UK Privacy Notice — UK GDPR + DPA 2018
Drafting reference for UK GDPR privacy notices — DPA 2018, ICO guidance, lawful bases, data subject rights, Age Appropriate Design Code, IDTA, PECR.
The privacy notice is the central transparency document required by the UK General Data Protection Regulation. It tells data subjects who is processing their personal data, why, on what lawful basis, with whom it is shared, for how long it is kept, and how data subject rights may be exercised. Article 5(1)(a) of the UK GDPR makes lawfulness, fairness and transparency a principle of processing; Articles 12-14 operationalise that principle through enforceable disclosure obligations. Failure to provide a notice meeting Articles 13 or 14 is itself a UK GDPR infringement and exposes the controller to the higher tier of administrative fines under Article 83(5) — up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher.
This page is the drafting reference for a UK-facing privacy notice. See Cookies Policy for the PECR overlay on device-storage and tracking technologies and Consumer Contract Terms for the contractual layer.
Applicable Law
UK GDPR. The United Kingdom’s general data-protection regime is the retained Regulation (EU) 2016/679 — referred to in domestic law as the “UK GDPR” — as it applied immediately before IP completion day on 31 December 2020. The retention was effected by the European Union (Withdrawal) Act 2018 and the territorial and substantive amendments necessary to make the retained Regulation operate in a UK-only context were made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) and the 2020 Regulations (SI 2020/1586). With effect from 1 January 2021 the UK has its own free-standing data-protection regime, supervised by the Information Commissioner’s Office under Part 5 of the DPA 2018.
Data Protection Act 2018. The DPA 2018 supplements the UK GDPR (Part 2), implements derogations and exemptions including the age 13 threshold for information society services consent (s.9), provides separate regimes for law-enforcement processing (Part 3) and intelligence-services processing (Part 4), establishes the Information Commissioner and her enforcement powers (Part 5 and Part 6), and creates a number of criminal offences for unlawful obtaining or re-identification of personal data (Part 7).
PECR. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) overlay the UK GDPR for electronic-marketing and device-storage matters — cookies and similar tracking technologies (reg 6), unsolicited marketing email (reg 22), unsolicited marketing calls (reg 21), automated marketing calls (reg 19). Where PECR sets a higher standard than the UK GDPR (for example, opt-in consent for non-essential cookies regardless of personal-data content), PECR governs.
Information Commissioner. The Information Commissioner is the supervisory authority under Part 5 of the DPA 2018. The ICO maintains extensive published guidance on UK GDPR application that, while not binding, is the practical reference standard for the regulator’s expectations. Civil enforcement powers include information notices, assessment notices, enforcement notices, and monetary penalty notices. The two-tier penalty structure mirrors the EU GDPR: up to £8.7m or 2% global turnover under Article 83(4) for processor and record-keeping breaches, up to £17.5m or 4% global turnover under Article 83(5) for breaches of the basic principles, lawful-basis requirements, data-subject rights, and international-transfer rules.
Territorial Scope
Article 3 of the UK GDPR (as amended by SI 2019/419) applies the Regulation to processing by a controller or processor established in the United Kingdom, regardless of where the processing actually occurs, and to processing of personal data of data subjects in the United Kingdom by a controller or processor not established in the UK where the processing relates to (a) the offering of goods or services to data subjects in the UK or (b) the monitoring of their behaviour as far as that behaviour takes place in the UK. Non-UK controllers caught by Article 3(2) must designate a UK representative under Article 27 unless an exemption applies.
The cumulative effect post-Brexit is that a single online service offered to both UK and EU residents will typically be subject to both the UK GDPR (by Article 3(2) UK GDPR) and the EU GDPR (by Article 3(2) EU GDPR), requiring parallel compliance, parallel representative designations (Article 27 UK + Article 27 EU), and notification routes to both the ICO and the lead EU supervisory authority.
Form Requirements
The privacy notice is an electronic document published on the controller’s website, typically at /privacy, /privacy-policy, or /privacy-notice, linked from every page footer and at every collection surface where personal data is collected (account-signup form, contact form, newsletter sign-up, checkout). For mobile applications the notice must be reachable from the app-store listing and from within the application, in line with platform developer policies and the ICO’s general accessibility expectation that notices be “concise, transparent, intelligible and easily accessible” (Article 12(1)).
