UK

UK GDPR: Privacy Notice Requirements (Articles 13-14)

Privacy Notice Requirements [Arts 13-14]

Rule: You must tell people what you’re doing with their data at the point of collection.

Article 13: Data collected directly from the person

Must include:

InformationDetailsCitation
Who you areController identity, contact details, DPO contactArt 13(1)(a-b)
Why you’re processingPurposes and legal basisArt 13(1)(c)
Legitimate interestsIf relying on LI, explain what they areArt 13(1)(d)
Who receives dataRecipients or categories of recipientsArt 13(1)(e)
International transfersIf transferring outside UK, explain safeguardsArt 13(1)(f)
Retention periodHow long you’ll keep data, or criteria to determineArt 13(2)(a)
RightsAccess, rectification, erasure, portability, objectionArt 13(2)(b-d)
WithdrawalRight to withdraw consent (if applicable)Art 13(2)(c)
ComplaintsRight to complain to ICOArt 13(2)(d)
Automated decisionsIf using profiling/automated decisions, explain logicArt 13(2)(f)

Article 14: Data obtained from other sources

Same requirements as Art 13, plus:

  • Categories of data obtained
  • Source of the data
  • Must provide within 1 month (or at first communication)

Source Text (Article 13)

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party…

  2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; (b) the existence of the right to request from the controller access to and rectification or erasure of personal data…

Citation

Article 13, UK GDPR | Article 14

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.

llms.txt