GDPR · Personal Data · Information

GDPR – How to inform data subjects?

Informing data subjects is mandatory if your startup processes personal data. The GDPR requires information to be provided in a clear, precise, readable and easily accessible manner.

✍️ Kelly Hazan 📅 Published October 6, 2021 🔄 Updated May 22, 2026 ⏱ 6 min read

STARTUPS — LEARN HOW TO INFORM YOUR USERS!

Informing data subjects is mandatory if your startup processes personal data. The GDPR requires information to be provided in a clear and precise manner. How should you inform the individuals whose personal data you process? What information must be provided?

1. WHAT OBLIGATION DOES THE GDPR IMPOSE?

Under Articles 13 (direct collection) and 14 (indirect collection) of the GDPR, the data controller is required to inform data subjects of the processing carried out on their personal data, whether the data is collected directly from the data subject or indirectly (for example: publicly available data or data from social networks).

2. WHAT INFORMATION MUST THE COMPANY PROVIDE TO DATA SUBJECTS?

Under the GDPR, the following information must appear in an information notice:

Identity and contact details of the data controller
Where applicable, identity and contact details of the data controller's representative
Where applicable, contact details of the Data Protection Officer ("DPO")
Purposes of the processing
Legal basis for the processing (consent, performance of a contract, compliance with a legal obligation, etc.)
Whether the provision of personal data is mandatory or optional, and the consequences for the individual of not providing the data
Where applicable, the legitimate interests pursued by the data controller or a third party, if the processing is necessary for those legitimate interests
Recipients or categories of recipients of the personal data, where they exist
Details of transfers of data to third countries and the associated safeguards
Retention period for the personal data, or the criteria used to determine that period
Reference to each of the rights of data subjects (access, rectification, erasure, restriction of processing, objection, portability, etc.)
Reference to the right to withdraw consent at any time, where applicable
Reference to the right to lodge a complaint with a supervisory authority
Reference to the existence of automated decision-making, where it exists, including profiling
In the case of indirect collection: categories and sources of the data collected

Warning: Startups processing personal data of individuals located in France must pay attention to the application of Article 116 of the French Data Protection Act (Loi Informatique et Libertés). This article requires an information notice to be displayed below forms and questionnaires.

This information notice, often displayed below contact forms on websites, must specify:

whether responses are mandatory or optional;
the identity of the data controller and, where applicable, their representative;
the purpose(s) of the processing for which the data is intended;
the rights available to data subjects (e.g., the right of access, rectification and deletion of their personal data).

📋 Personal Data · ALF

Need help with your GDPR compliance?

Information notices, privacy policy, forms, processing register, contracts and subprocessing arrangements: get support from African Legal Factory.

3. WHAT FORM CAN THIS INFORMATION NOTICE TAKE?

While the GDPR does not prescribe a specific format for the information notice, it must be readable, easily accessible, clear and understandable. For employees, it may take the form of a clause in the employment contract, an email sent individually to each employee, a notice displayed on employee information boards, or an information sheet on the company's intranet or a folder accessible to all staff.

For partners, service providers and shareholders, it may take the form of a notice included in contracts, at the bottom of emails, correspondence or collection forms addressed to them.

This information may therefore take the form of:

a Privacy Policy for personal data processing carried out via a website;
an internal policy for employees;
information notices at the bottom of forms, quotes or emails;
a personal data protection clause in employment, client or service provider/supplier contracts.

4. OUR RECOMMENDATIONS

Our recommendations:

Avoid copying existing privacy policies that are not tailored to the personal data processing activities carried out by your startup and that are sometimes out of date;
Prioritize a readable, understandable and easily accessible format;
Use simple and clear language;
Provide information at different stages of the user journey;
Prioritize key information and communicate it to the data subject at the time of account creation, directly on the registration page;
On that same page, link to a comprehensive information notice via a hyperlink (e.g., a link to a Privacy Policy);
Keep information notices up to date.

5. WHAT SANCTIONS APPLY?

Personal data protection authorities can carry out remote inspections and therefore sanction a startup if its website does not properly inform data subjects!

The sanctions provided for under the GDPR for failure to inform data subjects are 4% of the startup's total annual worldwide turnover or a fine of €20 million — whichever is higher.

References

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Guidelines, recommendations and best practices published by the European Data Protection Board (EDPB);
Guidelines of the Article 29 Working Party (WP29) endorsed by the EDPB.

📋 ALF Legal Assistance

I would like support with my personal data protection compliance

Fill in the form to be contacted by the African Legal Factory team regarding your information notices, privacy policies, contracts or GDPR obligations.

