Skip to main content

Privacy Notices Overview

Privacy Notices help privacy, legal, and data-governance teams keep the catalog aligned with GDPR-style processing disclosures. In Qarion, a privacy notice is a versioned policy record that owns one or more processing purposes. Data products point to those purposes from their compliance metadata, which lets the RoPA dashboard show which products are covered, which products are missing a lawful basis, and which mappings need follow-up.

Use Privacy Notices when you need to:

  • Maintain a controlled list of active, draft, and archived privacy notices.
  • Define the processing purposes that products are allowed to use.
  • Link catalog products to a lawful basis, retention period, data-subject categories, and processing purpose.
  • Review space-level or organization-level Records of Processing Activities (RoPA).
  • Export RoPA evidence for legal review, audits, or remediation planning.

Where Privacy Work Happens

SurfaceRouteUse it for
Privacy Notices/privacy-noticesCreate, search, edit, archive, or delete privacy notices in the current space. Organization scope shows an aggregated, read-only list across spaces.
Privacy Notice Detail/privacy-notices/{noticeId}Review notice metadata, open the hosted policy URL, and maintain the processing purposes attached to the notice.
RoPA Dashboard/ropa-dashboardReview product coverage, compliance gaps, purpose mappings, lawful basis, retention, owners, recipients, and exportable RoPA evidence.
Product edit compliance sectionProduct detail edit flowAttach products to a lawful basis, processing purpose, retention period, and data-subject categories.

Notice Lifecycle

Privacy notice lifecycle is represented by the notice status and validity dates.

StatusMeaningRecommended admin behavior
DRAFTA notice version is being prepared and is not yet the governing policy.Use while legal, DPO, or product owners are reviewing wording and purpose coverage. Keep products mapped to the current active version until the draft is approved.
ACTIVEThe notice version currently governs the linked processing purposes.Set valid_from, keep content_url pointed at the published policy text, and confirm products are mapped to purposes under the active notice.
ARCHIVEDThe notice version has been superseded but remains available for audit history.Set valid_to, keep the URL available where possible, and confirm new or edited products no longer point at retired purposes.

Qarion does not add a separate privacy-notice approval workflow in the current UI. Treat the status change from DRAFT to ACTIVE as the publish control, and keep your team convention explicit: who reviews the policy text, who changes the status, and when the older version is archived.

Create And Publish A Notice

  1. Open /privacy-notices in the space that owns the processing activities.
  2. Create a notice with a name, version, status, hosted content_url, and optional validity dates.
  3. Keep new notices in DRAFT while policy text, purpose coverage, and product mappings are being reviewed.
  4. Open the notice detail page and add processing purposes. Each purpose needs a name; descriptions and the is_essential flag help reviewers distinguish strictly necessary processing from optional or consent-driven processing.
  5. When review is complete, set the approved version to ACTIVE, set valid_from, and archive the superseded version with valid_to when applicable.
  6. Review /ropa-dashboard for unmapped products, missing lawful basis values, and compliance gaps.

Products are linked to privacy notices through processing purposes. Edit the product and update the compliance fields:

Product fieldWhy it matters
Lawful basisExplains the legal basis for processing, such as Consent, Contract, Legal Obligation, Public Task, Vital Interests, or Legitimate Interests.
Processing purposeSelects a purpose from a privacy notice. This is the field that maps the product into RoPA coverage.
Retention periodRecords how long the product data is retained.
Data-subject categoriesLists the people represented in the data, such as Customers, Employees, or Applicants.

RoPA rows also enrich the product with catalog context such as environment, sensitivity, owner, data categories, and active recipients. If a product has PII or PHI sensitivity but no lawful basis, Qarion marks the row as a compliance gap.

Review RoPA Coverage

Use the RoPA dashboard to monitor privacy documentation quality across a space or, when available, across the selected organization.

The dashboard includes:

  • Summary counts for total products, mapped products, unmapped products, missing lawful basis, and compliance gaps.
  • Search across product names, lawful basis values, and processing purposes.
  • Filters for lawful basis, environment, sensitivity, and mapping status.
  • Product links for drilling back into the catalog record.
  • Owner links for follow-up with accountable users.
  • CSV export for audit packets and offline review.

Use mapping_status=unmapped or the unmapped filter first during cleanup. Then review rows with missing lawful basis or compliance-gap indicators before publishing a notice version as active.

Organization Scope

Privacy Notices and RoPA support both space and organization review:

  • Space scope is the operational view. Create, edit, delete, and purpose-management actions happen in the current space.
  • Organization scope aggregates notices and RoPA rows across spaces. Use it to find inconsistent purpose naming, missing mappings, and space-level remediation owners. Edit the source notice or product in the owning space.

Administrator Responsibilities

Privacy administrators should own these operating controls:

  • Keep notice versions, validity windows, and hosted policy URLs current.
  • Maintain a clear processing-purpose catalogue under each active notice.
  • Coordinate legal or DPO review before changing a notice from DRAFT to ACTIVE.
  • Archive superseded versions instead of overwriting policy history.
  • Review RoPA coverage after new products, schema sensitivity changes, data contracts, or purpose changes.
  • Follow up on products with missing lawful basis, missing processing purpose, or PII/PHI compliance gaps.
  • Export RoPA evidence before audits and confirm exported data reflects the intended scope.

Troubleshooting

SymptomCheck
A product is missing from a notice's coverageEdit the product and confirm it has a processing purpose selected from the expected notice.
A RoPA row is marked unmappedThe product does not have a processing purpose. Add or correct the product compliance metadata.
A compliance gap appearsThe product likely has PII or PHI sensitivity and no lawful basis. Set the lawful basis or review the sensitivity classification.
Organization scope shows a notice you cannot editOrganization scope is an aggregated view. Switch to the source space shown on the row and edit the notice there.
The policy link is unavailableUpdate the notice content_url to a reachable HTTPS URL for the published policy text.