Understanding Article 13 of GDPR
Article 13 of GDPR provides guidance to organizations as to what information they need to provide individuals prior to collecting their personal data.
Information organizations need to provide before collecting personal data (Article 13(1) GDPR)
What information should organizations provide or disclose to individuals before collecting their personal information?
Article 13(1) of GDPR provides the necessary guidance in that regard.
The regulation requires that, at the time when personal data are obtained, companies should provide individuals with the following information:
- Identity of the company collecting the data and contact details (Article 13(1)(a) GDPR)
- Contact details of the data protection officer if the company has one (Article 13(1)(b) GDPR)
- The purpose of collecting the personal data and the legal basis for the processing (Article 13(1)(c) GDPR)
- If the processing is necessary for the legitimate interest pursued by the company based on Article 6(1)(f), the details of the legitimate interest should be disclosed (Article 13(1)(d) GDPR)
- The recipients or categories of recipients (Article 13(1)(e) GDPR)
- Whether the company intends to transfer personal data to a third country, whether or not that country has an adequacy decision, or a reference to the appropriate safeguards such as a legally binding and enforceable contract or binding corporate rules (Article 13(1)(f) GDPR)
Information to be provided for fair and transparent processing (Article 13(2) GDPR)
In addition to the mandatory information to be provided to an individual prior to collecting, processing and storing their personal data, companies are required to give the following information to ensure fair and transparent processing of the personal data:
- For how long personal data will be stored (Article 13(2)(a) GDPR)
- The person's right to access their data, to request its rectification or erasure, to restrict its processing, to object to its processing, and the right to data portability (Article 13(2)(b) GDPR)
- If the processing is based on the individual's consent, the person's right to withdraw his or her consent, without affecting the legality of the processing that was done prior to the withdrawal (Article 13(2)(c) GDPR)
- The person’s right to file a complaint with a supervisory authority (Article 13(2)(d) GDPR)
- Whether providing the personal data is a legal requirement or a contractual one, or necessary for the organization to enter into a contract with the person, along with the possible consequences if the information is not given (Article 13(2)(e) GDPR)
- Information about the logic of any automated decision-making, including profiling, impacting the person along with possible consequences (Article 13(2)(f) GDPR)
Processing for other purposes (Article 13(3) GDPR)
If a company intends to use a person's personal information for any purpose other than the one for which it was initially collected, the company must inform the individual of the new purpose and provide all the relevant information as required under Article 13(2).
When Article 13 does not apply (Article 13(4) GDPR)
In the event that a person already has all the information required under Articles 13(1), 13(2) and 13(3), a company is not required to give the information again.
Recitals applicable to Article 13 of GDPR
Relevant Recitals: 60, 61, 62
Cited Legislation in Article 13 or relevant recitals
GDPR Text: Article 13 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)