There is no statutory frequency requirement for review, but ICO guidance recommends regular review — at least annually and on every material change in processing operations or vendor relationships. The date of last update should be prominently disclosed at the top of the notice, and material changes should be communicated to data subjects contemporaneously through email, in-product banner, or login-page modal.
Article 12(1) requires that information be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”. A “layered” notice — a short summary at the collection surface plus a hyperlink to the full notice — is permitted by ICO guidance and is now the prevailing convention. Where the controller offers a service in multiple languages the notice should be provided in each language in which the service is offered.
Required Information — Article 13 (Data Collected From the Data Subject)
Where the controller collects personal data directly from the data subject, Article 13 requires the following information to be provided at the time of collection:
- Identity and contact details of the controller — full legal name, registered office address, company number where applicable. If the controller has appointed a UK representative under Article 27, the representative’s contact details must also be provided.
- Contact details of the Data Protection Officer where one is appointed under Article 37 — public contact (not the DPO’s personal details). DPO appointment is mandatory for public authorities, controllers whose core activities consist of regular and systematic monitoring of data subjects on a large scale, and controllers processing special-category or criminal-offence data on a large scale (Article 37(1)).
- Purposes of the processing and the lawful basis — each separate purpose, mapped to the Article 6 lawful basis on which it relies (consent, contract, legal obligation, vital interests, public task, legitimate interests). Where special-category data is processed, the additional Article 9 condition must also be disclosed; where criminal-offence data is processed, the Schedule 1 DPA 2018 condition.
- Legitimate interests pursued where the lawful basis is Article 6(1)(f) — specific interests, not a generic recital. The legitimate-interests assessment (LIA) is good practice and ICO-recommended; not all of it need appear in the public notice but a summary of the balancing exercise is appropriate.
- Recipients or categories of recipients of the personal data — processors providing infrastructure, analytics, payment, support, advertising; controllers receiving data through transfer (joint controllers, group companies); recipients in regulated disclosures (HMRC, FCA, ICO, police).
- International transfers outside the UK — destination country, the transfer mechanism relied upon (adequacy decision, IDTA, UK Addendum, BCRs, Article 49 derogation), and a means by which the data subject can obtain a copy of the safeguards.
- Retention period or criteria used to determine that period — specific durations where possible (“six years from end of last financial year for accounting records”; “two years from last account activity for marketing profiles”; “indefinitely while the account remains active”).
- Data subject rights — access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), objection (Article 21), withdrawal of consent (Article 7(3)) where consent is the basis, complaint to the ICO (Article 77).
- Statutory or contractual requirement to provide data — whether providing the data is a statutory or contractual requirement, whether the data subject is obliged to provide the data, and the consequences of failure to provide.
- Automated decision-making including profiling that produces legal or similarly significant effects on the data subject (Article 22) — the existence of such processing, meaningful information about the logic involved, and the significance and envisaged consequences.
Where personal data is collected for a new purpose different from the original purpose, Article 13(3) requires the controller to provide information about that new purpose, plus the other Article 13(2) items, prior to the further processing.
Required Information — Article 14 (Data Not Collected From the Data Subject)
Where personal data is not obtained directly from the data subject — for example, data acquired from a data broker, a credit-reference agency, a public register, or a referrer — Article 14 applies. The information to be provided is substantially the same as Article 13 with two additions: (a) the categories of personal data concerned must be disclosed (Article 14(1)(d)), and (b) the source of the personal data and whether it came from publicly accessible sources must be disclosed (Article 14(2)(f)).
The information must be provided within a reasonable period of obtaining the data and at latest within one month (Article 14(3)(a)); or, if used to communicate with the data subject, at the time of the first communication (Article 14(3)(b)); or, if disclosure to another recipient is envisaged, at the time of first disclosure (Article 14(3)(c)).
Limited exemptions in Article 14(5) apply where (i) the data subject already has the information, (ii) provision proves impossible or would involve a disproportionate effort (subject to safeguards), (iii) obtaining or disclosure of the data is expressly laid down by law, or (iv) the data is subject to an obligation of professional secrecy. Reliance on the disproportionate-effort exemption is narrow and should be supported by a documented assessment.
