Article 13

Information to be provided where personal data are collected from the data subject

Article 13 requires organizations (data controllers) to inform data subjects (individuals) about how the personal data collected from them will be processed. Article 13 empowers data subjects to make informed decisions and exercise their data subject rights effectively.

Let’s divide the article into 3 paragraphs:

Paragraph 1 specifies the basic information that must be provided.

Paragraph 2 outlines the additional information that must be provided to ensure fair and transparent processing.

Paragraph 3 covers exceptions to the timing of information provision and modifications when the controller intends to further process the data for a purpose other than that for which it was collected.

Paragraph 1 states the fundamental information that must be provided to the data subject. This includes:

  1. The identity and the contact details of the data controller.
  2. Contact details of the Data Protection Officer (DPO).
  3. If the controller is not based in the EU but processes EU residents’ data, it must appoint an EU representative whose details must also be provided.
  4. The controller must clearly explain the reason for collecting and processing the personal data.
  5. The controller must also specify the legal basis under Article 6 of GDPR it is relying on for each purpose (e.g., consent, contract, legal obligation, legitimate interests).
  6. Where the personal data are processed for multiple purposes, each purpose and its legal basis must be stated separately.
  7. If the processing is based on the legitimate interests of the controller or a third party (Article 6(1)(f)), these interests must be explicitly stated.
  8. The controller must inform the data subject if their personal data will be shared with any other entities (e.g., marketing agencies, other processing entities, etc.).
  9. The data subject must be informed if their personal data will be transferred outside the EU/EEA.

Paragraph 2 states the additional information that must be provided to the data subject to ensure fair and transparent processing. This includes:

  1. The controller must inform the data subject how long their personal data will be stored. Where the duration cannot be specified, the criteria used to determine the period must be specified instead.
  2. The controller must inform the data subject of their rights under GDPR, which include:
     1. Right of access: to obtain a copy of their personal data
     2. Right to rectification: to correct inaccurate personal data
     3. Right to erasure (right to be forgotten): to have their personal data erased under certain circumstances
     4. Right to restriction of processing: to limit how their data is used
     5. Right to object to processing: to stop the processing of their data in certain cases
     6. Right to data portability: to receive their data in a structured, commonly used, and machine-readable format
  3. The data subject must be made aware of the following:
     1. The right to withdraw consent at any point in time. They should also be made aware that processing carried out before the withdrawal of consent remains lawful.
     2. The right to lodge a complaint. They should be informed about the relevant data protection authority.
  4. The controller must clarify whether providing personal data is:
     1. A statutory requirement (required by law)
     2. A contractual requirement
     3. A requirement necessary to enter into a contract
     In each of these situations, the data subject must be made aware of the necessity of providing the personal data and of the consequences of not providing it.
  5. The data subject must be informed whether the personal data is used for automated decision-making processes, including profiling.

Paragraph 3 mandates that the data subject must be informed if the data controller intends to process the personal data for a purpose other than the specific purpose for which it was collected. This information must be provided before the personal data are processed for the new purpose.

Implementation Guidance:

  1. Develop a comprehensive privacy notice that covers, but is not limited to, the following points:
     1. Contact details and address of the data controller
     2. Contact details of the DPO
     3. Transfer of data outside the EU/EEA for processing
     4. Purpose and legal basis of processing
     5. Rights of the data subject (right to access, modify, delete, etc.)
     6. Right to withdraw consent at any point in time
     7. Right to lodge a complaint
  2. The policy should be made easily accessible to the data subject.
  3. Develop and implement policies and procedures for the points mentioned in 1.
  4. Regularly keep the privacy notice updated.

Compliance Checklist:

  1. Privacy policy
  2. Privacy notice
  3. Procedure for handling data subject requests
  4. Record of Processing Activities (RoPA)

Examples and Use Cases

  1. An online fashion retail website displays a privacy notice for its customers. The privacy notice is written in simple, plain English. The notice further explains the purpose of data collection, the rights of the data subject, the contact details of the DPO, the contact details of the data protection authority, etc.
  2. An online job portal provides a privacy notice to all applicants explaining how their data will be used, how long it will be stored, etc.
  3. A subscriber wants to unsubscribe from a newsletter. The request is submitted to the corresponding website, and the website processes it. The website also informs the subscriber that all processing carried out before the submission of the request remains lawful and that the subscriber will not receive any newsletter henceforth.