The GDPR requires that data controllers provide information to data subjects about the personal data which they collect and process. This template has been drafted to assist with the disclosure obligations in relation to individual customers and the personnel of corporate customers.
The notice lays out the different types of personal data that could be processed, and the legal basis of that proceeding in relation to each category of personal data. For example, processing may be based on consent, the performance of a contract, or legitimate interests. In this last case, the specific interests should be identified in the notice.
If data is collected from some person other than the data subject, then the method of data collection should be described. In this case, the data controller must provide the notice to the data subject "within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed" (Article 14(3), GDPR).
The people to whom the data is disclosed to should also be identified in the notice, as should details of international transfers (outside the EEA).