Privacy Notice vs Privacy Policy

Name (Policy / Statement)
  Privacy Notice: also called privacy statement or, rarely, privacy policy
  Privacy Policy: also called data protection policy

Definition (Glossary of Privacy Terms by IAPP)
  Privacy Notice: A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. The General Data Protection Regulation requires a controller to provide a privacy notice prior to processing and to specify in the privacy notice the legal basis for the processing, in addition to other details, such as the contact information for the organization's Data Protection Officer. When relying on the legitimate interest ground, the controller must describe the legitimate interests pursued.
  Privacy Policy: An internal statement that governs an organization's or entity's handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.

Legal and standards basis
  Privacy Notice: GDPR art. 13 and 14
  Privacy Policy: GDPR art. 24; ISO 27701 (5.3.2); ISO 27001 (5.2)

Audience
  Privacy Notice: usually external (customers)
  Privacy Policy: internal (employees) and external (suppliers and customers)



Content
  Privacy Notice (the information GDPR art. 13 and 14 require the controller to provide):
    1. The identity and the contact details of the controller
    2. The contact details of the DPO
    3. The purposes and legal basis of the processing, plus information on the legitimate interests pursued (if applicable)
    4. The categories of personal data concerned
    5. The recipients or categories of recipients
    6. Information on transfer to a recipient in a third country
    7. The period for which the personal data will be stored
    8. Rights of the data subject, including the right to withdraw consent at any time (where the processing is based on consent)
    9. The right to lodge a complaint with a supervisory authority
    10. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data
    11. Information on the source of origin of the personal data (art. 14, where the data were not obtained from the data subject)
    12. Information on automated decision-making, including profiling


  Privacy Policy:
    1. Management statement on
    2. A list of legal requirements
    3. Principles relating to processing of personal data
    4. Rights of the data subject
    5. Leadership and commitment
    6. Continual improvement
    7. A short description of security
    8. The contact details of the DPO

Notes
  Other specific internal requirements and procedures should be described in the Data Protection Framework and other internal documents.
  It is recommended to add links to the Information Security Policy and the Data Protection Policy.