Lawful Bases — Article 6
Every processing operation must rely on at least one of the six Article 6 lawful bases. The chosen basis must be identified before processing begins, must be fairly disclosed in the privacy notice, and cannot be swapped retroactively if the original basis fails.
- Consent (Article 6(1)(a)) — freely given, specific, informed, unambiguous indication by a statement or clear affirmative action (Article 4(11)). Withdrawable at any time without detriment (Article 7(3)). Pre-ticked boxes and opt-out designs fail the standard. Consent is the appropriate basis for non-essential cookies (under PECR reg 6 overlay), opt-in marketing communications, and processing of special-category data where another Article 9 condition is unavailable.
- Contract (Article 6(1)(b)) — processing necessary for the performance of a contract to which the data subject is a party, or pre-contractual steps taken at the data subject’s request. “Necessary” is read strictly — bundling unrelated processing into a contract does not bring it within Article 6(1)(b).
- Legal obligation (Article 6(1)(c)) — processing necessary to comply with a legal obligation to which the controller is subject under UK law. Tax-record retention (Finance Acts), Companies Act recordkeeping, AML obligations (MLR 2017), and statutory disclosures to regulators are typical examples.
- Vital interests (Article 6(1)(d)) — processing necessary to protect the vital interests of the data subject or another natural person. Effectively limited to life-threatening situations.
- Public task (Article 6(1)(e)) — processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Used principally by public authorities under DPA 2018 s.8.
- Legitimate interests (Article 6(1)(f)) — processing necessary for the legitimate interests of the controller or a third party, except where overridden by the interests, fundamental rights or freedoms of the data subject. Requires a documented three-part balancing test: purpose, necessity, balance. Not available to public authorities for their official tasks. The legitimate-interests basis is the workhorse for fraud-prevention, network security, internal administration, and direct marketing to existing customers (subject to PECR opt-in rules for the electronic-marketing surface).
Special-Category Data — Article 9
Article 9 prohibits processing of “special categories of personal data” — racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation — except where one of the Article 9(2) conditions applies. The most commercially significant are explicit consent (Article 9(2)(a)), processing necessary for employment, social-security or social-protection law (Article 9(2)(b)), vital interests of a person physically or legally incapable of giving consent (Article 9(2)(c)), data manifestly made public by the data subject (Article 9(2)(e)), and substantial public interest with a basis in UK law and appropriate safeguards (Article 9(2)(g)).
DPA 2018 Schedule 1 enumerates the conditions for Article 9(2)(b), (g), (h), (i) and (j) and adds Appropriate Policy Document requirements for several of them (Schedule 1 Part 4). Where the controller processes special-category data, the privacy notice must disclose both the Article 6 basis and the Article 9 condition.
Criminal-Offence Data — Article 10
Personal data relating to criminal convictions and offences may only be processed under the control of official authority or where authorised by UK law providing appropriate safeguards. DPA 2018 s.10 and Schedule 1 set out the available conditions, which include consent, employment law, vital interests, judicial acts, fraud prevention, and a number of substantial-public-interest conditions. Appropriate Policy Document requirements apply.
Data Subject Rights — Articles 15-22
The UK GDPR confers a non-exhaustive set of rights on data subjects, exercised against the controller. The privacy notice must enumerate each applicable right and provide a mechanism for exercising it. Responses are due within one month of receipt of the request, extendable by a further two months for complex or numerous requests (Article 12(3)).
- Right of access (Article 15) — also known as the subject access request (SAR). A copy of the personal data, plus the Article 15(1) information (similar in scope to Article 13/14 but for the specific data subject). A first copy must be provided free of charge; reasonable fees may be charged for further copies (Article 15(3)). Manifestly unfounded or excessive requests may be refused or charged a reasonable fee (Article 12(5)).
- Right to rectification (Article 16) — correction of inaccurate personal data and completion of incomplete data.
