DAT-009 Privacy Notice and Transparency
Description
Individuals whose personal data is collected or processed are provided with a clear privacy notice at or before the point of collection. The notice discloses: the identity of the data controller, processing purposes, legal basis, data categories, retention periods, third-party disclosures, data subject rights, and contact details for the DPO or privacy team.
Rationale
Transparency is a foundational GDPR principle and is required for individuals to exercise meaningful control over their data. Inadequate notices are a leading cause of regulatory enforcement action.
Framework Mappings (6)
| Framework reference | Requirement | Coverage |
| --- | --- | --- |
| GDPR-Art.13.1 | Privacy Notice — Data Collected Directly (Core Information) | full |
| GDPR-Art.13.2 | Privacy Notice — Data Collected Directly (Supplementary Information) | full |
| GDPR-Art.14.1 | Privacy Notice — Data Not Collected Directly | partial |
| GDPR-Art.5.1a | Lawfulness, Fairness and Transparency of Processing | partial |
| PT-5 | Privacy Notice | full |
| P1.1 | Privacy Notice | full |
Evidence (2)
Privacy notice (public-facing) disclosing all required GDPR Art.13 and Art.14 information to data subjects at or before the point of data collection.
Example: Privacy Policy / Privacy Notice published at https://[company].com/privacy, with a version date within the last 12 months, covering: controller identity, DPO contact, processing purposes, legal bases, data categories, retention periods, third-party disclosures, international transfer mechanisms, and data subject rights.
Test: Review the published privacy notice. Verify it includes all GDPR Art.13 required elements: (1) controller identity and contact details, (2) DPO contact (if applicable), (3) processing purposes and legal bases for each purpose, (4) retention periods or criteria, (5) third-party recipients or categories of recipients, (6) details of any international transfers and safeguards, (7) all six data subject rights plus right to withdraw consent, (8) right to lodge a complaint with a supervisory authority, (9) notice is currently published and dated.
Privacy notice version history and change log demonstrating that the notice is kept current and material changes are communicated to data subjects.
Example: Privacy notice version log (Git history, CMS version history, or Confluence page history) showing the last 3 versions, each with: date published, summary of changes, and, for any material change, evidence that existing users were notified (email notification or in-product banner).
Test: Request the privacy notice version history and any change communication records. Verify: (1) the current notice version is dated within the last 12 months, (2) a change log or version history is maintained, (3) for any material changes (new purposes, new third-party disclosures, changes to rights mechanisms), evidence exists that existing users were notified before the change took effect, (4) the DPO reviewed and approved the current version.
Questions (2)
Is a current privacy notice published at or before the point of personal data collection, disclosing all information required by GDPR Articles 13 and 14?
The notice must include: controller identity and contact details, DPO contact (if applicable), processing purposes and legal bases, retention periods, third-party recipients, international transfer mechanisms, and all six data subject rights. It should be dated and reviewed within the last 12 months.
What process ensures the privacy notice remains current when processing activities change?
The notice should be updated proactively when new purposes, new third-party recipients, or changes to data subject rights mechanisms are introduced. Annual review alone is insufficient for rapidly evolving SaaS products.