EU GDPR – Article 13 (Information to Be Provided Where Personal Data Are Collected From the Data Subject)

Abstract

In today’s digital environment, personal data is collected constantly, sometimes knowingly, sometimes passively. Against this backdrop, EU GDPR Article 13 serves as a cornerstone of transparency and fairness. It establishes a clear obligation for organisations to inform individuals whenever their personal data is collected directly from them. More importantly, it ensures that individuals understand who is collecting their data, why it is being collected, how it will be used, and what rights they can exercise. As a result, Article 13 strengthens trust, promotes accountability, and reinforces the fundamental rights of data subjects within the European Union.

Explanation

Article 13 applies whenever personal data are collected directly from the data subject, for example through online forms, account sign-ups, surveys, job applications, or in-store registrations. It obliges the controller to give the data subject a defined set of information at the time the data are obtained, not afterwards. If the controller later intends to process the data for a purpose other than the one they were collected for, it must inform the data subject of that new purpose before the further processing starts (Article 13(3)). The only exemption is where, and insofar as, the data subject already has the information (Article 13(4)).

The objective is simple but powerful: individuals should never be left in the dark about what happens to their personal data. GDPR replaces vague privacy policies with a structured set of mandatory disclosures that must be provided in clear, concise, and accessible language.

Failure to comply with Article 13 is not merely a transparency defect; it can undermine the lawfulness of the entire processing activity. Where consent is the legal basis, consent given without the required information is not "informed" and may be invalid, which removes the legal basis for everything that followed. Infringements of the data subject rights in Articles 12 to 22 also fall in the higher fine tier of Article 83(5), up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, in addition to reputational damage.

Key Points

Under Article 13(1) and (2), the controller must provide the following information to the data subject at the time the data are obtained:

  1. Identity and contact details of the data controller and, where applicable, of the controller's representative and of the data protection officer (DPO).
  2. Purposes of the processing and the legal basis for it (such as consent, contract, legal obligation, or legitimate interests).
  3. Where processing is based on legitimate interests (Article 6(1)(f)), the legitimate interests pursued by the controller or by a third party.
  4. Recipients or categories of recipients of the personal data.
  5. Any intended transfer to a third country or international organisation, including whether an adequacy decision exists and, if not, the safeguards relied on and how to obtain a copy of them.
  6. Retention period, or the criteria used to determine how long the data will be stored.
  7. Data subject rights, including access, rectification, erasure, restriction, portability, and objection.
  8. The right to withdraw consent at any time, where consent is the legal basis, without affecting the lawfulness of processing carried out before withdrawal.
  9. The right to lodge a complaint with a supervisory authority.
  10. Whether providing the data is a statutory or contractual requirement, or necessary to enter into a contract, whether the data subject is obliged to provide it, and the consequences of not doing so.
  11. The existence of automated decision-making, including profiling, and in those cases meaningful information about the logic involved and the significance and envisaged consequences for the data subject.

These disclosures must be easily understandable and must not be buried in complex legal language or spread across documents the data subject has no realistic chance of finding at the point of collection.

General Activation Steps

To operationalise compliance with Article 13, organisations should take a structured approach:

  1. Map data collection points: identify every touchpoint at which personal data are collected directly from individuals. This includes websites, mobile applications, customer service channels, physical forms, and email communications.
  2. Draft clear privacy notices: create notices tailored to each data collection scenario rather than a single generic policy, so that the purposes, legal basis, recipients and retention stated actually match that collection point.
  3. Ensure timing compliance: present the information before or at the moment of collection, never afterwards, and present it again before any further processing for a new purpose.
  4. Use plain language: GDPR requires clarity. Notices should be understandable to non-experts and accessible to all users, including through assistive technologies.
  5. Maintain version control: keep a dated record of every notice version and be able to show, for any given collection, which version the user saw. Users must always be shown the current version at the point of collection.
  6. Train staff: employees involved in data collection should understand what information must be communicated, when, and how.
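Steps 3 and 5 above are the ones an engineering team can enforce in code rather than by policy. The following is an added illustration, not code from the original article: a small registry of versioned privacy notices keyed by collection point, where each version is identified by a content hash and an effective date, plus an acceptance check that refuses a submission unless the notice current for that collection point was shown no later than the moment of collection. The collection point name "signup-form", the notice texts and the dates are constructed sample data; the structure is a hypothetical design, not any particular product's API.

```python
"""Versioned privacy notices with a collection-time check.

Added example for this article, not original content. The notice texts,
the "signup-form" collection point and all dates below are constructed
sample data; the registry design is hypothetical.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def notice_digest(text: str) -> str:
    """Identify a notice by the hash of its exact wording, so a record of
    'which notice the user saw' cannot drift when the text is edited."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class NoticeRegistry:
    # collection point -> list of (effective_from, digest, text)
    notices: dict = field(default_factory=dict)

    def publish(self, point: str, text: str, effective_from: datetime) -> str:
        """Register a new version of the notice for a collection point."""
        digest = notice_digest(text)
        self.notices.setdefault(point, []).append((effective_from, digest, text))
        return digest

    def current(self, point: str, at: datetime):
        """Return the (effective_from, digest, text) that was in force at 'at'."""
        versions = [v for v in self.notices.get(point, []) if v[0] <= at]
        if not versions:
            raise LookupError(f"no privacy notice in force for {point!r} at {at.isoformat()}")
        return max(versions, key=lambda v: v[0])


@dataclass(frozen=True)
class CollectionRecord:
    """Evidence retained with the collected data: which notice version was
    shown, when it was shown, and when the data were submitted."""
    point: str
    notice_digest: str
    shown_at: datetime
    submitted_at: datetime


def accept_submission(registry: NoticeRegistry, point: str, shown_digest: str,
                      shown_at: datetime, submitted_at: datetime) -> CollectionRecord:
    """Accept a submission only if the Article 13 information was provided
    at or before the moment of collection, and it was the current version."""
    if shown_at > submitted_at:
        raise ValueError("notice shown after collection: information must precede it")
    _, current_digest, _ = registry.current(point, submitted_at)
    if shown_digest != current_digest:
        raise ValueError("stale privacy notice presented: user did not see the current version")
    return CollectionRecord(point, shown_digest, shown_at, submitted_at)


# Constructed sample notices (placeholders, not a real privacy notice).
NOTICE_V1 = "Sample Corp collects your email to create your account. Retained 24 months."
NOTICE_V2 = "Sample Corp collects your email to create your account and shares it with Mailer Ltd. Retained 12 months."

UTC = timezone.utc


def build_registry() -> NoticeRegistry:
    """Constructed history: v1 in force from 1 Jan 2024, v2 from 1 Mar 2024."""
    reg = NoticeRegistry()
    reg.publish("signup-form", NOTICE_V1, datetime(2024, 1, 1, tzinfo=UTC))
    reg.publish("signup-form", NOTICE_V2, datetime(2024, 3, 1, tzinfo=UTC))
    return reg


if __name__ == "__main__":
    reg = build_registry()
    ok = accept_submission(reg, "signup-form", notice_digest(NOTICE_V1),
                           datetime(2024, 2, 10, 9, 0, tzinfo=UTC),
                           datetime(2024, 2, 10, 9, 5, tzinfo=UTC))
    print("accepted:", ok)
    try:
        accept_submission(reg, "signup-form", notice_digest(NOTICE_V1),
                          datetime(2024, 4, 1, 9, 0, tzinfo=UTC),
                          datetime(2024, 4, 1, 9, 5, tzinfo=UTC))
    except ValueError as exc:
        print("rejected:", exc)
```

Storing the digest and the two timestamps alongside the collected data is what lets the controller later demonstrate (Article 5(2) accountability) that a specific individual was shown a specific notice before their data were taken; a form that only links to "the privacy policy" cannot show that.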

Use Cases

Article 13 applies across many real-world scenarios, including:

  1. Website registration forms: Users signing up for accounts must be informed about data usage, retention, and rights before submission.
  2. Marketing subscriptions: Email sign-ups must clearly explain how contact data will be used and how consent can be withdrawn.
  3. Employment applications: Job applicants must receive transparency notices explaining how their CVs and personal data will be processed.
  4. Customer support interactions: When customers provide personal data via chat or email, Article 13 information must be readily available.
  5. In-store loyalty programs: Physical data collection still falls under GDPR, requiring printed or digital transparency notices.

Dependencies

Article 13 is closely linked to several other GDPR provisions:

  1. Article 5 (Principles of Processing): the lawfulness, fairness and transparency principle is given concrete form by the Article 13 disclosures, and Article 5(2) accountability requires the controller to be able to demonstrate that they were provided.
  2. Article 6 (Lawfulness of Processing): the legal basis relied on for each purpose must be the one communicated to data subjects.
  3. Article 7 (Consent): consent is only valid if it is informed, which depends on the Article 13 information having been provided beforehand.
  4. Article 12 (Transparent Communication): sets the standards for how the information must be delivered: concise, transparent, intelligible, easily accessible, and in clear and plain language.
  5. Article 14: complements Article 13 by covering situations where the data were not obtained from the data subject.

Understanding these dependencies ensures holistic GDPR compliance rather than isolated implementation.

Tools and Technologies

To efficiently comply with Article 13, organisations rely on various tools:

  1. Privacy Notice Generators: Help draft GDPR-compliant notices tailored to specific processing activities.
  2. Consent Management Platforms (CMPs): Ensure transparency and allow users to manage consent preferences easily.
  3. Website Content Management Systems (CMS): Enable timely updates and visibility of privacy notices at data collection points.
  4. Data Mapping Tools: Identify where and how personal data is collected across systems.
  5. Compliance Management Software: Centralises documentation, audits, and regulatory reporting.

These tools help operationalise transparency requirements and reduce manual compliance risks.

Let’s Wrap

In conclusion, EU GDPR Article 13 is a critical pillar of data protection law, placing transparency at the heart of personal data processing. By requiring clear and timely information whenever data is collected directly from individuals, it empowers data subjects and reinforces their fundamental rights.

For organisations, compliance with Article 13 goes beyond avoiding penalties: it strengthens trust, enhances credibility, and supports ethical data practices. Ultimately, transparency is not just a legal duty under GDPR; it is a strategic advantage in building lasting relationships with users.

When implemented correctly, Article 13 ensures that data protection is not hidden behind policies but actively communicated, understood, and respected.