- Right to erasure (Article 17) — also “right to be forgotten”. Available where the data is no longer necessary, the data subject withdraws consent and no other basis applies, the data subject objects under Article 21 and there are no overriding legitimate grounds, the data has been unlawfully processed, erasure is required for compliance with a legal obligation, or the data was collected from a child in relation to an information-society service. Several exemptions apply (Article 17(3)) including freedom of expression, legal claims, and public-health/public-interest research.
- Right to restriction (Article 18) — temporary marking of data while a dispute is resolved.
- Right to portability (Article 20) — transfer of data the data subject has provided to the controller, where processing is based on consent or contract and is carried out by automated means, in a structured, commonly used and machine-readable format.
- Right to object (Article 21) — applies to processing based on legitimate interests (Article 6(1)(f)) or public task (Article 6(1)(e)). For direct marketing, the right to object is absolute (Article 21(2)-(3)) and must be honoured without further balancing.
- Right not to be subject to automated decision-making (Article 22) — a decision based on automated processing, including profiling, that produces legal effects or similarly significant effects. Three exceptions: necessary for a contract, authorised by law with safeguards, based on explicit consent.
A data subject also has the right to complain to the Information Commissioner under Article 77 and the right to judicial remedy against a controller or processor (Article 79) or against the supervisory authority (Article 78).
Children’s Data
DPA 2018 s.9 sets the age threshold for valid consent to an information-society service offered directly to a child at 13 years — lower than the EU GDPR default of 16. Below that age, parental consent is required and reasonable efforts must be made to verify that consent (Article 8 UK GDPR + DPA 2018 s.9).
The ICO Age Appropriate Design Code — also called the Children’s Code — is a statutory code of practice under DPA 2018 s.123. It applies to information-society services “likely to be accessed by” children and prescribes fifteen standards including high default privacy settings, data minimisation, profiling restrictions, geolocation-default-off, and parental-controls transparency. The Code has been in force since 2 September 2021 (12-month transition from publication on 2 September 2020). The ICO treats the Code as a key benchmark for its child-protection enforcement priorities.
International Transfers
Chapter V of the UK GDPR (Articles 44-50) governs transfers of personal data to countries outside the United Kingdom. The 2019 and 2020 EU Exit Regulations adapted the chapter for UK use.
Adequacy regulations under Article 45 / DPA 2018 s.17A — the UK has confirmed the adequacy of every country and territory that benefits from an EU Commission adequacy decision (including the EEA, Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, and Uruguay). The UK-US Data Bridge — laid before Parliament as the Data Protection (Adequacy) (United States of America) Regulations 2023 and the corresponding extension of the EU-US Data Privacy Framework — provides an adequacy regulation for transfers to certified US organisations with effect from 12 October 2023.
Article 46 safeguards — where no adequacy decision applies. The principal instruments are:
- International Data Transfer Agreement (IDTA) — the standalone UK transfer agreement published by the ICO and in force from 21 March 2022.
- UK Addendum to the EU SCCs — the bolt-on addendum permitting use of the 4 June 2021 EU Commission Standard Contractual Clauses for UK transfers, also in force from 21 March 2022.
- Binding Corporate Rules (BCRs) approved by the ICO under Article 47.
Article 49 derogations for specific situations — explicit consent, contract performance, important public-interest reasons, legal claims, vital interests, public-register transfers. Derogations are interpreted strictly and cannot serve as a routine transfer mechanism.
Following the Court of Justice’s Schrems II judgment (C-311/18), retained as UK law, exporters relying on Article 46 safeguards must conduct a Transfer Risk Assessment (TRA) to assess whether the destination country’s law and practice provides essentially equivalent protection and, where necessary, implement supplementary measures (technical, contractual, organisational). The ICO has published a TRA tool to support this assessment.
Direct Marketing — UK GDPR + PECR
Direct marketing rules are layered. The UK GDPR governs the personal-data processing aspect, requiring a lawful basis (consent or legitimate interests) and disclosure in the privacy notice. PECR governs the electronic-channel aspect with stricter consent rules:
- Reg 22 PECR — unsolicited marketing email or SMS to individual subscribers requires prior opt-in consent. The “soft opt-in” exemption applies to existing customers who provided their contact details in the context of the sale of a product or service, where the marketing relates to similar products and services and the data subject was given a simple opt-out at collection and at every subsequent message.