Author

African Legal Factory

By completing this contact form, African Legal Factory collects and processes your personal data as data controller in order to respond to your enquiries. You have the right to access, rectify, object to, erase, restrict, port your data, and to provide instructions regarding its handling after your death.

For more information on the processing of your personal data, please consult our Privacy Policy.

Form : I would like ALF to provide me with legal assistance

We provide legal support for all your business law issues. Fill in this online form to be immediately contacted by our teams.

En remplissant ce formulaire de contact, African Legal Factory recueille et traite vos données à caractère personnel en tant que responsable de traitement afin de répondre à toutes vos interrogations. Vous disposez sur vos données d’un droit d’accès, de rectification, d’opposition, à l’effacement, à la limitation, à la portabilité et de donner des directives sur le sort de vos données après votre décès. Pour plus d’information relative au traitement de vos données personnelles veuillez consulter notre Politique de Confidentialité. [Privacy Policy]

Cookie	Duration	Description
__stripe_mid		Stripe sets this cookie to process payments.
__stripe_sid		Stripe sets this cookie to process payments.
_abck		This cookie is used to detect and defend against replay attempts. This cookie manages interaction with online robots and takes appropriate action.
ak_bmsc		This cookie is used by Akamai to optimize site security by distinguishing between humans and robots.
bm_sz		This cookie is set by the Akamai Bot Manager provider. This cookie is used to manage interaction with online bots. It also contributes to fraud prevention.
cookielawinfo-checkbox-analytics		Defined by the GDPR Cookie Consent plugin, this cookie is used to record user consent for cookies in the "Analytics" category .
cookielawinfo-checkbox-functional		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Functional" category.
cookielawinfo-checkbox-indispensable		The cookie is set by the GDPR cookie consent plugin to record the user's consent for cookies in the "Indispensable" category.
cookielawinfo-checkbox-necessary		Defined by the GDPR Cookie Consent plugin, this cookie is used to record the user's consent for cookies in the "Necessary" category .
cookielawinfo-checkbox-others		Defined by the GDPR Cookie Consent plugin, this cookie is used to store user consent for cookies in the "Other" category.
CookieLawInfoConsent		Saves the state of the default button for the corresponding category and the state of the CCAC. It only works in coordination with the primary cookie.
redux_blast		This cookie is necessary for the operation of certain WordPress theme elements that make the website appear in the most optimal way for the visitor's device.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also tracks site usage for the site analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_5BN1MYEN2Y		This cookie is set by Google Analytics.
_gat_gtag_UA_157972103_1		Defined by Google to distinguish users.
_gid		Installed by Google Analytics, the _gid cookie stores information about how visitors use a website, while creating an analytical report of site performance. The data collected includes the number of visitors, where they come from and the pages they visit anonymously.
CONSENT		YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
last_pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
last_pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_first_visit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_landing_page		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_session_limit		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
pys_start_session		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.

Cookie	Duration	Description
_mcid		This is a Mailchimp functionality cookie used to evaluate UI/UX interaction with its platform.
bm_sv		This cookie is required for Akamai's cache function. A cache is used by the website to optimize the response time between the visitor and the website. The cache is usually stored on the visitor's browser. User bandwidth results are stored in this cookie to ensure that the bandwidth test is not repeated for the same user multiple times for the Akamai cache function.
cookies.js		No description available.
m		This cookie is set by stripe.
mailchimp_landing_site		This cookie is set by MailChimp to record the page the user visited for the first time.
pysTrafficSource		Anonymous cookie used to facilitate the "PixelYourSite" plugin that manages our analytics services.
stm_lms_courses_watched		No description
wmc_current_currency		save currency settings.
wp_woocommerce_session_b80c8f798ec84ed7476594d4acafc57c		Contains a unique code for each customer, so you know where to find the basket data in the database for each customer.

GDPR – How to inform data subjects?

1. WHAT OBLIGATION DOES THE GDPR IMPOSE?

2. WHAT INFORMATION MUST THE COMPANY PROVIDE TO DATA SUBJECTS?

Need help with your GDPR compliance?

3. WHAT FORM CAN THIS INFORMATION NOTICE TAKE?

4. OUR RECOMMENDATIONS

5. WHAT SANCTIONS APPLY?

References

I would like support with my personal data protection compliance

Author

Related articles and resources

Complying with the European GDPR regulation

Declaring personal data processing in Morocco

Understanding personal data protection in Senegal

Receive the latest African legal news

Form : I would like ALF to provide me with legal assistance