GDPR Article 13: what your privacy policy must include
Under UK GDPR Article 13, when you collect personal data directly from someone, your privacy policy must tell them: who you are, why you are collecting their data, the legal basis, who you share it with, how long you keep it, and their rights. Article 13 lists 12 specific pieces of information that must be provided at the point of collection.
Many UK businesses have a privacy policy on their website, but a surprising number fail to cover all 12 mandatory items. This guide walks through each requirement in plain English, with practical advice on what to include and common gaps to watch for.
When Article 13 applies
Article 13 is triggered whenever you collect personal data directly from the individual — through a contact form, checkout process, newsletter signup, account registration, or any other direct interaction. This is the most common data collection scenario for websites and online businesses.
There is a related provision, Article 14, which applies when you obtain personal data from a source other than the individual themselves (for example, from a third-party data broker or a publicly available register). Article 14 has slightly different requirements, but this guide focuses on Article 13 as it applies to the vast majority of website data collection.
The information must be provided at the time you collect the data, not after the fact. For a website, this typically means having a clearly linked privacy policy accessible from every page, and linking to it specifically from any forms where you collect personal data.
The 12 mandatory items
1. Identity and contact details of the controller
Your privacy policy must state who is responsible for the personal data you collect. This means your organisation's full legal name, registered address, and at least one contact method (email address, phone number, or postal address). If you are a limited company, include your Companies House registration number. Do not hide behind a generic brand name — the individual needs to know who the legal entity is.
2. Contact details of your Data Protection Officer
If you have appointed a Data Protection Officer (DPO), you must provide their contact details. Not every organisation needs a DPO (see the FAQ section below), but if you have one — whether because it is required or because you chose to appoint one voluntarily — their name and contact information must be in your privacy policy.
3. The purposes of processing
Explain clearly why you are collecting and using personal data. Be specific — vague statements like "to improve our services" or "for business purposes" are not sufficient. Good examples include: to process and fulfil your order, to send you marketing emails you have opted into, to respond to your enquiry submitted via our contact form, to analyse website usage through Google Analytics.
4. The legal basis for processing
For each purpose you have identified, you must state which of the six legal bases under Article 6 you are relying on. The six bases are: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Most small business websites will rely on a combination of contract (for order processing), consent (for marketing), and legitimate interests (for certain analytics and security purposes).
5. Legitimate interests pursued
If you rely on legitimate interests as your legal basis for any processing, you must explain what those interests are. For example: "We have a legitimate interest in analysing website traffic to improve our services" or "We have a legitimate interest in preventing fraud." Be specific about what the interest is and why it justifies the processing.
6. Recipients or categories of recipients
List who you share personal data with, or at least describe the categories. This includes payment processors, email marketing platforms, analytics providers, hosting companies, delivery partners, and any other third parties that receive or can access personal data. Name specific recipients where possible, or describe categories such as "payment service providers" and "email marketing platforms."
7. International transfer details
If personal data is transferred outside the UK, you must state this and explain the safeguards in place. Many common services transfer data internationally — Google Analytics sends data to the United States, Mailchimp is US-based, and so on. Identify which countries data is transferred to and what legal mechanism protects the transfer (UK adequacy regulations, standard contractual clauses, or binding corporate rules).
8. Retention period or criteria
State how long you keep personal data, or if a fixed period is not possible, the criteria you use to determine retention. Be as specific as you can. Good examples: "Order records are retained for 6 years to comply with HMRC requirements." "Marketing consent records are kept for as long as you remain subscribed, plus 12 months." Avoid vague statements like "as long as necessary."
9. Data subject rights
Inform individuals of their rights under UK GDPR. These include the right of access (to obtain a copy of their data), the right to rectification (to correct inaccurate data), the right to erasure (to have data deleted in certain circumstances), the right to restrict processing, the right to data portability, and the right to object to processing. You do not need to reproduce the full legal text, but you must clearly inform people that these rights exist and how to exercise them.
10. Right to withdraw consent
Where you rely on consent as your legal basis, you must tell individuals that they have the right to withdraw consent at any time, and explain how to do so. For email marketing, this is typically the unsubscribe link. For cookies, it might be your consent management platform's settings. Make the withdrawal process as easy as the original consent.
11. Right to complain to the ICO
You must inform individuals of their right to lodge a complaint with the Information Commissioner's Office (ICO). Include the ICO's contact details or a link to their website (ico.org.uk). This is a frequently missed item — many privacy policies forget to mention the ICO entirely.
12. Whether providing data is a statutory or contractual requirement
Tell individuals whether providing their personal data is required by law, required by a contract, or purely voluntary — and what happens if they do not provide it. For example: "Providing your name and address is necessary for us to fulfil your order. If you do not provide this information, we cannot process your purchase." Or: "Providing your email for our newsletter is entirely voluntary."
Article 13 vs Article 14
Article 13 applies when you collect data directly from the individual. Article 14 applies when you obtain data from another source — a data broker, a public register, a referral, or any third party.
Article 14 requires largely the same information, with two key differences. First, you must tell the individual where you obtained their data from (the source). Second, you must provide this information within a reasonable period — no later than one month after obtaining the data, or at the point of first communication if you intend to contact the individual.
If your business buys mailing lists, uses lead generation services, or obtains data from partner organisations, Article 14 applies to that data and your privacy policy (or a separate notice) needs to address it.
Common gaps in UK privacy policies
Based on reviewing hundreds of UK small business privacy policies, these are the most frequent gaps:
- Missing legal basis. Many policies describe what data they collect and why, but never state the legal basis for each purpose. This is a core requirement.
- Vague retention periods. Statements like "we keep your data for as long as necessary" or "in accordance with our retention schedule" do not meet the Article 13 standard. Be specific.
- No mention of the ICO. The right to complain to the supervisory authority is frequently omitted.
- Generic templates not customised. Many businesses use a template privacy policy without adapting it to reflect their actual data processing activities, resulting in irrelevant sections and missing relevant ones.
- Forgetting cookie-related processing. Your privacy policy should cover data collected through cookies and analytics tools, or clearly reference a separate cookie policy that does.
Privacy policy checklist
- Include your organisation's full legal name, registration number (if a limited company), and contact details.
- Include DPO contact details if you have appointed one.
- List every purpose for which you process personal data, written in plain English.
- State the legal basis (Article 6) for each processing purpose.
- If relying on legitimate interests, explain what those interests are.
- Name the recipients or categories of recipients you share data with.
- Disclose any international data transfers and the safeguards used.
- Provide specific retention periods or clear criteria for each category of data.
- List all data subject rights and explain how to exercise them.
- Explain the right to withdraw consent and how to do it.
- Include the right to complain to the ICO with their contact details.
- State whether providing data is a contractual or statutory requirement and the consequences of not providing it.
Common mistakes
Using a generic template without customisation
Free privacy policy generators and templates can be a reasonable starting point, but they must be adapted to your specific processing activities. A template that mentions processing purposes you do not carry out, or omits ones you do, creates both compliance risk and confusion for your users. Review every section against your actual data practices. See our comparison of privacy policy generators for tools that can help.
Missing retention periods
This is the single most common gap. Many businesses simply do not know how long they keep different types of data. Before writing your privacy policy, map out each category of data you hold and set a defensible retention period. Consider legal requirements (6 years for tax records under HMRC rules, for example), contractual obligations, and practical necessity.
No legal basis specified
Listing purposes without connecting them to a legal basis is a clear Article 13 failure. Every processing purpose must be linked to one of the six legal bases. This also forces you to think critically about whether you actually have a valid basis for each activity.
Forgetting about cookie data
Data collected through cookies — browsing behaviour, IP addresses, device identifiers — is personal data. Your privacy policy needs to address it. Either include a comprehensive section on cookies within your main privacy policy, or clearly link to a separate cookie policy. In either case, make sure you cover the purposes, legal basis, and third-party recipients for cookie-related processing. For more on cookie requirements, see our guide to PECR.
Frequently asked questions
Do I need a Data Protection Officer (DPO)?
Most small businesses do not need a DPO. Under UK GDPR Article 37, you must appoint a DPO if you are a public authority, if your core activities require large-scale systematic monitoring of individuals, or if your core activities involve large-scale processing of special category data (health, biometric, racial or ethnic origin, etc.). If none of these apply, a DPO is not mandatory — but you still need someone responsible for data protection compliance, and you must provide their contact details in your privacy policy.
What is a "legal basis" for processing personal data?
A legal basis is the lawful reason you are allowed to process someone's personal data. UK GDPR Article 6 sets out six legal bases: consent (the individual has given clear consent), contract (processing is necessary to fulfil a contract with the individual), legal obligation (processing is necessary to comply with the law), vital interests (processing is necessary to protect someone's life), public task (processing is necessary for a task in the public interest), and legitimate interests (processing is necessary for your legitimate interests, provided they are not overridden by the individual's rights). You must identify and document which legal basis applies to each type of processing you carry out, and state this clearly in your privacy policy.
How specific does my retention period need to be?
Your retention period should be as specific as reasonably possible. Saying "we keep data as long as necessary" is not sufficient — the ICO expects you to provide meaningful information. Ideally, state a specific period (for example, "we retain purchase records for 6 years to comply with tax obligations" or "we delete inactive account data after 24 months"). Where a fixed period is genuinely not possible, explain the criteria you use to determine how long data is kept, such as "for the duration of your account plus 12 months."
Do I need a separate cookie policy?
There is no legal requirement for a separate cookie policy — you can include cookie information within your main privacy policy. However, many organisations choose to maintain a separate cookie policy for clarity, particularly if they use a significant number of cookies. Whether combined or separate, you need to explain what cookies you use, why you use them, how long they last, and whether they are first-party or third-party. Cookie consent requirements are governed by PECR rather than UK GDPR, so your cookie information should address both regulations.
What if I use Google Analytics — what do I need to include?
If you use Google Analytics (GA4), your privacy policy needs to cover several points. First, disclose that you use Google Analytics and explain its purpose (website usage analysis). Second, state the legal basis — most businesses rely on consent, since GA4 sets non-essential cookies that require consent under PECR. Third, explain that data is transferred to Google's servers (potentially outside the UK) and reference the safeguards in place. Fourth, list the GA4 cookies and their retention periods. Fifth, explain how users can opt out. You should also ensure your cookie consent mechanism blocks GA4 scripts until the user provides consent.
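As an added example (not from the original page), a small JavaScript consent gate for GA4 that starts in the denied state, loads gtag.js only after an explicit grant, and supports withdrawal as easily as the original consent. The `createGa4ConsentGate` name, the injected `loadScript` callback and the placeholder measurement ID are assumptions made so the logic runs outside a browser; the `gtag('consent', ...)` calls are Google's Consent Mode API.

```javascript
// Added example, not the page's own code. Hypothetical helper names throughout.
const GA4_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, not a real property ID

function createGa4ConsentGate({ loadScript, dataLayer = [] }) {
  let scriptLoaded = false;

  // Same shape as Google's gtag(): every call is pushed onto dataLayer.
  function gtag() { dataLayer.push(arguments); }

  // Consent Mode default: declared before any tag can run, so that even a
  // mis-ordered script load starts with analytics cookies denied.
  gtag('consent', 'default', { analytics_storage: 'denied', ad_storage: 'denied' });

  // Called when the user accepts analytics cookies in the consent banner.
  function grant() {
    gtag('consent', 'update', { analytics_storage: 'granted' });
    if (!scriptLoaded) {
      // gtag.js is fetched once, and only after an explicit grant.
      loadScript(`https://www.googletagmanager.com/gtag/js?id=${GA4_MEASUREMENT_ID}`);
      gtag('js', new Date());
      gtag('config', GA4_MEASUREMENT_ID);
      scriptLoaded = true;
    }
  }

  // Withdrawal: a single call, exposed from the same settings the user consented in.
  function withdraw() {
    gtag('consent', 'update', { analytics_storage: 'denied' });
  }

  // Derive the current analytics_storage state by replaying the dataLayer.
  function state() {
    let current = 'denied';
    for (const args of dataLayer) {
      if (args[0] === 'consent' && args[2] && args[2].analytics_storage) {
        current = args[2].analytics_storage;
      }
    }
    return { analyticsStorage: current, scriptLoaded };
  }

  return { grant, withdraw, state, dataLayer };
}
```

Updating consent to denied stops further collection but does not by itself delete GA4 cookies already set, so a complete consent mechanism also clears them on withdrawal.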