Beware: Processing of Personal Data—Informed Consent Through Risk Communication

Seiling, Lukas
Gsenger, Rita
Mulugeta, Filmona
Henningsen, Marte
Mischau, Lena
Schirmbeck, Marie
Background: The General Data Protection Regulation (GDPR) has been applicable since May 2018 and aims to further harmonize data protection law in the European Union. Processing personal data based on individuals’ consent is lawful under the GDPR only if such consent meets certain requirements and is “informed,” in particular. However, complex privacy notice design and individual cognitive limitations challenge data subjects’ ability to make elaborate consent decisions. Risk-based communication may address these issues.

Literature review: Most research focuses on isolated aspects of risk in processing personal data, such as the actors involved, specific events leading to risk formation, or distinctive (context-dependent) consequences. We propose a model combining these approaches as the basis for context-independent risk communication.

Research questions:
1. What are relevant information categories for risk communication in the processing of personal data online?
2. Which potentially adverse consequences can arise from specific events in the processing of personal data online?
3. How can consequences in the processing of personal data be avoided or mitigated?

Research methodology: The GDPR was examined through a systematic qualitative content analysis. The results inform the analysis of 32 interviews with privacy, data protection, and information security experts from academia, non-governmental organizations, the public, and the private sector.

Results: Risk-relevant information categories, specific consequences, and relations between them are identified, along with strategies for risk mitigation. The study concludes with a specified framework for perceived risk in processing personal data.

Conclusion: The results provide controllers, regulatory bodies, data subjects, and experts in the field of professional communication with information on risk formation in personal data processing. Based on our analysis, we propose information categories for risk communication, which expand the current regulatory information requirements.

