Privacy notices — what EU GDPR requires

Updated April 2026 · EU GDPR Articles 12–14 · EDPB aligned

Under Articles 13 and 14 of EU GDPR, organisations must provide individuals with specific information about how their personal data is used — at the point of collection, in plain language, without charge. A privacy notice buried in small print, missing mandatory content, or using vague descriptions of processing purposes does not comply. National DPAs across the EU have taken enforcement action against non-compliant privacy notices.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

Articles 13 and 14 — when each applies

Article 13 applies where personal data is collected directly from the individual — a contact form, registration page, job application. Information must be provided at the time of collection. Article 14 applies where data is obtained from a third party. Information must be provided within one month of obtaining the data, or at first contact with the individual if earlier. Both articles require the same content; the timing differs.

Source: EU GDPR Articles 13 and 14; EDPB Guidelines 01/2022

Mandatory content

Both articles require: controller identity and contact details; DPO contact details where applicable; processing purposes and the lawful basis for each; where legitimate interests are relied upon, what those interests are; recipients or categories of recipients; transfers to third countries and the safeguards applied; retention periods or the criteria used to determine them; the data subject’s rights under Articles 15–21; where consent is the basis, the right to withdraw it; the right to complain to a supervisory authority; whether provision of the data is a statutory or contractual requirement; and whether automated decision-making is used, with meaningful information about the logic involved. Article 14 additionally requires the categories of data and its source.

Source: EU GDPR Articles 13(1), 13(2), 14(1), 14(2)

Plain language and accessibility

Article 12 requires information to be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The EDPB has published guidelines on transparency that set high standards for readability. The French CNIL, the German DPAs, and the EDPB have all cited opacity and inaccessibility as factors in enforcement action against non-compliant privacy notices.

Employee privacy notices

A customer-facing privacy notice does not cover employee data processing. A separate employee privacy notice must address all employment data processing: payroll, performance management, CCTV, communications monitoring, occupational health, and all third-party disclosures. It must be provided before or at the start of employment and updated when processing activities change materially.

Layered notices

The EDPB endorses a layered approach: a concise notice at the point of collection covering key information, with a link to a full notice. The summary layer must contain at minimum the purpose, lawful basis, and an indication of the individual’s rights — not merely a link to the full notice. Multi-language versions are expected where services are offered in multiple member states.

Record this. Keep a dated version history of your privacy notice. Record what changed and why at each update. Where Article 14 applies, retain evidence of how and when affected individuals were notified. Supervisory authorities ask for the notice in force at the time of any complaint.

Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.