GDPR Privacy Notice Requirements for SaaS Companies
Complete guide to GDPR privacy notice requirements. Covers Articles 13 and 14, mandatory elements, SaaS best practices, layered notices, common mistakes, and how to keep your privacy notice current.
GRCTrail Team
Your privacy notice is the most visible artifact of your GDPR compliance program. It’s the document your users, customers, and employees actually read (or at least scroll through). It’s what regulators check first. And it’s where the gap between what you say you do and what you actually do becomes uncomfortably visible.
GDPR’s transparency principle — enshrined in Articles 12, 13, and 14 — requires you to tell people clearly, concisely, and in plain language what you do with their personal data. A privacy notice isn’t a legal formality you write once and forget. It’s a living document that must accurately reflect your current processing activities, updated whenever those activities change.
For SaaS companies, privacy notices are particularly nuanced. You likely have multiple audiences (website visitors, free trial users, paying customers, enterprise clients, employees) and multiple types of processing happening simultaneously. This guide walks through the mandatory elements, best practices for SaaS, and how to keep your notice accurate as your product evolves.
Privacy Notice vs. Privacy Policy
These terms are often used interchangeably, but they mean different things:
- Privacy notice (external-facing): The information you provide to data subjects about how you process their personal data. This is what GDPR regulates under Articles 13 and 14. It faces outward — it’s for the people whose data you process.
- Privacy policy (internal-facing): Your organization’s internal rules and procedures for handling personal data. This is an operational document for your team — it governs how employees should collect, store, share, and delete personal data.
GDPR specifically requires the notice, not the policy. When we talk about “what must be on your website,” we’re talking about the privacy notice. The internal policy supports it but isn’t what gets published.
What Must a Privacy Notice Include?
When You Collect Data Directly — Article 13
When you collect personal data directly from the data subject (sign-up forms, contact forms, cookie consent, account creation), your privacy notice must include all of the following at the time of collection:
1. Identity and contact details of the controller. Your company name, registered address, and a way to contact you about data protection matters. If you’re part of a group of companies, clarify which entity is the controller.
2. DPO contact details. If you’ve appointed a Data Protection Officer, provide their contact information. This can be a generic email address (dpo@company.com) rather than a named individual.
3. Purposes and lawful basis for processing. For each category of processing, state what you’re doing with the data and which lawful basis you rely on. Don’t bundle everything under one vague purpose — be specific. “To provide the service you requested” is a purpose. “To send you marketing emails” is a different purpose with potentially a different lawful basis.
4. Legitimate interests (if applicable). If you rely on legitimate interest as your lawful basis for any processing activity, you must describe what that legitimate interest is. “Product improvement” isn’t specific enough. “Analyzing aggregated usage patterns to identify and fix usability issues” is better.
5. Recipients or categories of recipients. Who do you share personal data with? Name specific categories: cloud hosting providers, payment processors, email marketing platforms, analytics services, customer support tools. You don’t necessarily need to name every vendor, but the categories should be meaningful — “third parties” alone is too vague.
6. International transfers and safeguards. If personal data is transferred outside the EEA, state which countries and what safeguards are in place. Reference the specific mechanism: adequacy decision, Standard Contractual Clauses, EU–US Data Privacy Framework. See our international data transfers guide for details.
7. Retention periods. How long do you keep each category of data? Provide specific periods or the criteria used to determine them. “As long as necessary” fails the transparency test. “For the duration of your account plus 30 days” is transparent. Our data retention guide helps you define these periods.
8. Data subject rights. Inform people of their rights under GDPR: access, rectification, erasure, restriction of processing, data portability, and objection. Explain how they can exercise these rights (email address, in-app settings, a dedicated request form).
9. Right to withdraw consent. If any processing is based on consent, you must inform people that they can withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Tell them how to withdraw (unsubscribe link, account settings, contacting you).
10. Right to lodge a complaint. Data subjects have the right to complain to a supervisory authority. You should name the relevant authority (or authorities, if you operate across multiple EU member states) and provide their contact details or website.
11. Statutory or contractual requirement. State whether providing personal data is a legal or contractual requirement, whether the data subject is obligated to provide it, and the consequences of not providing it. For a SaaS sign-up, this might be: “Providing your email address is necessary to create an account. Without it, we cannot provide the service.”
12. Automated decision-making and profiling. If you make decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, you must inform data subjects of that fact, the logic involved, and the significance and consequences. For most SaaS companies, this applies if you use automated credit scoring, fraud detection that blocks access, or algorithmic content moderation.
When Data Isn’t Collected Directly — Article 14
When you obtain personal data from a source other than the data subject — from a business partner, a data broker, a public source, or from your customer (as a processor being asked to provide controller-level transparency) — Article 14 adds:
- The source of the data — Where did you get it? Name the specific source or category of source.
- The categories of personal data — Since you didn’t collect it from the person directly, they may not know what data you have. Be explicit.
Article 14 information must be provided within a reasonable period after obtaining the data, and no later than one month. If you plan to use the data to communicate with the person, provide the notice at the latest when the first communication occurs.
Privacy Notice Best Practices for SaaS
Use Layered Notices
A single, monolithic privacy notice that covers every processing activity in dense legal prose is technically compliant but practically useless. Nobody reads it, which defeats the transparency purpose.
