Privacy Notice at Data Collection
Plain English Translation
Under GDPR Article 13, organizations must provide individuals with a clear, concise, and accessible privacy notice at the exact moment their personal data is collected. This GDPR privacy notice must detail who is collecting the data, the specific purpose and lawful basis for processing, who it will be shared with, and how long it will be retained. It also ensures data subjects are fully informed about their privacy rights, including how to access, delete, or object to the processing of their information.
Technical Implementation
Required Actions (startup)
- Publish a basic privacy policy on the website covering all Article 13 requirements.
- Include a hyperlink to the public privacy policy in all user registration forms and cookie banners.
Required Actions (scaleup)
- Implement a layered privacy notice approach, showing key processing details directly at the point of collection.
- Maintain logs of user consent and policy version acknowledgments.
Required Actions (enterprise)
- Deploy a centralized consent and preference management platform to automate the delivery of context-specific privacy notices.
- Integrate dynamic privacy notices that update based on the exact data being collected across global applications.
Evidence Required
GDPR Article 13 dictates the information a data controller must provide to a data subject when personal data is collected directly from them. It applies at the exact moment an organization gathers personal information from an individual, such as through a website form or account registration.
A GDPR privacy notice must include the controller identity, the Data Protection Officer contact details, the purposes and lawful basis for processing, data recipients, international transfer details, retention periods, and a comprehensive list of data subject rights.
According to Article 13, the privacy notice requirements must be met at the time when personal data are obtained. This means the notice or a direct link to it must be presented exactly at the point of collection, rather than later.
Organizations are explicitly required to state both the specific purposes for which the personal data are intended and the legal basis for the processing, such as consent, contract, or legitimate interest, in the privacy notice.
The privacy notice must explicitly inform individuals of their right to request access, rectification, or erasure of personal data, as well as the right to restrict or object to processing, and the right to data portability. The explanation should use clear and plain language.
Organizations must disclose the period for which the personal data will be stored. If it is not possible to give an exact retention period, the privacy notice must instead set out the specific criteria used to determine that period.
Organizations must also disclose the recipients, or the categories of recipients, to whom the personal data will be disclosed. Naming specific third parties provides maximum transparency, but listing categories of service providers is generally acceptable.
If the organization intends to transfer personal data to a third country or international organization, the privacy notice must disclose this fact. It must also reference the existence or absence of an adequacy decision, or the appropriate safeguards used and how to obtain a copy of them.
The information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Organizations often use a layered approach, providing key privacy details directly in the sign-up UI with a prominent link to the full privacy policy.
Privacy notices should be reviewed at least annually or whenever there are material changes to data processing activities. Users should be notified of significant changes prior to further processing, typically via email or a prominent notification upon their next login.
Privacy notices often drift from reality as forms, products, and vendors change. Tools like WatchDog Security's Compliance Center can help teams track GDPR control requirements, map evidence (e.g., current notices, screenshots, DPIAs), and highlight gaps when collection points or processing activities change so the notice stays consistent with how data is actually used.
Auditors typically expect to see what notice/policy was in effect at the time of collection and whether key acknowledgments were captured when applicable. Tools like WatchDog Security's Policy Management can centralize privacy notice versions, maintain approval history, and track attestations/acknowledgments so you can demonstrate which version was presented and when it was updated.
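As an added illustration of the consent and version-acknowledgment logging called for in the scaleup actions above, and of the "which version was presented, and when" evidence auditors ask for, the following Python module is example code written for this page; it is not part of the page's original content and not WatchDog Security's software. It keeps approved notice versions bound to a content hash of their exact wording, records each acknowledgment in an append-only log, and audits the log against the registry to flag a form that kept showing an outdated version or wording that drifted from the approved text. All names, dates, and notice texts are constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


def sha256_hex(text: str) -> str:
    """Content hash that binds a version label to the exact wording shown."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class NoticeVersion:
    version: str             # label such as "1.0"
    effective_from: datetime  # when this version became the approved notice
    text: str                # full notice wording as rendered to the user

    @property
    def content_hash(self) -> str:
        return sha256_hex(self.text)


class NoticeRegistry:
    """Approved notice versions, kept sorted by effective date."""

    def __init__(self) -> None:
        self._versions: list[NoticeVersion] = []

    def publish(self, version: str, effective_from: datetime, text: str) -> NoticeVersion:
        nv = NoticeVersion(version, effective_from, text)
        self._versions.append(nv)
        self._versions.sort(key=lambda v: v.effective_from)
        return nv

    def get(self, version: str) -> NoticeVersion | None:
        return next((v for v in self._versions if v.version == version), None)

    def in_effect_at(self, when: datetime) -> NoticeVersion | None:
        """Latest version whose effective date is at or before `when`."""
        candidates = [v for v in self._versions if v.effective_from <= when]
        return candidates[-1] if candidates else None


@dataclass(frozen=True)
class Acknowledgment:
    subject_id: str
    collection_point: str    # e.g. "signup_form"; hypothetical identifier
    notice_version: str      # version label the UI claimed to show
    notice_hash: str         # hash of the text actually presented
    acknowledged_at: datetime


class ConsentLog:
    """Append-only log: one entry per presentation and acknowledgment."""

    def __init__(self) -> None:
        self._entries: list[Acknowledgment] = []

    def record(self, subject_id: str, collection_point: str, presented_text: str,
               version: str, when: datetime) -> Acknowledgment:
        ack = Acknowledgment(subject_id, collection_point, version,
                             sha256_hex(presented_text), when)
        self._entries.append(ack)
        return ack

    def audit(self, registry: NoticeRegistry) -> list[str]:
        """One finding per entry that disagrees with the approved registry."""
        findings: list[str] = []
        for ack in self._entries:
            who = f"{ack.subject_id}@{ack.collection_point}"
            known = registry.get(ack.notice_version)
            if known is None:
                findings.append(f"{who}: unknown notice version {ack.notice_version}")
            elif known.content_hash != ack.notice_hash:
                findings.append(f"{who}: presented text does not match approved text "
                                f"for version {ack.notice_version}")
            expected = registry.in_effect_at(ack.acknowledged_at)
            if expected is not None and expected.version != ack.notice_version:
                findings.append(f"{who}: presented {ack.notice_version} but "
                                f"{expected.version} was in effect")
        return findings

    def to_jsonl(self) -> str:
        """Export for evidence requests; timestamps are ISO 8601 in UTC."""
        return "\n".join(json.dumps({
            "subject_id": a.subject_id, "collection_point": a.collection_point,
            "notice_version": a.notice_version, "notice_hash": a.notice_hash,
            "acknowledged_at": a.acknowledged_at.isoformat(),
        }) for a in self._entries)


def demo() -> list[str]:
    """Constructed scenario: one clean entry, one stale form, one edited text."""
    utc = timezone.utc
    reg = NoticeRegistry()
    v1 = reg.publish("1.0", datetime(2026, 1, 1, tzinfo=utc), "Notice v1: we collect X.")
    v2 = reg.publish("1.1", datetime(2026, 3, 1, tzinfo=utc), "Notice v1.1: we collect X and Y.")
    log = ConsentLog()
    log.record("alice", "signup_form", v1.text, "1.0", datetime(2026, 2, 10, tzinfo=utc))
    # form never updated after v1.1 took effect
    log.record("bob", "signup_form", v1.text, "1.0", datetime(2026, 3, 5, tzinfo=utc))
    # correct version label, but wording was edited outside the approval process
    log.record("carol", "newsletter", v2.text + " (edited)", "1.1",
               datetime(2026, 3, 6, tzinfo=utc))
    return log.audit(reg)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The hash, not the version label, is what ties an acknowledgment to the wording the person actually saw, so a label reused for edited text is caught by the audit rather than silently accepted.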
"1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing..."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |