When businesses collect personal data directly from individuals, transparency is essential. People deserve to know who is collecting their data, why, how long it will be stored, and with whom it might be shared. This fundamental requirement is captured in Article 13 of the General Data Protection Regulation (GDPR). It ensures organizations provide clear privacy information at the moment of data collection — not hidden, not delayed, and not complicated.
What Is GDPR Article 13?
GDPR Article 13 outlines the specific information that must be given to a data subject when personal data is collected directly from them. It applies to activities such as:
- Filling out a contact form
- Creating an account on a website
- Signing up for a newsletter
- Applying for a job
- Completing a purchase
- Providing data in person
Article 14 covers personal data that were not obtained from the data subject (for example, bought from a data broker or taken from public sources); Article 13 addresses the case where the data are collected directly from the individual.
Its main purpose is to uphold transparency, one of the core principles of GDPR.
Why Article 13 Matters
Without transparency, trust disappears. People may feel tricked into sharing information or unaware of risks linked to how their data is used. Article 13 ensures individuals:
- Understand the purpose of data processing
- Know how long their information will be stored
- Can identify who processes their data
- Are aware of their legal rights
- Know that, where processing relies on consent, they can withdraw it at any time
Non-compliance can lead to severe consequences, including administrative fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)).
What Information Must Be Provided Under Article 13?
Organizations must supply the following information at the time of data collection:
✔ 1️⃣ Identity and contact details of the controller
Who is responsible for the data and how can the user contact them?
✔ 2️⃣ Contact details of the Data Protection Officer (if applicable)
Required for companies with a mandatory DPO.
✔ 3️⃣ Purpose of processing & legal basis
Why the data is being collected and which Article 6 legal basis applies (e.g., consent, performance of a contract, legal obligation, legitimate interests).
✔ 4️⃣ Legitimate interests (if legal basis is legitimate interest)
A clear explanation of the business’s legitimate purpose.
✔ 5️⃣ Recipients or categories of recipients
Who else will receive the data? Internal teams, service partners, mailing providers?
✔ 6️⃣ Data transfers outside the EU/EEA
If personal data goes to a third country or international organisation, whether an adequacy decision exists or, if not, which appropriate safeguards apply (e.g., Standard Contractual Clauses) and how to obtain a copy of them.
✔ 7️⃣ Data storage duration or criteria for determining it
How long will the data be kept? Fixed timeline or based on necessity?
✔ 8️⃣ Individual rights
This includes the right to:
- Access data
- Correct data
- Delete data
- Restrict or object to processing
- Data portability
✔ 9️⃣ Right to withdraw consent
Where consent is the legal basis, users must be told that they can withdraw it at any time, and that withdrawal does not affect the lawfulness of processing carried out before it.
✔ 1️⃣0️⃣ Right to lodge a complaint with a supervisory authority
Users must know where to complain if their rights are violated.
✔ 1️⃣1️⃣ If providing data is mandatory and consequences of not providing it
For example: without an address, a product cannot be delivered.
✔ 1️⃣2️⃣ Automated decision-making, including profiling (if used)
Where decisions are based solely on automated processing and produce legal or similarly significant effects for the data subject (Article 22), the notice must also give meaningful information about the logic involved and the significance and envisaged consequences of that processing.
All of this information is typically included in Privacy Notices or Privacy Policies.
How Must Article 13 Information Be Presented?
Legal jargon frustrates users and breaches Article 12, which requires the information to be concise, transparent, intelligible and easily accessible, in clear and plain language. The notice must be:
- Easily accessible — not hidden behind layers of pages
- Written in clear language — no complicated legal wording
- Provided before or at the time of collection, never afterwards
- Specific to the context — not overly broad or unrelated to the data being collected
Example: a newsletter sign-up form should explain who is sending the emails, that the address will be used for marketing messages about the company's products, and how users can unsubscribe (i.e., withdraw consent); stating how often emails will be sent is good practice, though not an Article 13 requirement.
When Do Companies Violate Article 13?
