A data protection notice (also known as “privacy policy”) is an accountability tool that helps a data controller demonstrate that it is compliant with data protection law, in particular in respect of its obligations under the transparency principle (Articles 12 to 14 of the General Data Protection Regulation (GDPR)), and to fulfil the right of data subjects to receive certain information in relation to a data controller’s processing operations. The general approach of the Data Protection Commission (DPC) in relation to privacy policies is that they should reflect a detailed examination of an organisation's processing of personal data and the application of data protection law to these practices. The privacy policy should be a dynamic document, regularly reviewed and updated to reflect changes in the way the organisation processes personal data.

Firstly, in accordance with a functional approach, a data controller should carefully assess its business and the activities in which it deals with personal data, making sure that the data protection notice will reflect what its processing operations really are. Once a data controller has singled out each data processing operation, it will have to gather all the information about the operations that data protection law requires it to provide to data subjects, including the purpose of processing, the recipients of the personal data, the retention period, and so on.

Thereafter, a data controller should consider the categories of data subjects it must provide the information to, in order to draft, in appropriate language, the data protection notice. Before making a data protection notice available, remember to check whether certain information should be omitted in accordance with applicable exemptions or derogations to data protection rights.

For more information, read our detailed guidance on data protection principles.

To help organisations identify any gaps in their data protection practices, the DPC has a Data Protection Self-Assessment Checklist.