A practical analysis of the transparency obligations under Articles 12, 13, and 14 — what information must be disclosed, how it must be presented, and why compliance has never mattered more than in 2026.

Regulation (EU) 2016/679, Arts. 5(1)(a), 12–14 | WP29/EDPB WP260rev.01 | Art. 83(5)(b) | EDPB CEF 2026


Contents

  • Introduction: The Legal Status of the Privacy Policy Under GDPR
  • The Transparency Principle: Article 5(1)(a) as the Foundation
  • Three Interlocking Provisions: The Architecture of the Disclosure Obligation
  • Article 12: How the Information Must Be Provided
  • Article 13: Information Required When Data Is Collected Directly
  • Article 14: Information Required When Data Is Not Collected Directly
  • Special Categories and Criminal Conviction Data
  • Children and the Plain Language Obligation
  • Keeping the Privacy Notice Current
  • What a Privacy Notice Is Not: Addressing Common Misconceptions
  • Enforcement: Fines and the 2026 Coordinated Enforcement Action
  • Practical Compliance Steps
  • Key Statutory and Regulatory References

I. Introduction: The Legal Status of the Privacy Policy Under GDPR

The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), does not itself use the term “privacy policy.” What the Regulation requires is that controllers provide data subjects with a specific set of information about the processing of their personal data in a manner that satisfies detailed standards for form, language, and timing. The document through which most businesses deliver that information — conventionally called a privacy policy, privacy notice, or privacy statement — is not a legal form mandated by the Regulation. It is the practical vehicle most commonly used to discharge the statutory transparency obligation. The legal requirement is to provide the specified information in the specified way; the privacy policy is simply the most widely used mechanism for doing so.

The transparency obligation applies to any controller established in the EU, and to any non-EU controller or processor subject to GDPR by virtue of the Article 3(2) targeting criterion — that is, any non-EU entity that processes the personal data of individuals physically located in the EU in connection with offering goods or services to those individuals or monitoring their behavior within the Union. It is not an obligation that only large technology companies or data-intensive businesses face. Any entity that collects and processes personal data in the context of GDPR — a small business collecting customer contact details, a professional services firm maintaining client records, or a non-profit processing member data — must comply with the disclosure requirements that Articles 12, 13, and 14 impose.

⚠ 2026 Enforcement Focus — Act Now

In October 2025, the European Data Protection Board announced that its 2026 Coordinated Enforcement Framework (CEF 2026) targets transparency and information obligations under Articles 12, 13, and 14 of the GDPR. The CEF 2026 investigation was formally launched in 2026, with national supervisory authorities across the EU conducting simultaneous coordinated audits of privacy notice compliance. Previous CEF investigations have resulted in significant enforcement actions. Organizations that have not recently conducted a thorough review of their privacy notices against the full statutory checklist should treat this enforcement cycle as an immediate prompt to do so.

This page provides a detailed analysis of the three core provisions that together define what GDPR requires of a privacy notice: Article 5(1)(a), the transparency principle; Article 12, which governs how information must be provided; Article 13, which specifies what must be disclosed when data is collected directly from data subjects; and Article 14, which specifies what must be disclosed when data is obtained from other sources. It also addresses the specific obligations that arise when processing involves special categories of data or children, the continuing obligation to keep the notice current, and several widely held misconceptions about what a privacy notice is and is not required to accomplish. It draws on the WP29/EDPB Guidelines on Transparency under Regulation 2016/679, 17/EN WP260rev.01 (adopted and endorsed by the EDPB), which remain the primary interpretive authority on these provisions, as well as enforcement decisions by national supervisory authorities that illustrate how the obligations operate in practice.

II. The Transparency Principle: Article 5(1)(a) as the Foundation

Article 5(1)(a) of the GDPR establishes transparency as one of the Regulation’s seven foundational data protection principles: personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject.” The transparency requirement is not a procedural technicality sitting at the edge of GDPR compliance; it is a core constitutional element of the data protection framework on which a cascade of other rights and obligations depends. Recital 39 gives the principle its most direct expression: any information addressed to the public or to data subjects must be concise, easily accessible, and easy to understand; clear and plain language must be used; and information must not be encoded in legal boilerplate or buried in conditions that cannot realistically be read or understood by the individuals to whom it relates.

The structural consequence of the transparency principle’s foundational status is significant for enforcement purposes. Because Articles 13 and 14 are the operational implementation of Article 5(1)(a), a failure to provide required information is simultaneously a breach of the specific informational obligation and a violation of the basic transparency principle. This dual characterization matters because violations of Article 5 are among those subject to GDPR’s upper-tier administrative fine under Article 83(5): up to €20,000,000 or, for undertakings, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. A deficient privacy notice is not merely a technical non-compliance attracting a modest penalty; it is a foundational data protection violation that can attract the maximum available fine.

