Data Protection & Privacy, 20 May 2026, 12 min read

Privacy Policy: Mandatory Disclosures, Update Obligations and Structured Accountability

By Lena Vogt

The privacy policy is not a one-off document, but an information instrument that must be continuously maintained. Arts. 13 and 14 GDPR each list 14 mandatory disclosures. If even one is missing, a transparency violation exists. This article explains who bears responsibility for the policy and how the maintenance process works.

Arts. 13 and 14 GDPR require controllers to fully inform data subjects at the time of data collection about the purpose, legal basis, retention period and their rights. A missing or outdated privacy policy is not a formal deficiency, but a measurable fine risk: German data protection supervisory authorities regularly treat incomplete transparency obligations as violations of the transparency principle under Art. 5(1)(a) GDPR and may impose fines of up to €10 million or 2% of global annual turnover under Art. 83(2) GDPR.

This article describes what a GDPR-compliant privacy policy must contain, when updates are required and how a DPO structures the maintenance process so that it withstands supervisory scrutiny.

Key Takeaways

  • Arts. 13 and 14 GDPR each list 14 mandatory disclosures; if even one is missing, a fine-bearing transparency violation under Art. 5(1)(a) GDPR exists.
  • Every new processing activity, every new service provider and every cookie change triggers an update obligation that the Data Protection Officer monitors in a documented manner.
  • A versioned approval process with timestamp and signature is the decisive evidence before the supervisory authority when a data subject claims they were not properly informed.

Legal Basis: Arts. 13 and 14 GDPR in Overview

The GDPR distinguishes two information scenarios. Art. 13 GDPR applies where personal data are collected directly from the data subject, such as via website forms, ordering processes, application procedures or newsletter sign-ups. Art. 14 GDPR applies where data are not collected directly from the person but originate from third parties, such as purchased address lists, public registers or datasets transmitted by business partners.

In both cases, the information must be provided at the time of collection (Art. 13(1) GDPR) or, where data are not obtained directly, within one month (Art. 14(3) GDPR). A privacy policy on the website covers Art. 13 obligations for website-based data collection; separate Art. 14 notices are required for indirect data acquisition and must be handled separately in the documentation.

Mandatory Disclosures in Detail: What Must Be in Every Privacy Policy

Art. 13(1) GDPR exhaustively lists the minimum content that must be communicated to a data subject upon direct data collection. This includes: identity and contact details of the controller (name, address, email, and where applicable, an EU representative under Art. 27 GDPR), contact details of the DPO if one has been appointed, purposes and legal bases of the processing with explicit reference to the applicable Art. 6 ground as well as the legitimate interests of the controller or third parties where Art. 6(1)(f) is the basis. Recipients or categories of recipients must also be listed, including any transfers to third countries and the applicable safeguards. Retention periods or the criteria for determining them must be stated, along with all data subject rights under Arts. 15–22 GDPR, the right to withdraw consent and the right to lodge a complaint with a supervisory authority.

Art. 13(2) GDPR requires additional information where necessary for fair and transparent processing: the existence of automated decision-making including profiling, and whether the provision of personal data is a contractual or statutory requirement.

Design Requirements: Intelligibility, Accessibility and Language

Art. 12(1) GDPR requires that information be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. For legally trained authors, this represents a translation task: statutory mandatory disclosures must be formulated so that a person without data protection knowledge can understand them. Legal technical terms must either be explained or supplemented with plain-language formulations.

The Data Protection Conference (DSK) recommends a layered approach for websites: a short, easily understandable overview layer and a detailed second layer with the complete legal information. This approach facilitates both user comprehension and full compliance with Art. 13 GDPR requirements.

Website Specifics: Cookies, Tracking and TTDSG

For websites using tracking and cookies, requirements under the Telecommunications-Telemedia Data Protection Act (TTDSG) apply in addition to the GDPR transparency obligations. § 25 TTDSG contains an independent consent provision for accessing users' terminal equipment. The privacy policy must therefore fully cover both GDPR information obligations and TTDSG-relevant processing so that both regulatory frameworks are satisfied simultaneously.

Technically necessary cookies that serve solely to transmit a communication or are strictly required by the user are exempt from the consent requirement under § 25(2) TTDSG. All other cookies — analytics, marketing, personalisation — require prior, informed consent. The privacy policy must transparently document which categories exist, for what purposes they are used and which providers process the data.

Update Obligations: What Changes Trigger a Revision

A privacy policy is not a static document. Every material change to processing activities gives rise to an update obligation. The most common triggers in practice are: integration of new SaaS tools or analytics services with new cookie categories or recipients; changes to or additions of processors under Art. 28 GDPR, particularly where US providers are involved; new processing purposes such as lead-nurturing emails or AI-driven personalisation; and changes to the product catalogue involving new data processes, such as a new customer account or loyalty programme.

The update process must be documented: date of review, reviewer, reason for change, version number and approval by management. A versioned archive of all previous versions of the privacy policy ensures that it can be established at any time which version was in force when a specific data subject was informed.

Accountability within the Organisation: Who Approves the Privacy Policy

Legal responsibility for the privacy policy lies with the controller within the meaning of Art. 4(7) GDPR — in practice, with management. The operational drafting and maintenance sits at the interface between the legal department, IT/web development, marketing and the Data Protection Officer. This interface is not clearly defined in many organisations, which regularly leads to maintenance backlogs.

The Data Protection Officer under Arts. 37–39 GDPR has an advisory and monitoring function. They review the completeness of mandatory disclosures, identify update triggers and coordinate the drafting process between departments. They do not bear legal liability for violations — but they do bear accountability for identifying and communicating deficiencies.

B2B Specifics: Employee Data, Suppliers and Data Processing

In the B2B context, the same requirements apply in principle to the website privacy policy as in B2C, since business partners may also be natural persons: contact persons, representatives, shareholders. In addition, many B2B organisations process data in contexts that trigger specific transparency obligations that must be addressed in the public privacy policy. In practice, B2B organisations frequently overlook these contexts and thereby create silent compliance gaps.

For applicant management, Art. 13 GDPR also applies to job applications received by email or via the website. For suppliers and service providers, transparency is required where natural persons' data are processed — for example, contact persons from partner companies. For employees, a separate employee data protection notice is required that goes beyond the website privacy policy.

Sanction Risks and Supervisory Practice: What Authorities Examine

German state data protection authorities and the Federal Commissioner for Data Protection (BfDI) have systematically reviewed website privacy policies in recent years. The Berlin and Hamburg data protection authorities have repeatedly required organisations to correct their policies. Recurring findings include: missing or outdated legal bases for US services following the invalidation of Privacy Shield in 2020, incomplete information on automated decision-making, and missing contact details of the DPO. These are not theoretical deficiencies — they are the direct grounds for formal warnings and fines.

The most frequently identified deficiencies in SME privacy policies are: incomplete list of recipients for analytics tools; absence of an adequacy mechanism for US data transfers; missing information on data subject rights; outdated retention periods that no longer reflect actual practice; and missing versioning that makes it impossible to establish which version was in force when.

Keeping the Privacy Policy Permanently Up to Date: Process, Not a One-Off Project

The most important lesson from supervisory practice and case law is clear: a privacy policy is not a one-off project, but an ongoing process. Those who draft it once and never revisit it risk an outdated document within 12 to 18 months that can be challenged in any supervisory review or civil dispute.

A structured maintenance process comprises four elements:

  • an annual full review of all mandatory disclosures against the current state of the GDPR, TTDSG and EDPB guidelines;
  • a trigger-based update process for material changes to processing activities;
  • a versioned approval workflow with timestamp, reviewer and management sign-off;
  • an archived version history stored in the compliance workspace so that it can be established at any time which version was in force when.
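The versioned approval workflow and the "which version was in force when" question described above (and in the update-process section earlier) can be modelled as a small append-only register. The following Python sketch is an added example, not the article's or CIVAC's code: management approval is refused while any disclosure item is missing, every archived version carries date, reviewer, reason, version number and approval, and the archive can be queried for the version applicable on a given day. The checklist mirrors the disclosure items the article lists for Art. 13(1) and (2) and is an assumption used for the check, not an authoritative enumeration of the statute; reviewer names, dates and disclosure texts are constructed.

```python
"""Versioned privacy-policy register (added example; checklist and data are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Union

# Disclosure items as summarised in the article for Art. 13(1) and (2) GDPR.
# Assumed list for this example; verify against the statute before real use.
ART13_DISCLOSURES = (
    "controller_identity_and_contact",
    "eu_representative_if_applicable",
    "dpo_contact_if_appointed",
    "purposes_and_legal_bases",
    "legitimate_interests_if_art6_1_f",
    "recipients_or_categories",
    "third_country_transfers_and_safeguards",
    "retention_periods_or_criteria",
    "data_subject_rights_art15_22",
    "right_to_withdraw_consent",
    "right_to_lodge_complaint",
    "automated_decision_making_and_profiling",
    "provision_contractual_or_statutory",
)

DateLike = Union[str, date]


def _as_date(d: DateLike) -> date:
    """Accept ISO strings or date objects so callers need not import datetime."""
    return date.fromisoformat(d) if isinstance(d, str) else d


@dataclass
class PolicyVersion:
    version: str
    effective_from: date
    reviewer: str
    reason: str
    disclosures: Dict[str, str]      # checklist item -> text in this version
    approved_by: Optional[str] = None
    approved_on: Optional[date] = None


def missing_disclosures(v: PolicyVersion) -> List[str]:
    """Checklist items that are absent or empty in this version."""
    return [item for item in ART13_DISCLOSURES
            if not v.disclosures.get(item, "").strip()]


class PolicyRegister:
    """Append-only archive: versions are added, never edited or deleted."""

    def __init__(self) -> None:
        self._versions: List[PolicyVersion] = []

    def approve(self, v: PolicyVersion, manager: str, approved_on: DateLike) -> None:
        """Management sign-off. Refused if a disclosure is missing or the
        version number is reused, so only complete versions reach the archive."""
        gaps = missing_disclosures(v)
        if gaps:
            raise ValueError(f"version {v.version} incomplete: {gaps}")
        if any(x.version == v.version for x in self._versions):
            raise ValueError(f"version {v.version} already archived")
        v.approved_by = manager
        v.approved_on = _as_date(approved_on)
        self._versions.append(v)
        self._versions.sort(key=lambda x: x.effective_from)

    def in_force_on(self, day: DateLike) -> Optional[PolicyVersion]:
        """The approved version that applied on `day`; None before the first version."""
        d = _as_date(day)
        current = None
        for v in self._versions:          # sorted ascending by effective_from
            if v.effective_from <= d:
                current = v
            else:
                break
        return current

    def change_log(self) -> List[tuple]:
        """Evidence trail: version, effective date, reviewer, reason, approver."""
        return [(v.version, v.effective_from.isoformat(), v.reviewer, v.reason, v.approved_by)
                for v in self._versions]


def build_demo_register() -> PolicyRegister:
    """Constructed history: v1.0 from 2024-01-15, v1.1 after a new analytics
    recipient was added with effect from 2024-09-01."""
    reg = PolicyRegister()
    base = {item: f"section on {item.replace('_', ' ')} (constructed)" for item in ART13_DISCLOSURES}
    reg.approve(PolicyVersion("1.0", date(2024, 1, 15), "DPO (constructed)",
                              "initial publication", dict(base)),
                "Managing Director (constructed)", "2024-01-12")
    updated = {**base, "recipients_or_categories": "hosting provider; web analytics provider (constructed)"}
    reg.approve(PolicyVersion("1.1", date(2024, 9, 1), "DPO (constructed)",
                              "new analytics provider added as recipient", updated),
                "Managing Director (constructed)", "2024-08-29")
    return reg


def draft_missing_retention() -> PolicyVersion:
    """A draft that omits the retention period; approve() must reject it."""
    texts = {item: "placeholder (constructed)" for item in ART13_DISCLOSURES}
    texts["retention_periods_or_criteria"] = ""
    return PolicyVersion("1.2", date(2025, 1, 1), "DPO (constructed)", "draft", texts)


if __name__ == "__main__":
    reg = build_demo_register()
    for row in reg.change_log():
        print(row)
    print("in force on 2024-06-01:", reg.in_force_on("2024-06-01").version)
    print("missing in draft:", missing_disclosures(draft_missing_retention()))
```

The register deliberately sorts by effective date rather than by approval date, because the question a supervisory authority asks is which text the data subject could read on the day they were informed; the approval date is kept alongside as the evidence that sign-off preceded publication.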

CIVAC provides DPO workspaces for internal officers and external DPO services for organisations that need a ready-to-go appointment within two working days. The privacy policy maintenance process is one of the documented standard tasks in the CIVAC workspace. info@civac.de.

FAQ

Who bears legal responsibility for the privacy policy on our website?

Legal responsibility lies with the controller within the meaning of Art. 4(7) GDPR — in practice, with management. The DPO advises and monitors under Art. 39(1)(b) GDPR, but bears no independent legal liability for violations by the organisation. Formal approval of each version of the policy lies with the controller.

How often must the privacy policy be updated?

At least once a year and on a trigger basis whenever there is a material change to processing activities: new service providers, new cookies, legislative changes or new guidelines from the European Data Protection Board. Each review should be documented with date, reviewer and approval signature.

Does the information obligation also apply to internally processed employee data?

Yes, employee data are also subject to the information obligation under Art. 13 GDPR in conjunction with § 26 BDSG. In practice, this obligation is fulfilled through a separate employee data protection notice, not through the public website privacy policy.

What are the consequences of an incomplete privacy policy?

Incomplete privacy policies constitute transparency violations under Art. 5(1)(a) GDPR. Supervisory authorities may impose fines under Art. 83(2) GDPR of up to €10 million or 2% of global annual turnover. In Germany, there is also a risk of cease-and-desist letters under the UWG.

Must a privacy policy also be present on a purely informational B2B website?

Yes. Even where only contact forms or web analytics are used, personal data is being processed. The transparency obligations under Art. 13 GDPR apply regardless of whether the website has a transactional or purely informational character.

What must be stated in a privacy policy when US services such as Google Analytics are used?

Since the EU-US Data Privacy Framework (July 2023), Google LLC should be listed as a certified recipient under Art. 45 GDPR. The policy must state the service, the purpose, the legal basis (consent under Art. 6(1)(a) GDPR), the recipient and the link to Google's privacy policy.
