Forensic Hub

Technical annex

Privacy statement 2026 requirements (GDPR)

Technical checklist for privacy notice quality: retention periods, controller/DPO contact details, and evidence that data subject rights requests are handled.

Document ref

REF-GDPR-2026

Legal basis

Regulation (EU) 2016/679 (GDPR), with transparency and data subject rights focus

Audit status

VERIFIED BY COMPLIANCE-NU

Tags: Privacy statement 2026 requirements; Retention periods; NL; DPO mandatory check

Scare trigger

Core notice failures remain one of the fastest triggers for complaints and corrective regulator action.

Injected violations

Under this legal framework, the following technical failure patterns are observed repeatedly.

Missing or hard-to-find privacy notice / transparency information

Max: EUR 20M / 4% turnover

We verify this via Violation ID: nl-gdpr-transparency-missing-privacy-notice

Privacy notice missing contact details (controller/DPO where required)

Max: EUR 20M / 4% turnover

We verify this via Violation ID: nl-gdpr-transparency-missing-contact-dpo

Missing retention period information in privacy notice

Max: EUR 20M / 4% turnover

We verify this via Violation ID: nl-gdpr-retention-missing

No clear DSAR channel (data subject rights contact) (risk flag)

Max: EUR 20M / 4% turnover

We verify this via Violation ID: nl-gdpr-rights-no-dsar-channel

Calculated risk snippet

GDPR transparency exposure model

Maximum = max(fixed ceiling of EUR 20M, 4% of turnover), i.e. whichever of the two is higher.

Indicative max exposure

€20M

Non-optional items for 2026

Notices must clearly state processing purpose, legal basis, recipient classes, and retention periods by data category.

Controller and DPO contact routes must be easy to find and operational, not merely documented.

Operational checks for teams

Run monthly notice-diff checks, and tie each privacy notice update to the release that changes the underlying data flows.

Validate that access, erasure, and objection requests can be processed and evidenced end-to-end.
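The two operational checks above (a periodic notice-diff and a check that the notice actually names the required elements) can be scripted. The following is an added example, not tooling from this checklist or its publisher. It assumes the privacy notice is available as plain text, that the team stores the SHA-256 digest of the last reviewed version, and it uses regular-expression heuristics chosen for this example (they are not a legal standard). The two sample notices are constructed for the demonstration.

```python
"""Privacy-notice quality check: required elements plus change detection.

Added example. Assumes a plain-text notice and a stored digest of the
last reviewed version. The patterns below are illustrative heuristics.
"""
import hashlib
import re

# Elements the notice must state: purpose, legal basis, recipient classes,
# retention periods, controller and DPO contact routes, and a channel for
# access/erasure/objection requests. Matched case-insensitively on the
# lower-cased text; the email fragment is a simplified address pattern.
EMAIL = r"[\w.+-]+@[\w-]+\.\w+"
REQUIRED = {
    "purpose":            r"\bpurposes?\b",
    "legal_basis":        r"\b(legal|lawful) basis\b",
    "recipients":         r"\brecipients?\b",
    "retention":          r"\b(retain\w*|retention|kept|stored)\b",
    "controller_contact": r"\bcontroller\b[^.]*?" + EMAIL,
    "dpo_contact":        r"\b(data protection officer|dpo)\b[^.]*?" + EMAIL,
    "dsar_channel":       r"\b(access|erasure|object)\b[^.]*?"
                          r"\b(request|contact|email|write to)\b[^.]*?" + EMAIL,
}

# A retention statement only counts as concrete if it names a period.
CONCRETE_PERIOD = r"\b\d+\s*(day|week|month|year)s?\b"


def sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def notice_digest(text):
    """Digest over whitespace-normalised text, so reflowed HTML is not a change."""
    normalised = " ".join(text.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def changed_since(text, last_reviewed_digest):
    """True if the notice differs from the version the team last reviewed."""
    return notice_digest(text) != last_reviewed_digest


def check_notice(text):
    """Return missing elements, weak retention statements, and the digest."""
    low = text.lower()
    missing = [name for name, pat in REQUIRED.items() if not re.search(pat, low)]
    weak = []
    for sentence in sentences(low):
        if re.search(REQUIRED["retention"], sentence) and not re.search(CONCRETE_PERIOD, sentence):
            weak.append("retention period not concrete: " + sentence[:60])
    return {"missing": missing, "weak": weak, "sha256": notice_digest(text)}


# Constructed sample notices (not real organisations or addresses).
GOOD_NOTICE = (
    "We process your name and email for the purpose of account administration. "
    "The legal basis is Article 6(1)(b) GDPR. Recipients include our hosting provider. "
    "Account data is retained for 24 months after closure; support tickets are kept for 2 years. "
    "The controller is Example Ltd, contact privacy@example.com. "
    "Our data protection officer can be reached at dpo@example.com. "
    "To request access, erasure or to object, email privacy@example.com."
)
BAD_NOTICE = (
    "We collect your email for the purpose of sending our newsletter. "
    "Your data is kept as long as necessary. "
    "The controller is Example Ltd, contact hello@example.com. "
    "You may contact us with questions."
)

if __name__ == "__main__":
    baseline = notice_digest(GOOD_NOTICE)  # stand-in for the stored digest
    for label, notice in (("good", GOOD_NOTICE), ("bad", BAD_NOTICE)):
        result = check_notice(notice)
        print(label, "missing:", result["missing"])
        print(label, "weak:", result["weak"])
        print(label, "changed since last review:", changed_since(notice, baseline))
```

Run it monthly against the published notice text; a non-empty `missing` or `weak` list, or `changed_since` returning True without a matching reviewed release, is the signal to open a review ticket.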