Organizations commonly make the following mistakes:
- Providing privacy information after data collection
- Using pre-checked consent boxes or assuming consent (strictly a consent problem under Article 7, but it usually comes with a notice that misstates the legal basis)
- Storing the data longer than the period declared in the notice
- Using the data for purposes not communicated
- Hiding crucial information deep in legal documents
Even incomplete or unclear privacy notices can lead to enforcement action.
Examples of GDPR Article 13 in Action
Below are illustrative examples of how Article 13 applies in everyday scenarios.
Example 1: Online Newsletter Signup
A user enters their email to receive marketing updates.
The privacy notice must say:
- Who collects the email (company name + contact information)
- Purpose: sending promotional updates regarding the company’s products
- Legal basis: consent
- Data will be shared only with the email service provider that sends the newsletter on the company's behalf
- They can unsubscribe at any time
- Data is stored until they withdraw consent
- They have rights to access, delete, or object
If the company later uses the email list for targeted advertising through partners — this is a violation unless users were informed and consented.
Example 2: Job Application Through a Company Website
Applicants upload resumes and personal details directly.
The company must explain:
- Personal data will be reviewed by HR and hiring managers
- Legal basis: steps taken at the applicant's request prior to entering into an employment contract (Article 6(1)(b)) or the company's legitimate interests
- Retention period for unsuccessful applicants (e.g., 6–12 months)
- Whether the data will be shared with recruitment agencies or cloud-storage providers
- Data subject rights and how to exercise them
Keeping CVs on file for future positions is a separate purpose that must be disclosed up front; in practice it usually rests on the applicant's consent, which must be freely given and can be withdrawn at any time.
Example 3: In-Store Customer Loyalty Program
Customers provide their name and phone number at checkout.
Article 13 requires informing them:
- Purpose: rewards, promotional campaigns
- How their contact information will be used
- The right to opt-out
- Who receives the data (e.g., marketing system providers)
If the store secretly sells or shares numbers with advertisers, that breaches both Article 13 and the purpose limitation principle, and is a serious violation.
Example 4: Contact Form on a Business Website
When users fill out a contact form:
- Only fields that are actually needed should be required; collecting unnecessary information breaches the data minimisation principle (Article 5(1)(c)), even if the notice itself is complete
- Privacy notice must clarify why the data is needed (e.g., customer support)
If a company collects data for support but uses it for unrelated sales without disclosure — this again breaks Article 13.
Example 5: Mobile App Using Geo-Location Data
Apps collecting location in real time must clearly state:
- Why location is required (e.g., navigation, local services)
- Whether it's stored or only processed temporarily
- Who can access the location data — external mapping providers?
- If behavioral profiling is conducted based on location
Hidden tracking with no notice has resulted in major fines under GDPR.
How Businesses Can Ensure Article 13 Compliance
A robust compliance checklist includes:
- Keeping privacy notices visible and readable
- Reviewing texts regularly — especially when data purposes change
- Using tailored privacy messages at each data collection point
- Documenting legal basis for every processing activity
- Training employees responsible for handling personal data
Compliance is not static — it must evolve as operations change.
GDPR Article 13 Summary
Below is an easy-to-remember breakdown:
GDPR Article 13 applies when: ✔ Personal data is collected directly from the data subject
Organizations must inform users about:
- Identity and contact of controller
- DPO contact if applicable
- Reasons and legal basis for processing
- Recipients of the data
- International transfers
- Storage duration
- Data subject rights
- Consent withdrawal
- Complaints procedure
- Mandatory vs optional data
- Automated decision-making if used
Information must be:
- Clear, transparent, and given at or before the time of collection
- Easily accessible and user-friendly
Failure to comply can lead to high administrative fines and severe damage to reputation.
Final Thoughts
Transparency is the foundation of trustworthy data handling. GDPR Article 13 ensures that every individual has clear insight into their personal information — not after submission but before they choose to share it.
Rather than treating compliance as a bureaucratic hurdle, smart organizations view Article 13 as an opportunity:
- To build customers’ confidence
- To demonstrate responsible data governance
- To differentiate themselves as trustworthy brands
Privacy is not just a legal box to check — it is a promise between a business and its users.