- Reg 21 PECR — unsolicited live marketing calls require opt-in consent or screening against the Telephone Preference Service.
- Reg 19 PECR — fully-automated marketing calls require prior opt-in consent in every case.
The Article 21 UK GDPR absolute right to object to direct marketing also applies — at any time, free of charge, and without justification.
Enforcement and Recent Cases
The Information Commissioner has issued substantial monetary penalty notices since the UK GDPR came into force:
- Clearview AI Inc — £7,552,800 penalty notice, 18 May 2022, for unlawful scraping of UK residents’ images for a facial-recognition database (penalty subsequently set aside on jurisdictional grounds by the First-tier Tribunal in October 2023; the ICO appealed to the Upper Tribunal).
- British Airways — £20 million, 16 October 2020, for failure to implement appropriate security measures resulting in the 2018 web-skimming breach affecting more than 400,000 customers.
- Marriott International Inc — £18.4 million, 30 October 2020, for failure to safeguard data in the post-Starwood acquisition processing environment.
- TikTok Information Technologies UK Limited — £12.7 million, 4 April 2023, for unlawful processing of UK children’s personal data and failure to provide a child-appropriate privacy notice under the Children’s Code.
A Data Protection and Digital Information Bill was introduced in 2022-23 and would have made a number of reforms to the UK regime (simpler legitimate-interests recognition, replacement of DPO with Senior Responsible Individual, expanded research provisions). The Bill fell with the dissolution of Parliament in May 2024 ahead of the July 2024 General Election. Revival of some elements in a successor data-reform Bill is anticipated.
Sample Privacy-Notice Structure
A compliant UK privacy notice typically follows this structure:
- Last updated: [Date]. Summary of material changes.
- Who we are. Controller legal name, registered office, company number, contact email, postal address. UK representative details where applicable. DPO contact details where appointed.
- What personal data we collect, from where, and for what purposes. Categories of data × sources × purposes × Article 6 lawful basis (and Article 9 / DPA Schedule 1 condition where applicable).
- Who we share your data with. Categories of recipients — processors, joint controllers, regulators, professional advisers.
- International transfers. Destinations and transfer mechanism (adequacy, IDTA, Addendum to SCCs, BCR, Article 49 derogation).
- How long we keep your data. Per-category retention periods or criteria.
- Your rights. Each enumerated UK GDPR right, the mechanism for exercising it, the response timeframe, the right to complain to the ICO.
- Children’s data. Where the service is likely to be accessed by children, the Children’s Code disclosures (parental-consent mechanism, default settings, profiling, geolocation).
- Cookies and similar technologies. Cross-reference to the cookies policy.
- Marketing and electronic communications. Lawful basis, channels, opt-out mechanism, PECR position.
- Security. Summary of technical and organisational measures (encryption, access controls, audit logging, vendor due diligence).
- Changes to this notice. How material changes will be communicated.
- Complaints. ICO contact details — postal address Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; helpline 0303 123 1113; webform.
Bibliography
- Retained Regulation (EU) 2016/679 (UK GDPR)
- Data Protection Act 2018
- SI 2019/419 — Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
- SI 2020/1586 — Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020
- SI 2003/2426 — Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
- ICO — UK GDPR guidance and resources
- ICO — Age Appropriate Design Code (Children’s Code)
- ICO — International Data Transfer Agreement and UK Addendum
- Schrems II — Case C-311/18 (retained EU case law)
Cross-references
- Cookies Policy — PECR overlay on device-storage and tracking
- Website Terms of Use — companion contractual document
- Consumer Contract Terms — CRA 2015 + Consumer Contracts Regulations 2013
- Accessibility Statement — Equality Act + PSBAR companion
- English contract law basics — common-law fundamentals
- Standard boilerplate clauses — recurring contractual provisions
Disclaimer: Handbook content is informational, not legal advice. UK data-protection law is actively reformed and the ICO’s published guidance evolves on a rolling basis. Always consult a solicitor admitted in England and Wales or a privacy specialist regulated by the ICO for binding decisions about your specific processing operations. Last verified 2026-05-11.