AuditFront

GDPR Art.13: Information to Be Provided Where Data Is Collected from the Data Subject

What This Control Requires

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; (e) the recipients or categories of recipients of the personal data, if any; (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.

In Plain Language

Whenever someone hands you their personal data directly - filling in a form, signing up for a service, making a purchase - you must tell them exactly what you are going to do with it, right then and there. Not buried in a link three clicks deep. Not in a follow-up email two weeks later. The required information comes in two tiers. Tier one (Article 13(1)) covers the essentials: who you are, your DPO's contact details where you have one, what you are processing and why, your legal basis, any legitimate interests relied upon, who receives the data, and whether it is transferred to a third country or international organisation. Tier two (Article 13(2)) adds retention periods (or the criteria used to set them), data subject rights, the right to withdraw consent where consent is the legal basis, the right to complain to a supervisory authority, whether providing the data is mandatory and what happens if it is not provided, and details of any automated decision-making or profiling. This is the legal foundation for every privacy notice on your website, in your app, and on your paper forms. Having a notice is not enough - it must be presented proactively at the right moment and actually contain all the mandated elements in a format people can understand.

How to Implement

Map every data collection point across your organisation: website forms, mobile app screens, in-store interactions, phone calls where data is recorded, paper forms, and anything else where individuals provide you with their own data. For each one, check whether the right Article 13 information is presented at the right time.

Write compliant privacy notices for each collection context. A general website privacy policy is a start, but specific contexts need tailored notices. Your employee privacy notice will look very different from your customer-facing one. Make sure each notice covers every element from both Article 13(1) and 13(2), written for the specific audience.

Use a layered approach for digital channels. Layer one: a concise summary right at the collection point covering who you are, what you are collecting and why, and key rights. Layer two: the full privacy notice, one clear link away. Layer three: detailed supplementary information on specific topics if needed. The first layer must be genuinely visible, not hidden inside terms and conditions nobody reads.

Set up a process to update notices when processing changes. New purpose, new recipient, new retention period - any change to a required element triggers an update obligation. Keep version histories of all privacy notices and record how and when changes were communicated to data subjects.

Test your notices with real people. Run readability assessments, check navigation and accessibility on digital channels, and verify that individuals can actually find and understand the key information - especially their rights and how to exercise them. Use the feedback to improve. Privacy notices are never truly finished.

Evidence Your Auditor Will Request

  • Inventory of all data collection points with corresponding privacy notices
  • Privacy notices for each collection context containing all Article 13 required elements
  • Evidence of layered notice approach for digital channels
  • Version control records showing privacy notice updates when processing changes
  • Usability testing results or readability assessments for privacy notices

Common Mistakes

  • Privacy notices missing one or more required information elements, particularly retention periods or legitimate interests details
  • Privacy notice not provided at the time of data collection but only accessible deep within a website
  • Generic one-size-fits-all privacy notice that does not address specific processing contexts
  • Privacy notices not updated when processing activities or recipients change
  • Information about automated decision-making and profiling omitted despite such processing taking place
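The "map every collection point and check each notice" step above, and the missing-element mistakes listed here, can be turned into a repeatable check over your collection-point inventory. The script below is an added example written for this page, not AuditFront's tooling: it encodes which Article 13 elements are always required and which are conditional (DPO contact only where one is designated, legitimate interests only under Article 6(1)(f), withdrawal of consent only where consent is the basis, transfer information only where transfers occur, automated decision-making details only where it takes place) and reports gaps per collection point. The record fields, element names and the three sample collection points are constructed for illustration, not a standard schema.

```python
"""Completeness check of Article 13 privacy-notice records (added example).

Each collection point is described by a CollectionPoint record whose
notice_elements set lists the Art.13 elements its notice actually presents.
Field and element names are assumptions for this example, not a standard.
"""
from dataclasses import dataclass

# Elements every Art.13 notice must contain: 13(1)(a), (c), (e) and 13(2)(a), (b), (d), (e).
ALWAYS_REQUIRED = {
    "controller_identity",
    "controller_contact",
    "purposes",
    "legal_basis",
    "recipients",
    "retention_period",
    "data_subject_rights",
    "right_to_complain",
    "provision_mandatory_or_not",
}

# Legal bases under which 13(2)(c) (right to withdraw consent) applies.
CONSENT_BASES = ("6(1)(a)", "9(2)(a)")


@dataclass
class CollectionPoint:
    name: str
    notice_elements: set          # elements the notice presents
    legal_basis: str              # e.g. "6(1)(a)" consent, "6(1)(f)" legitimate interests
    has_dpo: bool                 # a DPO is designated (mandatory or voluntary)
    transfers_outside_eea: bool   # data goes to a third country / international organisation
    automated_decision_making: bool
    notice_shown_at_collection: bool


def required_elements(cp: CollectionPoint) -> set:
    """Return the Art.13 elements this collection point's notice must contain."""
    req = set(ALWAYS_REQUIRED)
    if cp.has_dpo:
        req.add("dpo_contact")                 # 13(1)(b), where applicable
    if cp.legal_basis == "6(1)(f)":
        req.add("legitimate_interests")        # 13(1)(d)
    if cp.legal_basis in CONSENT_BASES:
        req.add("right_to_withdraw_consent")   # 13(2)(c)
    if cp.transfers_outside_eea:
        req.add("third_country_transfer")      # 13(1)(f)
    if cp.automated_decision_making:
        req.add("automated_decision_making")   # 13(2)(f)
    return req


def check_notice(cp: CollectionPoint) -> list:
    """Return a list of findings (empty when the notice is complete and timely)."""
    findings = [f"{cp.name}: missing element '{m}'"
                for m in sorted(required_elements(cp) - cp.notice_elements)]
    if not cp.notice_shown_at_collection:
        findings.append(f"{cp.name}: notice not presented at the point of collection")
    return findings


def audit_inventory(points) -> dict:
    """Map each collection point name to its findings; only non-compliant points appear."""
    return {cp.name: f for cp in points if (f := check_notice(cp))}


# Constructed sample inventory (not real data).
NEWSLETTER = CollectionPoint(
    name="web newsletter signup",
    notice_elements=ALWAYS_REQUIRED | {"dpo_contact"},
    legal_basis="6(1)(a)", has_dpo=True,
    transfers_outside_eea=False, automated_decision_making=False,
    notice_shown_at_collection=True,
)
LOYALTY = CollectionPoint(
    name="in-store loyalty card form",
    notice_elements=ALWAYS_REQUIRED - {"retention_period"},
    legal_basis="6(1)(f)", has_dpo=False,
    transfers_outside_eea=True, automated_decision_making=True,
    notice_shown_at_collection=False,
)
JOB_APPLICATION = CollectionPoint(
    name="online job application",
    notice_elements=ALWAYS_REQUIRED | {"dpo_contact"},
    legal_basis="6(1)(b)", has_dpo=True,
    transfers_outside_eea=False, automated_decision_making=False,
    notice_shown_at_collection=True,
)
INVENTORY = [NEWSLETTER, LOYALTY, JOB_APPLICATION]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name)
        for line in findings:
            print("  -", line)
```

The inventory records and the audit output together cover the first two evidence items an auditor asks for; keeping the records under version control, with the legal basis and recipient fields reviewed whenever processing changes, turns the "not updated" mistake into a diff you can show.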

Related Controls Across Frameworks

Framework    Control ID   Relationship
ISO 27001    A.5.34       Related (Privacy and protection of PII)

Frequently Asked Questions

When exactly must Article 13 information be provided?
At the moment you collect the data - not after. For an online form, that means before or at the point of submission. For in-person collection, it means when the data is handed over. For phone calls, you can inform verbally at the start of the call or send a link immediately after. The point is that people should know what they are agreeing to before their data enters your systems.
Do we need separate privacy notices for different groups of data subjects?
You can technically put everything into one document, but it usually creates a mess that nobody reads. Separate notices for distinct groups - customers, employees, job applicants, website visitors - are almost always clearer and more effective. Each group has different processing activities and different concerns, and a tailored notice does a far better job of meeting the transparency requirement.
What if we do not have a DPO - do we still need to include DPO contact details?
If Article 37 does not require you to appoint a DPO and you have not voluntarily designated one, you can skip the DPO contact details. But you still need to include the controller's identity and contact information, and you should provide a clear point of contact for data protection queries. People need someone to reach out to.

Track GDPR compliance in one place

AuditFront helps you manage every GDPR control, collect evidence, and stay audit-ready.
