Accessibility statement

Drafting GDPR compliant privacy notices 

Whenever the University of York gathers or receives personal or special category data, it should provide a privacy notice to the data subject. This is not a new requirement under data protection legislation. However, the GDPR does introduce more granular requirements for notices. For a full breakdown of all required elements see GDPR Compliant Privacy Notice Checklist (MS Word , 16kb).

In order to ensure consistency across the University, a template privacy notice has been produced to provide standard wording for those elements that will be generic to all University activities. The template can be accessed here. Individual departments will, however, need to ensure local notices explain: 

  1. why data is being gathered;
  2. what legal basis is being relied on to process data; 
  3. whether data will be shared with a third party and, if so, why. 

In terms of a worked example; 

Privacy Notice

The information provided on this form will be used by the Information Governance Office to ...

You will need to provide a clear description of purpose here e.g. consider your application and, if successful, enrol you to the programme; send you regular newsletter updates about information compliance; better understand your experience of studying at a distance and allow us to identify ways to improve provisions for distance learners.

Data will be processed because ...  

You will need to explain the legal basis for processing here e.g. you have given us your consent; it is necessary for the performance of a contract with you; we have a legal obligation to do so. For a full list of grounds see here.

Data will be shared with ... for the following purposes ... 

Insert a list of all external bodies, agencies, service providers etc. that you will share the data with and/or list all internal departments that will use the data for distinct purposes. Ensure the rationale for sharing is clearly articulated. 

Data will be transferred ...

You will need to explain whether data will be transferred internationally here, i.e. outside of the European Economic Area e.g. to the United States under Privacy Shield; to Australia using Model Contract Clauses. As a general rule, get in touch with if you intend to transfer data internationally. 

You will also need to tell individuals whether their data will be subject to automated decision making (including profiling) and, if so, advise how decisions will be made. You should also tell them about the significance and consequence of any automated decision. 

For the remainder of this privacy notice see, General Privacy Notice

If you are unsure how to determine the legal basis for processing, please contact for advice.