Fair processing notices and best practice
Unlike the Directive, the GDPR specifies methods for informing data subjects, so fair processing notices (privacy notices) remain the convenient way to comply. Good notices are concise, transparent, easily accessible, intelligible (clear and plain language), and accurate and up to date. Best practice includes layered notices (key information first, detail behind links), just-in-time notices, privacy dashboards, and alternative formats or icons for difficult contexts like the Internet of Things. Even when layering, the WP29 says the entirety of the information should also be available in one single place, and anything that must be explicitly brought to attention must not be buried in a lower layer.
- Concise: separate content into headed sections, use short sentences, and adopt a layered approach.
- Transparent: genuine, open, honest and not misleading; never imply a choice that does not exist; spell out risks and important consequences.
- Easily accessible: clear where the information is; subjects should not have to hunt for it among other content.
- Intelligible / clear and plain language: avoid jargon; vague labels like 'for research purposes' or 'to develop new services' are not sufficient; justify indefinite words like 'may'.
- Accurate and up to date: review regularly.
- Tools: layered notices, just-in-time notices, privacy dashboards, alternative formats/icons, and context-specific methods for drones, CCTV and the Internet of Things.
The WP29 says the first layer should include the purpose of processing, the controller's identity, the rights granted by the GDPR, and any processing that could surprise or impact the data subject - and should signpost where the rest can be found. But the full information must also be available in one single place, and anything that must be explicitly brought to attention must not be buried in a lower layer.
Effective notices bring commercial benefits too: more trust and customer loyalty, more and better data willingly shared, and fewer complaints and disputes. For challenging technologies the WP29 suggests practical steps: for drones, signage and a clearly visible operator; for devices, hard-copy information, a QR code, embedded setup videos, or SMS/email links.