ISMS Copilot
ISMS Copilot

GDPR policy and notice generation with ISMS Copilot

Draft Article 13 and 14 privacy notices, the Article 30 ROPA, and a defensible retention schedule.

Start Free TrialSee it in action

Drafting Art. 13/14 notices and the ROPA

GDPR transparency depends on where the data came from, and ISMS Copilot handles the distinction. Article 13 governs information provided when personal data is collected directly from the data subject; Article 14 governs information when data is obtained from another source — and adds the source and the disclosure-timing rules Article 13 does not. The assistant drafts the correct notice for each collection point with the mandatory elements: controller identity, purposes, legal basis, recipients, retention, and data-subject rights. It then builds the Article 30 records of processing activities, capturing purposes, categories of data and data subjects, recipients, transfers, and security measures in the structure supervisory authorities request. From the ROPA it derives a retention schedule, tying each retention period to a documented purpose rather than an arbitrary default. You confirm legal bases and purposes; the assistant removes the drafting load and keeps the documents consistent with each other.

Explore the GDPR Copilot

Why teams use ISMS Copilot for GDPR documentation

  • Draft Article 13 notices for direct collection and Article 14 notices for indirect collection correctly
  • Build the Article 30 ROPA in the structure supervisory authorities expect
  • Derive a retention schedule where each period is tied to a documented purpose
  • Keep notices, ROPA, and retention schedule consistent with one another

Frequently Asked Questions

What is the difference between Article 13 and Article 14 notices?

Article 13 applies when you collect personal data directly from the data subject. Article 14 applies when you obtain it from another source and additionally requires you to state the source and respect specific disclosure timing. ISMS Copilot drafts the right one for each collection point.

Can it generate the Article 30 ROPA?

Yes. ISMS Copilot builds records of processing activities capturing purposes, data and subject categories, recipients, transfers, retention, and security measures in the format supervisory authorities request.

How does it handle retention periods?

ISMS Copilot derives a retention schedule from the ROPA so each period is justified by a documented processing purpose rather than an arbitrary default, which is what regulators expect to see.

Ready to streamline your compliance work?

Built for speed, accuracy, and audit-ready output.

Try ISMS Copilot 2.0