Data Processing Notice Template for England and Wales
What is a Data Processing Notice?
A Data Processing Notice is required whenever an organization processes personal data in England and Wales. This document fulfills the transparency obligations under the UK GDPR and Data Protection Act 2018, providing data subjects with clear information about how their personal data is handled. It must be provided at the time personal data is collected and should be easily accessible, written in clear language, and contain all information required by Articles 13 and 14 of the UK GDPR. The notice forms a crucial part of an organization's data protection compliance framework.
Frequently Asked Questions
Is a Data Processing Notice legally required under UK GDPR in England and Wales?
Yes, a Data Processing Notice is legally required under Articles 13 and 14 of the UK GDPR and the Data Protection Act 2018 in England and Wales. You must provide this notice to data subjects when collecting their personal data to fulfill your transparency obligations. Failure to provide this notice can result in significant fines from the Information Commissioner's Office (ICO).
Can I be fined for not having a proper Data Processing Notice in England and Wales?
Yes, the ICO can impose fines up to £17.5 million or 4% of annual global turnover (whichever is higher) for failing to provide adequate transparency information under UK GDPR. Even incomplete or inadequate notices can result in enforcement action. The ICO considers transparency failures serious breaches that undermine individuals' data protection rights.
How is a Data Processing Notice different from a Privacy Policy under UK law?
A Data Processing Notice is specifically required under Articles 13 and 14 of UK GDPR and must be provided at the point of data collection, containing mandatory information like lawful basis and retention periods. A Privacy Policy is broader, often covering website use and cookies, and can be accessed separately. The Data Processing Notice has stricter legal requirements and timing obligations under UK data protection law.
How long does it typically take to prepare a compliant Data Processing Notice?
For straightforward data processing activities, creating a Data Processing Notice typically takes 2-4 hours using a template. More complex processing involving multiple lawful bases, international transfers, or sensitive data can take 1-2 days. Factor in additional time for internal review and ensuring all mandatory UK GDPR elements are accurately included.
Must I include specific lawful basis information in my Data Processing Notice under UK GDPR?
Yes, UK GDPR Article 13 requires you to specify the lawful basis for processing (such as consent, contract, or legitimate interests) in your Data Processing Notice. You must clearly explain which of the six lawful bases applies to each processing purpose. For legitimate interests, you must also explain what those interests are and why they override the individual's rights.
Can I use the same Data Processing Notice for employees and customers in England and Wales?
Generally no, as employee and customer data processing typically involves different lawful bases, purposes, and retention periods under UK employment and commercial law. Employee data processing often relies on contract or legal obligation bases, while customer processing may use consent or legitimate interests. Create separate notices or clearly differentiated sections to ensure accuracy and compliance.
When exactly must I provide the Data Processing Notice to individuals under UK law?
Under UK GDPR Articles 13 and 14, you must provide the Data Processing Notice at the time you collect personal data directly from the individual, or within one month if you obtain data from other sources. For website users, this means providing the notice before or during data collection, not after. The notice must be easily accessible and provided in clear, plain language.
About the Data Processing Notice
A Data Processing Notice is a fundamental document required under England and Wales data protection law that informs individuals about how their personal data is collected, used, and protected. This transparency document ensures your organization complies with the UK GDPR and Data Protection Act 2018 by providing clear information to data subjects about your data processing activities.
When do you need this document?
You must provide a Data Processing Notice whenever you collect personal data from individuals, whether directly or indirectly. This applies when customers fill out forms on your website, employees provide personal information during recruitment, clients sign contracts that involve data processing, or when you obtain personal data from third-party sources. The notice must be provided at the point of data collection or within one month if data is obtained from other sources. Without this notice, your organization risks significant ICO fines and enforcement action for failing to meet transparency obligations.
Key legal considerations
Your Data Processing Notice must contain specific information required by Articles 13 and 14 of the UK GDPR. This includes your identity as data controller, the types of personal data being processed, the purposes and legal bases for processing, data retention periods, and information about data subject rights. You must also disclose any third-party recipients of the data, international transfers, and your contact details. The notice should be written in plain English, easily accessible, and provided free of charge. If you change your processing activities, you must update the notice and inform affected data subjects. Consider including information about automated decision-making, profiling activities, and the source of data if not collected directly from individuals.
Legal requirements in England and Wales
Under the UK GDPR and Data Protection Act 2018, Data Processing Notices must comply with strict transparency requirements enforced by the Information Commissioner's Office (ICO). The notice must be provided before or at the time of data collection, with specific timeframes for indirect collection scenarios. Your organization must ensure the information is presented in a concise, transparent, and easily understandable format, using clear and plain language appropriate for your audience. The ICO's guidance emphasizes layered privacy notices for complex processing activities, allowing individuals to access detailed information when needed. Failure to provide adequate transparency information can result in administrative fines of up to 4% of annual global turnover or £17.5 million, whichever is higher, plus potential enforcement orders and reputational damage.
GOVERNING LAW
Applicable law
This Data Processing Notice is drafted to comply with England and Wales law. Key legislation includes:
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it