- GDPR Articles 13 and 14 specify mandatory content that every privacy notice must include
- Article 13 applies when you collect data directly from the individual; Article 14 when collected from a third party
- The notice must be provided at the time of collection — not buried in terms and conditions
- Language must be concise, transparent, intelligible, and in plain language — not legalese
A privacy notice is not just a legal formality — it is the primary tool through which you fulfil GDPR's transparency principle. Data subjects have a right to know what you are doing with their data, and you have an obligation to tell them proactively, at the time of collection, in clear language. Generic boilerplate copied from a template does not satisfy this requirement.
Article 13: when you collect data directly
Article 13 applies when you collect personal data directly from the individual — through a form, in an intake meeting, or via your website. The privacy information must be provided at the time of collection. The mandatory content includes:
- Identity and contact details of the controller
- Contact details of the DPO (if applicable)
- Purposes and legal basis for each processing activity
- The legitimate interests pursued (if legitimate interests is the basis)
- Any recipients or categories of recipients of the data
- Whether data will be transferred outside the EEA and the safeguards in place
- Retention periods or the criteria used to determine them
- The individual's rights: access, rectification, erasure, restriction, portability, objection
- Right to withdraw consent (where consent is the lawful basis)
- Right to lodge a complaint with a supervisory authority
- Whether providing data is a statutory or contractual requirement and the consequences of not providing it
- Whether automated decision-making (including profiling) will occur, and if so, the logic and significance
Article 14: when you obtain data from a third party
Article 14 applies when you collect personal data about someone from a source other than the individual themselves — purchasing prospect data, receiving referrals, or obtaining information from public registers. The same information must be provided, plus:
- The categories of personal data concerned (since the individual did not provide it directly)
- The source from which the data was obtained, and whether it came from publicly accessible sources
This must be provided within a reasonable period — at most one month — or at the time of the first communication, or when data is disclosed to a third party, whichever comes first.
Common privacy notice failures
Vague purposes
"We use your data to improve our services and for marketing purposes" does not satisfy the specificity requirement. Each distinct purpose must be stated clearly: "We process your contact details to send you our monthly newsletter on compliance developments (Article 6(1)(a) — consent)."
No retention periods
Saying "we keep your data for as long as necessary" without any further specification does not meet the Article 13(2)(a) requirement. State actual periods or the criteria used to determine them.
Boilerplate rights descriptions
Listing data subject rights without explaining how to exercise them is not sufficient. Your notice should tell individuals how to submit a request — for example, by emailing [email protected] — and what to expect in terms of response time.
Missing DPO contact details
If you have a DPO (mandatory for certain organisations under Article 37), their contact details must appear in the privacy notice. Many firms omit this.
Format and accessibility
GDPR requires privacy notices to be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The ICO and other DPAs recommend a layered approach: a short notice at the point of collection with the key points, linking to a full notice for detail.
Does our privacy notice need to be reviewed regularly?
Yes. Whenever your processing activities change — new systems, new purposes, new third-party processors, new transfers — your privacy notice must be updated. Where the changes are material, notify the data subjects whose data is affected by them.
Is a cookie policy the same as a privacy notice?
No. A cookie policy addresses consent and information requirements under the ePrivacy Directive (for EU) and national implementing regulations. A privacy notice addresses GDPR transparency obligations for all personal data processing. Both are required; many organisations combine them in a layered document.
Privacy documentation built in
HubSecure includes privacy notice templates pre-mapped to regulated business types — covering client data, employee data, and AML processing activities.
Official sources and further reading
Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.
Credibility notes
This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.