Article 13 GDPR
Legal Text
Article 13: Information to be provided where personal data are collected from the data subject
1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
- (a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
- (b) the contact details of the data protection officer, where applicable;
- (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- (e) the recipients or categories of recipients of the personal data, if any;
- (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
- (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- (d) the right to lodge a complaint with a supervisory authority;
- (e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Relevant Recitals
Commentary
Article 13 GDPR provides for the controller's obligation to inform data subjects about the processing of their personal data. This requirement to initially inform the data subjects plays a core role in realizing the principle of transparency in Article 5(1)(a) GDPR. The information of data subjects is supposed to enable them (at least theoretically) to make informed decisions about the processing of their data (e.g. the use of a service or product and the exercise of their rights under the GDPR).[1]
The information obligation also requires the controller to go on public record regarding the use of personal data, demanding the consideration of numerous issues relating to the processing activity prior to any request by a data subject.
Article 13 GDPR outlines the controller's obligation to actively provide clear and comprehensive information to individuals about the processing of their personal data and must be read in conjunction with Article 12 GDPR which governs general rules on transparency and modalities applicable to information obligations as well as data subjects rights.[2]
Article 13 GDPR applies in situations where personal data are collected directly from the data subjects, while Article 14 GDPR applies in all other situations (e.g. when personal data have been obtained from a third party). Both provisions however have a similar structure and content, as they both describe the specific pieces of information that controllers must provide to data subjects.
Article 13 GDPR is divided into four paragraphs. The first two paragraphs list the elements the controller needs to include in its information to the data subject.[3]
The third paragraph defines the obligation to notify the data subject when the controller intends to process the data subject's personal data for a purpose other than the purpose for which the data were originally collected (i.e. further processing).
Lastly, the fourth paragraph provides for an exemption of the information obligation in case the data subject already possesses the information.
WP29 and EDPB Guidelines: For this Article, see the following Guidelines:
- WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018 (available here); and
- EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1) (available here).
(1) Information the controller shall provide at the time personal data is obtained
Paragraph 1 clarifies the scope of application of Article 13 GDPR. The information in question must be provided when personal data is "collected from the data subject".
Collection from the data subject
Collection occurs whenever personal data comes into the possession of the controller. This includes operations such as receiving data included in a paper or digital form, collecting IP addresses and associated actions, reading cookies, or gathering usage data from a device (e.g. a fitness tracker) or application.[4]
This requirement necessitates a certain contextual relationship between the act of collecting the data and the physical or digital presence of the data subject. This includes personal data that a data subject consciously provides to a controller (e.g. when completing an online form), as well as personal data that a controller collects from a data subject by observation, without the data subject's knowledge (e.g. using automated data capturing devices or surveillance cameras, network equipment, Wi-Fi tracking, RFID or other types of sensors).[5] In practice, it can be rather unclear whether personal data were collected from the data subject or not.[6]
At the time when personal data is obtained
The information must be given "at the time when personal data are obtained". The wording of the law therefore requires that the information be provided at the latest in parallel with the beginning of the processing operation.[7] The idea of the legislator is that, where personal data are obtained directly from the data subject, the controller and the data subject are in some kind of contact with each other, which enables the controller to provide the information in the course of the data collection.
In effect, the information must be provided to the data subject prior to the data collection.[8] Otherwise, it would run counter to the purpose of the information obligation (e.g. informing the data subject whether they are obliged to provide the information is only meaningful prior to the collection).
"As regards timing of the provision of this information, providing it in a timely manner is a vital element of the transparency obligation and the obligation to process data fairly."
Obviously, there are some cases where this poses difficulties for the controller, for example where the data subject, on their own initiative, sends personal data to the controller without any prior communication. In such a case the information should be provided to the data subject without undue delay.[9]
Ex-ante information
Because the initial information must be provided to the data subject when personal data are first obtained (or, in the case of Article 14 GDPR, at least close in time to the collection)[10], any information provided under Article 13 and Article 14 GDPR is necessarily ex-ante information: it should clearly reflect the intentions of the controller but is potentially subject to change. This means that not all of the provided information must necessarily become applicable to the personal data of the data subject. A controller could, for example, inform about processing activities that are reasonably likely but not certain to materialise (e.g. instructing a debt collection agency to collect outstanding debts).
Similarly, some information might change during the processing activity (e.g. a controller could replace a processor). With the principles of transparency and fairness in mind, such a change after the initial information requires that the data subject be informed about the changed intentions of the controller, as well as about possible future processing of personal data.
