UK

A company didn't have a privacy notice when collecting my data. Is this a breach?

GDPR Art 13
Key provision
UK GDPR
Governing law
ICO guidance
Enforcement body
72 hours
Breach reporting window
The Short Answer

Yes, it is likely a breach of UK data protection law. Companies must provide a privacy notice at the time personal data is collected.

What the Law Says

Under UK data protection law, organisations must give individuals clear, concise information about how their personal data will be used — at the time the data is collected.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 require controllers to provide a privacy notice before or at the time of collecting personal data from an individual.

This notice must include specific details such as the controller’s identity and contact details, the purposes and legal basis for processing, data retention periods, and individuals’ rights — including the right to complain to the Information Commissioner’s Office (ICO).

Failure to provide this information breaches Article 13 of the UK GDPR, which forms part of domestic law under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

Statutory Text

Where personal data are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information…

UK GDPR, Art 13(1) — Information to be provided where personal data are collected from the data subject
Statutory Text

The information referred to in paragraph 1 shall be provided… in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

UK GDPR, Art 12(1) — Transparent information, communication and modalities for the exercise of the rights of the data subject

What to Do

1

Check whether any privacy information was provided — even if not labelled 'privacy notice' (e.g., terms & conditions, sign-up forms, or website footers).

2

Contact the company in writing, requesting the missing privacy information and asking how your data is being used.

3

If unsatisfied, report the issue to the Information Commissioner’s Office (ICO) via their online complaint form.

4

You may also request erasure of your data (‘right to be forgotten’) or object to its processing if no lawful basis was disclosed.

Sources

statuteUK GDPR, Art 13 — Information to be provided where personal data are collected from the data subjectstatuteUK GDPR, Art 12 — Transparent information, communication and modalities for the exercise of the rights of the data subjectstatuteData Protection Act 2018

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.