Layered notices solve this. The approach:
- Layer 1: Short notice. A brief summary highlighting the most important information — who you are, what you collect, why, and how to contact you. This appears at the point of data collection (sign-up page, cookie banner).
- Layer 2: Full notice. The comprehensive privacy notice with all Article 13/14 elements. Linked from the short notice for anyone who wants the details.
- Layer 3: Just-in-time notices. Contextual notices that appear when specific processing occurs — e.g., when enabling a new feature that uses location data, when activating an integration, or when a user first encounters analytics tracking.
Write in Plain Language
Article 12 requires that privacy information be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language.” This isn’t aspirational — it’s mandatory.
Guidelines:
- Use short sentences. Aim for a reading level accessible to a general audience.
- Avoid legal jargon. “We” and “you” are better than “the controller” and “the data subject.”
- Explain technical concepts. If you mention “Standard Contractual Clauses,” briefly explain what they are.
- Use headings and bullet points. Make the notice scannable.
- Test readability. Tools like the Flesch-Kincaid readability test give you an objective measure.
Provide Just-in-Time Notices at Collection Points
Don’t rely solely on a privacy notice page buried in your website footer. When you collect data, tell people right there:
- Sign-up forms: Brief text explaining what you’ll do with their email and linking to the full notice.
- Cookie consent: Clear explanation of which cookies you use and why, with granular controls.
- Feature activation: When a user enables a feature that introduces new data processing (e.g., connecting a third-party integration), explain what data will be shared and with whom.
- Support interactions: If you record support calls or retain chat transcripts, inform users at the start.
Handle Multi-Product Notices Thoughtfully
If your company offers multiple products or services, decide whether to:
- Maintain a single notice that covers everything (simpler to maintain but potentially overwhelming)
- Create product-specific notices (more relevant to each user but more to manage)
- Use a modular approach (a common base notice with product-specific addendums)
The right approach depends on how different your products’ data processing is. If they share infrastructure and vendors, a single notice with product-specific sections usually works. If they’re fundamentally different, separate notices may be clearer.
Version and Communicate Changes
When your privacy notice changes, GDPR doesn’t specify an exact notification procedure, but good practice includes:
- Maintaining a version history with dates and a summary of changes
- Notifying users of material changes via email or in-app notification
- Giving users a reasonable period to review changes before they take effect
- Keeping previous versions accessible for reference
Common Privacy Notice Mistakes
Copy-pasting from another company. This is disturbingly common — and it guarantees inaccuracy. Your privacy notice must reflect your processing, not someone else’s. If your notice mentions data processing activities you don’t perform, or omits ones you do, it fails the accuracy test.
Not updating when processing changes. You launch a new feature that collects geolocation data. You switch analytics providers. You expand to a new market. Each of these should trigger a privacy notice review. The notice that was accurate six months ago may not be accurate today.
Missing required information. The most commonly omitted elements: retention periods, specific lawful bases for each purpose, legitimate interest descriptions, international transfer mechanisms, and automated decision-making disclosures. Check every mandatory element against your notice.
Burying the notice behind multiple clicks. Your privacy notice should be accessible from any page on your website — typically via a footer link. If users need to navigate through multiple pages to find it, you’re not meeting the “easily accessible” requirement.
Using vague, catch-all language. “We may share your data with third parties for business purposes” tells the reader nothing. Who are these third parties? What business purposes? The more specific your notice, the more transparent — and the more trustworthy — you appear.
Not covering all data sources. Your website collects data. Your product collects data. Your marketing campaigns collect data. Your sales team collects data. Your HR department collects data. Your privacy notice needs to address all of these — or you need separate notices for separate audiences (employees, customers, website visitors).
Keeping Your Privacy Notice Up to Date
Triggers for Review
Set up a process so that privacy notice reviews happen automatically when:
- A new vendor is onboarded that processes personal data
- A new product feature collects or processes new types of data
- You enter a new geographic market
- A data subject right process changes
- Your lawful basis for a processing activity changes
- A supervisory authority issues relevant guidance
- Your company undergoes a merger, acquisition, or restructuring
Review Cadence
Beyond trigger-based reviews, schedule regular check-ups:
- Quarterly: Quick scan to verify accuracy against current processing
- Annually: Comprehensive review with input from product, engineering, marketing, and legal teams
Documentation
Keep a record of every privacy notice version, the changes made, the reason for the changes, and the date the update was published. This demonstrates accountability and helps you track how your processing has evolved over time.
How GRCTrail Monitors Privacy Notices
GRCTrail helps you keep your privacy notice aligned with your actual processing:
Privacy notice monitoring. Track your published privacy notice against your ROPA and processing activities. When your processing changes, GRCTrail flags potential inconsistencies that need a notice update.
Change detection alerts. Get notified when your privacy notice needs attention — whether due to a new vendor, a new data type, or a changed lawful basis.
Connected to your ROPA. Your privacy notice and your Record of Processing Activities should tell the same story. GRCTrail keeps them linked so discrepancies are visible immediately.
Related Guides
- GDPR Compliance Checklist — The full compliance framework
- Consent Management — When and how to collect consent
- Records of Processing Activities (ROPA) — Documenting your processing
- The Six Lawful Bases — Choosing the right legal ground
- DPO Role and Requirements — When you need a Data Protection Officer