In reality, personal data could be used in a different way, for example because certain described processing operations never occurred or the controller (for lawful or unlawful reasons) deviated from the information given under Article 13 and Article 14 GDPR. Obviously the controller has to update and inform the data subjects if such situations occur and may even need to proactively inform them (see below paragraph 3 for the change of purposes).
"Changes to a privacy statement/notice that should always be communicated to data subjects include inter alia: a change in processing purpose; a change to the identity of the controller; or a change as to how data subjects can exercise their rights in relation to the processing. Conversely, an example of changes to a privacy statement/notice which are not considered by WP29 to be substantive or material, include corrections of misspellings, or stylistic/ grammatical flaws. Since most existing customers or users will only glance over communications of changes to privacy statements/notices, the controller should take all measures necessary to ensure that these changes are communicated in such a way that ensures that most recipients will actually notice them. This means, for example, that a notification of changes should always be communicated by way of an appropriate modality (e.g. email, hard copy letter, pop-up on a webpage or other modality which will effectively bring the changes to the attention of the data subject) specifically devoted to those changes (e.g. not together with direct marketing content), with such a communication meeting the Article 12 GDPR requirements of being concise, transparent, intelligible, easily accessible and using clear and plain language. References in the privacy statement/notice to the effect that the data subject should regularly check the privacy statement/notice for changes or updates are considered not only insufficient but also unfair in the context of Article 5(1)(a)."
In contrast to the ex-ante information obligation, data subjects always have the option to request information about the actual use of their personal data from an ex-post perspective via the right of access under Article 15 GDPR. This also reveals whether certain options (e.g. sharing with others) actually took place, and may allow the controller to provide more specific information on the actual use of the personal data of the specific data subject.
For example: The controller may only make personal data available to an external recipient in rare cases (e.g. if a user does not pay their bills), which cannot be ruled out ex-ante. If a data subject makes a request at a later stage, the controller can clarify that the personal data of that specific data subject was in fact not disclosed.
Information must be provided
The controller has to provide the information to the data subjects. The controller is therefore required to proactively furnish the information to the data subject.[11]
"This means that the data controller must take active steps to furnish the information in question to the data subject or to actively direct the data subject to the location of it (e.g. by way of a direct link, use of a QR code, etc.). The data subject must not have to actively search for information covered by these articles amongst other information, such as terms and conditions of use of a website or app."
The provision of the information must also comply with the requirements of Article 12(1) GDPR; in particular, it must be provided in a transparent, easily accessible form. Consequently, it must be distinguishable from other information, such as the terms of use of a website or the clauses of a contract.[12]
The information required by Article 13 (or Article 14) GDPR should be provided in a single document.[13] Such document is commonly referred to as privacy notice or privacy policy and can be provided in written or electronic form (often as an annex to a contract, a hard-copy document or an online multilayered document).
To avoid discrepancies and ensure a uniform and sufficient level of information of the data subjects, the EU legislator did not leave the content of such information to the discretion of controllers. Hence, Article 13(1) GDPR meticulously lists which elements must be provided to the data subjects when personal data are obtained.
(a) Identity and contact details of the controller or the controller's representative
Identity
The first piece of information that must be provided to the data subject is the identity of the controller. This information is a prerequisite for the data subject to be able to understand who processes their personal data. The information about the controller's identity should include the full name of the controller (e.g. the name of a company as registered in the company register).[14]
Contact details
The controller's contact details are necessary for the data subjects to get in touch with the controller and to further exercise their rights under the GDPR. The contact details must enable data subjects to easily contact the controller and should include different forms of communications.
"This information should allow for easy identification of the controller and preferably allow for different forms of communications with the data controller (e.g. phone number, email, postal address, etc)."
While at least a postal address must be provided at which the controller is reachable, electronic contact details might be necessary as well.[15] This conclusion is supported by logical and systematic reasons. Primarily, providing an electronic contact point could be necessary in order to comply with the controller's obligation to facilitate the exercise of data subjects' rights under Article 12(2) GDPR. For example, it would be a potentially unlawful burden to require a data subject residing in Europe to contact a far-away controller via regular mail in order to exercise their GDPR rights. Also, depending on the location of the controller, various practical obstacles could arise, including the slowness of regular mail, especially when back-and-forth communication with the controller is necessary. Moreover, such means could entail significant costs for the data subject, whilst the exercise of GDPR rights is in principle "free of charge" (Article 12(5) GDPR).
