND 14
| Category | Required Information | Common Omissions |
|---|---|---|
| Controller identity and contact details | Name and address of controller; contact details of DPO (if designated) | Controller’s registered address omitted; DPO not listed even where mandatory |
| Purpose and lawful basis | Specific purposes for each processing activity; lawful basis relied on for each purpose | Generic ‘improve our services’ language; basis stated without linking to specific purpose |
| Legitimate interests (where applicable) | The specific legitimate interests pursued by the controller or third party | Blanket ‘legitimate business interests’ without specifying what they are |
| Recipients or categories of recipients | Who the data is shared with; if third-country recipients, the transfer mechanism | Third-party analytics vendors not listed; social media pixels not disclosed |
| Third-country transfers | Countries of destination; safeguards in place (SCCs, adequacy decision, etc.) | Cloud provider locations not disclosed; ‘may transfer to countries outside EEA’ without specifying mechanism |
| Retention periods | How long data will be kept, or the criteria used to determine retention | Generic ‘as long as necessary’ with no criteria; no differentiation between data types |
| Data subject rights | Right to access, rectify, erase, restrict, object, portability (where applicable); right to withdraw consent; right to lodge complaint with DPA | Portability omitted; complaint right absent; withdrawal instruction not provided |
| Source of data (Art. 14 only) | Where data was obtained; whether from publicly available sources | Source described vaguely; no distinction between purchased, scraped, and received data |
Layered Notice Architecture
A single comprehensive privacy notice — often referred to as a ‘privacy policy’ — is too long to be read at the point of collection and too compressed to be meaningfully consulted later. The EDPB’s transparency guidelines recommend a layered approach that presents the most critical information concisely at the point of collection, with full detail available in a longer document.
LAYERED NOTICE ARCHITECTURE — THREE TIERS
| Layer | Content | Format | Where Presented |
|---|---|---|---|
| Layer 1 — Just-in-time notice | What data is collected, why, and one key fact (e.g. sharing with third parties or sensitive data use). Link to Layer 2. | 2–3 sentences; tooltip, pop-up, or inline text | At the point of data collection (form, checkout, registration, cookie banner) |
| Layer 2 — Summary notice | All mandatory Article 13/14 information in plain, accessible language; organised by purpose or data type. Link to Layer 3. | 1–2 pages; structured with headers; plain language | Linked from Layer 1; accessible from website footer / app settings |
| Layer 3 — Full privacy policy | Complete legal detail; definitions; all purposes; all transfers; all rights; legal basis analysis; DPO contact | Full document; may be longer; indexed with anchors | Linked from Layer 2; accessible from all pages |
The layered architecture allows data subjects to engage at the level of detail appropriate to their needs. A user completing a checkout form benefits from a one-sentence just-in-time notice explaining what happens to their email address. The same user, if they want to understand the full data processing picture, can navigate through the layers to the complete policy. Neither layer makes the others redundant.
Just-in-Time Notices: Transparency at the Point of Collection
Just-in-time notices are Layer 1 notices delivered at the specific moment a specific type of data is collected. Rather than asking data subjects to read an entire privacy policy before completing a form, just-in-time notices provide the immediately relevant information in context.
JUST-IN-TIME NOTICE — DESIGN EXAMPLES BY COLLECTION CONTEXT
| Collection Context | Data Collected | Just-in-Time Notice Content |
|---|---|---|
| Email newsletter signup | Email address | ‘We’ll use your email to send you our newsletter (approx. weekly). You can unsubscribe at any time. We won’t share your address with third parties. Privacy policy.’ |
| User account registration | Name, email, password | ‘Your details are used to create and manage your account and to provide the service. We retain your data while your account is active and for 2 years after deletion. Privacy policy.’ |
| Checkout / purchase | Name, address, payment details | ‘Your details are used to process and deliver your order. Payment data is processed by [provider] and not stored by us. See full privacy notice.’ |
| Contact form | Name, email, message | ‘We use your contact details to respond to your enquiry. We retain your message for 2 years. We may share with our support team only. Privacy policy.’ |
| Job application | CV, contact details, employment history | ‘Your application data is used for recruitment assessment. If unsuccessful, your data is retained for 6 months unless you consent to longer retention for future roles. See our Recruitment Privacy Notice.’ |
| Health data collection (app) | Health metrics, biometric data | ‘Your health data is special category data under GDPR. It is used only for [specific purpose]. It is not shared with insurers or employers. Full health data privacy notice.’ |
Writing for Comprehension: Plain Language Standards
Article 12(1) requires that privacy information be provided in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.’ The EDPB’s transparency guidelines elaborate: information must be understandable to a lay person, must avoid legal or technical jargon, and must be written at a reading level appropriate to the audience.
PLAIN LANGUAGE PRINCIPLES FOR PRIVACY NOTICES
| Principle | What It Means in Practice | Example of Violation |
|---|---|---|
| Concrete language over abstraction | Name specific purposes, not categories of purpose. ‘Send you offers for similar products’ not ‘marketing purposes’. | ‘We process data for business development, analytics, and operational improvement.’ |
| Active voice | State what the controller does, not what happens to data in passive constructions. | ‘Data may be processed for the purposes of...’ (passive) vs. ‘We use your data to...’ (active) |
| Avoid legal citation as explanation | Articles and recitals are not explanations. State what the right means, not that the right exists. | ‘You have rights under Articles 15–21 of GDPR’ with no explanation of what those rights allow. |
| Define technical terms when used | If data categories, processing terms, or lawful bases are named, explain them briefly. | ‘We rely on legitimate interests under Art. 6(1)(f)’ with no explanation of what that means or what the interests are. |
| Audience-appropriate reading level | Target the reading level of the actual audience. Consumer services should aim for UK readability Grade 8 or below. | A consumer app with a privacy notice written at the level of a legal contract. |
Format and Accessibility Requirements
Article 12(1) also requires that privacy information be ‘easily accessible’. Accessibility has both a technical and a practical dimension. Technically, the notice must be reachable without excessive navigation. Practically, it must be presented in a format that can be read by all users, including those using assistive technologies or accessing the service on mobile devices.
NOTICE FORMAT AND ACCESSIBILITY CHECKLIST
| Requirement | Compliant Practice | Non-Compliant Practice |
|---|---|---|
| Accessibility from all pages | Link in footer of every page; link in account settings; link in all transactional emails | Notice accessible only from the homepage footer; buried under ‘Legal’ section with multiple clicks |
| Format at point of consent | Privacy notice link visible before form submission; accessible without scrolling on mobile | Consent checkbox placed before privacy notice link; notice link below the fold |
| Mobile readability | Responsive design; large enough font; no horizontal scrolling; collapsible sections for long content | Full-length desktop notice not adapted for mobile; 9pt font on mobile screens |
| Language | Notice provided in all languages in which the service is offered; translated by qualified translators, not auto-translate | English-only notice for a multilingual service; machine-translated notice with legal inaccuracies |
| Accessibility for disabled users | Compliant with WCAG 2.1; suitable contrast ratios; screen reader compatible HTML | PDF-only notice with no text alternative; image-based notice content not accessible to screen readers |
| Version control | Notice dated; previous versions archived and accessible; the notice version shown to each user is recorded at the time of consent | Undated notice; no version history; no record of which notice version was in place at any given time |
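The version control row above is the one checklist item that is mostly an engineering problem: the organisation must be able to show, later, which notice text a given person saw when they consented. The following is an added illustration, not code from the original article: a content-addressed notice archive (each published version is kept and identified by the SHA-256 of its text) and a consent log that records that digest. The class names, the in-memory storage and the sample notice texts are assumptions for the example; a real system would persist both to a database and retain the archive for as long as the consent records themselves.

```python
"""Added example (not from the original article): a minimal versioned
privacy-notice archive and consent log. Names, storage model and sample
texts are constructed for illustration."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class NoticeVersion:
    """One published notice, content-addressed so a record cannot silently drift."""
    version: str            # human-readable label, e.g. "2024-01"
    published_at: datetime
    text: str
    digest: str             # SHA-256 of the text, fixed at publication


@dataclass
class NoticeArchive:
    versions: list[NoticeVersion] = field(default_factory=list)

    def publish(self, version: str, text: str, published_at: datetime) -> NoticeVersion:
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if self.versions and published_at <= self.versions[-1].published_at:
            raise ValueError("new version must post-date the current one")
        nv = NoticeVersion(version, published_at, text, digest)
        self.versions.append(nv)   # older versions are kept, never overwritten
        return nv

    def current(self) -> NoticeVersion:
        return self.versions[-1]

    def in_force_at(self, when: datetime) -> NoticeVersion | None:
        """Which notice was live at a given instant (for audits and access requests)."""
        live = [v for v in self.versions if v.published_at <= when]
        return live[-1] if live else None


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str
    given_at: datetime
    notice_version: str
    notice_digest: str


def record_consent(archive: NoticeArchive, subject_id: str, purpose: str,
                   given_at: datetime) -> ConsentRecord:
    """Log consent against the digest of the notice that was actually in force."""
    nv = archive.in_force_at(given_at)
    if nv is None:
        raise ValueError("no notice published at consent time")
    return ConsentRecord(subject_id, purpose, given_at, nv.version, nv.digest)


def consent_matches_archive(archive: NoticeArchive, rec: ConsentRecord) -> bool:
    """Check that a stored consent record points to an archived, unmodified notice."""
    return any(v.version == rec.notice_version and v.digest == rec.notice_digest
               for v in archive.versions)


def build_demo_archive() -> NoticeArchive:
    """Constructed sample data (not a real notice)."""
    a = NoticeArchive()
    a.publish("2024-01", "We use your email to send the newsletter.",
              datetime(2024, 1, 1, tzinfo=timezone.utc))
    a.publish("2024-06", "We use your email to send the newsletter and share it "
              "with [analytics vendor].", datetime(2024, 6, 1, tzinfo=timezone.utc))
    return a


def demo_consent() -> tuple[str, bool]:
    """Consent given in March 2024 is tied to the January notice, not the later one."""
    archive = build_demo_archive()
    rec = record_consent(archive, "user-42", "newsletter",
                         datetime(2024, 3, 15, tzinfo=timezone.utc))
    return rec.notice_version, consent_matches_archive(archive, rec)


def demo_tamper_detected() -> bool:
    """A record whose digest matches no archived version is rejected."""
    archive = build_demo_archive()
    rec = record_consent(archive, "user-7", "newsletter",
                         datetime(2024, 7, 1, tzinfo=timezone.utc))
    forged = ConsentRecord(rec.subject_id, rec.purpose, rec.given_at,
                           rec.notice_version, "0" * 64)
    return not consent_matches_archive(archive, forged)


if __name__ == "__main__":
    print(demo_consent(), demo_tamper_detected())
```

Storing the digest rather than only a version label means that an edit to an already-published text (a common failure when notices live in a CMS) is detectable: the stored consent no longer matches any archived version, which is exactly the "no record of which notice version was in place" finding the checklist warns against.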
Children’s Privacy Notices
Article 12(1)’s plain language requirement applies with particular force to notices directed at children. Where a service is directed at or likely to be accessed by children, the privacy notice must be written at an appropriate reading level and use design elements (visual aids, simplified language, icons) that aid comprehension for young readers. The UK ICO’s Age Appropriate Design Code provides the most detailed practical guidance on this obligation.
| IMPORTANT | Where a service is directed at children under the age of digital consent (16 in most EU member states; lower in some), the privacy notice must be written so a child can understand it — and parental consent mechanisms must be coupled with a parent-facing notice that explains what the child’s data is used for. A notice written only for adults is not compliant for a service used by children, even if children are a minority of the user base. |
Maintaining and Updating Privacy Notices
A privacy notice reflects the current state of processing. Whenever processing activities change — new purposes are added, new recipients are introduced, new transfers to third countries are initiated, retention periods are revised — the notice must be updated to reflect the change before the new processing begins. Publishing a notice and treating it as permanent is one of the most common and consequential transparency failures.
NOTICE UPDATE TRIGGERS
| Trigger | Notice Update Required | Timing |
|---|---|---|
| New processing purpose added | Add purpose, lawful basis, and any new recipients associated with it | Before the new processing begins |
| New third-party recipient or processor introduced | Add recipient or category; add transfer mechanism if outside EEA | Before data is first shared with the new recipient |
| New cross-border transfer | Add destination country; add transfer mechanism (adequacy, SCCs, etc.) | Before data is first transferred |
| Change in retention period | Update retention period for affected data categories | Before the change takes effect |
| Switch from consent to legitimate interests as the lawful basis | Update lawful basis statement; add legitimate interests disclosure; explain right to object | Before processing continues under the new basis; data subjects must be re-informed |
| DPO contact details change | Update DPO contact details | As soon as the change is effective |
| Major regulatory change affecting processing | Review entire notice for accuracy against new legal requirements | Before deadline for compliance with new regulation |
| BITLION INSIGHT | The most effective privacy notice programmes treat the notice as a living product, not a legal document filed once and forgotten. The team responsible for the notice should receive automatic notification whenever a new system is procured, a new data sharing arrangement is executed, or a new marketing channel is launched. A quarterly notice review — comparing the current notice against the current RoPA — catches gaps before they become enforcement findings. |
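The update triggers table and the quarterly review described above both reduce to one comparison: does the current notice disclose every purpose, lawful basis, recipient, third-country transfer and retention period that the register of processing activities (RoPA) records? As an added illustration (not code from the original article), the check below performs that comparison on structured representations of both documents. The record shapes, field names and sample entries are assumptions constructed for the example; an organisation would populate them from its own RoPA and from a structured extraction of its published notice.

```python
"""Added example (not from the original article): a gap check comparing a
structured RoPA against what the current privacy notice discloses. The record
shapes and all sample entries are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessingActivity:
    """One RoPA row, reduced to the fields a notice must mirror (Art. 13/14)."""
    purpose: str
    lawful_basis: str                                   # "consent", "contract", "legitimate_interests", ...
    recipients: frozenset[str] = frozenset()
    transfer_countries: frozenset[str] = frozenset()    # non-EEA destinations
    retention: str | None = None                        # period or criteria; None = undefined in RoPA


@dataclass(frozen=True)
class NoticeDisclosure:
    """What the published notice actually says, extracted into the same shape."""
    purposes: dict[str, str]                        # purpose -> lawful basis as stated
    recipients: frozenset[str]
    transfer_countries: frozenset[str]
    retention_by_purpose: dict[str, str]
    legitimate_interests_named: frozenset[str]      # purposes whose specific interests are spelled out


def notice_gaps(ropa: list[ProcessingActivity], notice: NoticeDisclosure) -> list[str]:
    """Return human-readable findings; an empty list means the notice covers the RoPA."""
    findings: list[str] = []
    for act in ropa:
        if act.purpose not in notice.purposes:
            findings.append(f"purpose not disclosed: {act.purpose}")
            continue  # the remaining checks presuppose the purpose is present
        stated = notice.purposes[act.purpose]
        if stated != act.lawful_basis:
            findings.append(f"lawful basis mismatch for {act.purpose}: "
                            f"notice says {stated}, RoPA says {act.lawful_basis}")
        if act.lawful_basis == "legitimate_interests" and act.purpose not in notice.legitimate_interests_named:
            findings.append(f"legitimate interests not specified for {act.purpose}")
        if act.purpose not in notice.retention_by_purpose:
            findings.append(f"retention period missing for {act.purpose}")
        elif act.retention is None:
            findings.append(f"RoPA defines no retention for {act.purpose}; notice statement unverifiable")
    # Recipients and transfer destinations are disclosed at notice level, so compare as sets.
    for r in sorted({r for a in ropa for r in a.recipients} - notice.recipients):
        findings.append(f"recipient not disclosed: {r}")
    for c in sorted({c for a in ropa for c in a.transfer_countries} - notice.transfer_countries):
        findings.append(f"third-country transfer not disclosed: {c}")
    return findings


def sample_ropa() -> list[ProcessingActivity]:
    """Constructed sample register (not a real organisation's RoPA)."""
    return [
        ProcessingActivity("newsletter", "consent", frozenset({"Email Vendor Ltd"}),
                           retention="until unsubscribe"),
        ProcessingActivity("order fulfilment", "contract", frozenset({"Courier Co"}),
                           retention="6 years"),
        ProcessingActivity("product analytics", "legitimate_interests",
                           frozenset({"Analytics Vendor Inc"}), frozenset({"US"}),
                           retention="26 months"),
    ]


def sample_notice() -> NoticeDisclosure:
    """Constructed notice written before the analytics activity was added to the RoPA."""
    return NoticeDisclosure(
        purposes={"newsletter": "consent", "order fulfilment": "contract"},
        recipients=frozenset({"Email Vendor Ltd", "Courier Co"}),
        transfer_countries=frozenset(),
        retention_by_purpose={"newsletter": "until unsubscribe", "order fulfilment": "6 years"},
        legitimate_interests_named=frozenset(),
    )


if __name__ == "__main__":
    for line in notice_gaps(sample_ropa(), sample_notice()):
        print("GAP:", line)
```

On the sample data the check reports the three findings a new analytics integration typically produces: an undisclosed purpose, an undisclosed recipient and an undisclosed transfer destination. Wired to the procurement or vendor-onboarding workflow, the same function gives the notice team the automatic notification the insight above recommends, before the new processing begins rather than at the next quarterly review.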