The transparency principle also defines the purpose of the entire privacy notice regime. The GDPR’s structure of data subject rights — access under Article 15, rectification under Article 16, erasure under Article 17, restriction of processing under Article 18, data portability under Article 20, and the right to object under Article 21 — is predicated on data subjects having been told what processing is occurring, for what purpose, on what legal basis, and for how long. A privacy notice that fails to provide this information, or that provides it in language so opaque that data subjects cannot extract meaning from it, undermines not only the transparency obligation but the practical operability of every downstream data subject right. Transparency is therefore not a standalone requirement; it is the precondition for meaningful data subject autonomy across the entire GDPR framework.

III. Three Interlocking Provisions: The Architecture of the Disclosure Obligation

GDPR’s transparency framework operates through three interlocking Articles. Article 12 sets the standards for how information must be communicated — the form, language, accessibility standards, and timing rules. Article 13 specifies the substantive content of the disclosure when personal data is collected directly from the data subject. Article 14 specifies the substantive content when personal data has not been obtained from the data subject — that is, when it was collected from a third-party source, inferred from data held by other entities, purchased from a data broker, scraped from publicly accessible sources, or shared by a business partner. Article 12 governs the delivery vehicle; Articles 13 and 14 fill its contents. All three provisions must be read and applied together.

The first practical question for any controller is whether the processing involves data collected directly from data subjects (triggering Article 13), data collected from another source (triggering Article 14), or both. Most modern commercial data processing involves both. A business collects some personal data directly — customers enter their name, address, and payment details at checkout; users submit their email address to sign up for a newsletter; employees complete onboarding forms with employment-related information. The same business also receives or derives data from third-party sources — it uses advertising technology platforms that track user behavior across the web, engages a data enrichment service that appends demographic information to its customer records, or receives referral data from a commercial partner. Both Articles 13 and 14 apply to such a business, each governing a different strand of its data collection activities. A privacy notice that satisfies only Article 13 and ignores the Article 14 obligations for indirectly collected data is legally incomplete regardless of how well it addresses directly collected data.

IV. Article 12: How the Information Must Be Provided

A. The Four Core Standards

Article 12(1) of the GDPR requires that the controller take “appropriate measures to provide any information referred to in Articles 13 and 14 … to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” These four adjectives — concise, transparent, intelligible, and easily accessible — each carry substantive content in the WP29/EDPB Guidelines on Transparency (WP260rev.01) and in supervisory authority enforcement decisions. They are not synonymous with one another, and a privacy notice can fail one standard while technically satisfying the others.

B. Clear and Plain Language

Article 12(1)’s clear and plain language requirement operates alongside and in addition to the intelligibility standard. WP260rev.01 provides detailed practical guidance: the language should be concrete and definitive rather than vague and open-ended; active voice should be preferred over passive constructions (not “your data may be processed for marketing purposes” but “we will use your email address to send you marketing newsletters”); direct address should be used, with the data subject referred to as “you” rather than “the data subject”; and any technical terms that must be included should be defined or explained.

C. The Layered Notice Approach

There is an inherent tension between the comprehensive substantive content that Articles 13 and 14 require and the conciseness and accessibility that Article 12(1) demands. The WP29/EDPB resolved this tension in WP260rev.01 through the endorsement of a layered notice approach. A layered notice presents information in graduated levels of detail: a first layer provides a short, clearly structured summary of the most important information — the identity of the controller, the key processing purposes, the most significant data subject rights, and the location of the full notice — while subsequent layers contain the full Article 13 and 14 content for data subjects who wish to know more.

D. Electronic Delivery and Free of Charge

Article 12(1) permits information to be provided “in writing, or by other means, including, where appropriate, by electronic means.” Article 12(5) provides that information under Articles 13 and 14 must be provided free of charge.

V. Article 13: Information Required When Data Is Collected Directly

A. Timing: At the Time of Collection

Article 13 applies wherever personal data is collected directly from the data subject. The information prescribed by Article 13 must be provided “at the time” the personal data is obtained — that is, before or simultaneously with collection.

B. Controller Identity, Representative, and DPO — Article 13(1)(a) and (b)

Article 13(1)(a) requires the identity and contact details of the controller and, where applicable, the controller’s representative. Article 13(1)(b) requires the contact details of the data protection officer, where one has been designated under Article 37.

C. Purposes and Legal Bases — Article 13(1)(c) and (d)

Article 13(1)(c) requires disclosure of the purposes for which the personal data is intended to be processed and the legal basis for each purpose. Article 13(1)(d) imposes an additional disclosure obligation where the controller relies on legitimate interests: the notice must identify what those legitimate interests are.

D. Recipients and International Transfers — Article 13(1)(e) and (f)

Article 13(1)(e) requires disclosure of the recipients or categories of recipients. Article 13(1)(f) requires disclosure of any intended international transfers, the destination country, and the applicable transfer mechanism.

E. Retention Periods, Data Subject Rights, and Related Disclosures — Article 13(2)

Article 13(2) specifies additional mandatory information: retention periods or the criteria used to determine them; all six data subject rights (access, rectification, erasure, restriction, portability, and objection); the right to withdraw consent; the right to lodge a complaint with a supervisory authority; whether providing the data is mandatory or voluntary; and the existence of any automated decision-making.

F. Further Processing — Article 13(3)

Where a controller intends to process personal data for a purpose other than the one for which it was originally collected, the controller must provide data subjects — before that further processing begins — with information about the new purpose and any additional relevant information.

VI. Article 14: Information Required When Data Is Not Collected Directly

A. Scope and Substantive Content

Article 14 applies wherever personal data has not been obtained from the data subject. The substantive content required mirrors Article 13 almost entirely, with one significant additional element.

B. The Source-of-Data Disclosure — Article 14(2)(f)

Article 14(2)(f) requires that the notice inform the data subject of the source from which the personal data originates and, if applicable, whether it came from publicly accessible sources. This disclosure has no parallel in Article 13.

C. Timing Requirements — Article 14(3)

Article 14(3) imposes a phased timing structure: the information must be provided within a reasonable period after the data is obtained and at the latest within one month; if the data is used to communicate with the data subject, at the latest at the time of the first communication; or, if disclosure to another recipient is envisaged, at the latest when the data is first disclosed. Whichever of these deadlines occurs first governs.

D. Article 14(5) Exemptions

Article 14(5) provides four narrow exemptions: where the data subject already has the required information; where providing information is impossible or involves disproportionate effort; where obtaining or disclosure is expressly laid down by law; or where the data must remain confidential subject to professional secrecy.

VII. Special Categories and Criminal Conviction Data

Where processing includes special categories under Article 9(1) or criminal data under Article 10, the privacy notice must identify the specific Article 9(2) derogation or Article 10 basis with particularity. Generic descriptions of special category processing are inadequate.

VIII. Children and the Plain Language Obligation

Where a service is directed at or likely to be accessed by children, the privacy notice must be in clear and plain language that the child can easily understand. Controllers should consider a separate child-adapted version where the standard notice is not accessible to child users.

IX. Keeping the Privacy Notice Current

A privacy notice is a living document requiring active governance. Material changes to processing activities, data categories, recipients, or legal bases require notification to data subjects before the changes take effect. Prior versions should be retained as accountability records under Article 5(2).

X. What a Privacy Notice Is Not: Addressing Common Misconceptions

A privacy notice is not a consent mechanism. Acknowledging a privacy notice does not constitute valid GDPR consent. A privacy notice is not a data processing agreement under Article 28(3). Publication of a public-facing privacy policy does not satisfy Article 14 obligations for individuals who have not seen it. A privacy notice is not a substitute for the right of access under Article 15.

XI. Enforcement: Fines and the 2026 Coordinated Enforcement Action

Violations of Articles 12, 13, and 14 engage the upper tier of GDPR administrative fines under Article 83(5)(b): up to €20,000,000 or 4% of total worldwide annual turnover. The EDPB’s 2026 Coordinated Enforcement Framework specifically targets transparency and information obligations, with national supervisory authorities conducting simultaneous coordinated audits across the EU.

XII. Practical Compliance Steps

  • Map all data flows and collection methods to determine which data is subject to Article 13 and which to Article 14.
  • Verify completeness against the Article 13(1) and 13(2) checklists for all directly collected data.
  • Satisfy Article 14 for all indirectly collected data, including the source-of-data disclosure and delivery within timing requirements.
  • Apply the Article 12(1) plain language test with a non-specialist reviewer.
  • Consider a layered notice structure for complex processing activities.
  • Address special categories and criminal data separately with specific derogation identification.
  • Assess child-accessibility where the service reaches individuals under 16.
  • Disclose all international transfers with applicable transfer mechanisms.
  • Establish version control and a scheduled review process.
  • Confirm that notice acknowledgment and consent capture are distinct mechanisms.

XIII. Key Statutory and Regulatory References

Legal Disclaimer. This page is provided for general informational and educational purposes only and does not constitute legal advice. No attorney-client relationship is created by accessing or reading this page.