While online contact forms, chat bots or the like do not constitute "contact details" as required by Article 13(1)(a) GDPR, some controllers offer such options. In particular, when using an online contact form, data subjects are usually required to fill in mandatory fields, such as a name, email address or the nature of the request, which might conflict with the principle of data minimisation under Article 5(1)(c) GDPR. In any case, such tools can be used to provide data subjects with an easy way to contact the controller, but the data subject must be able to contact the controller without having to create an account.[16] Therefore, these tools may serve as additional means that the controller may provide to facilitate contact with data subjects.[17]
Where applicable, of the controller's representative
Article 13(1)(a) GDPR further requires that, where applicable, the identity and contact details of the controller's representative are provided. This refers to the representative as defined in Article 4(17) GDPR that needs to be designated by controllers not established in the Union (see Article 27 GDPR).[18]
(b) Contact details of the data protection officer
In accordance with Article 13(1)(b) GDPR, the controller has to provide the contact details of its data protection officer ("DPO"), if the controller has appointed one. Article 37 GDPR may require that a controller designates a DPO who has the duty to oversee the processing activities conducted by the controller and to act as a point of contact for the data subjects.[19] However, the obligation to inform data subjects about the DPO's contact details is also applicable if the controller appointed a DPO without being required to do so.[20]
The contact details of the DPO should include information allowing data subjects to reach the DPO in an easy way.[21] This may include a postal address, a dedicated telephone number, and/or a dedicated e-mail address.[22] It is not necessary to include the DPO's name in the information provided to data subjects.[23]
The tasks of a DPO listed in Article 39 GDPR do not indicate that the DPO would usually respond to questions or to the exercise of rights by data subjects. However, the DPO does serve as a contact point for the authorities and may be informed about potential non-compliance of the controller by the wider public. The provision of the contact details should allow these tasks to be performed.
(c) Purposes, personal data and legal basis
According to Article 13(1)(c), controllers must specify the purposes for which the collected personal data are intended as well as the corresponding legal basis.
Purposes
Article 5(1)(b) GDPR requires that personal data is collected for specified, explicit and legitimate purposes.[24] The controller must disclose them to the data subject, to ensure that the data subject can assess why their data is processed and whether they consider the purpose of the processing lawful. The information about the purpose has to be detailed enough to enable such an assessment.[25] The EDPB provided useful examples of insufficient and sufficient declarations of the purpose:
Poor Practice Examples
The following phrases are not sufficiently clear as to the purposes of processing:
- “We may use your personal data to develop new services” (as it is unclear what the “services” are or how the data will help develop them);
- “We may use your personal data for research purposes” (as it is unclear what kind of “research” this refers to); and
- “We may use your personal data to offer personalised services” (as it is unclear what the “personalisation” entails).
Good Practice Examples
- “We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in” (it is clear what types of data will be processed, that the data subject will be subject to targeted advertisements for products and that their data will be used to enable this);
- “We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive” (it is clear what type of data will be processed and the type of analysis which the controller is going to undertake); and
- “We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read” (it is clear what the personalisation entails and how the interests attributed to the data subject have been identified).
Legal basis
Any processing activity must rest on a legal basis found in Article 6(1) GDPR. The controller is under the obligation to inform data subjects about the particular legal basis invoked to process their personal data. Where special categories of personal data are processed, the controller has to additionally name the relevant exemption in Article 9(2) GDPR allowing for that processing. Where personal data relating to criminal matters are processed under Article 10 GDPR (e.g. a copy of the criminal record of a job applicant), the controller should also indicate, in addition to the legal basis applicable under Article 6(1) GDPR, which EU or Member State law allows such processing to be carried out.[26]
It should be noted that specific legal bases require additional information to be provided (e.g. in the case of Article 6(1)(f) GDPR, the legitimate interest pursued). Further, it might be necessary to explain to data subjects how the requirements of the invoked legal basis are met. For example, if the processing of personal data is necessary to comply with a legal obligation (Article 6(1)(c) GDPR), the controller should name that legal obligation.[27]
Personal data
Unlike Article 14(1)(d) GDPR, Article 13 GDPR does not provide for an obligation to inform about the categories of personal data, since, where the personal data are collected from the data subject directly, it is assumed that the data subject is aware of the specific information collected by the controller.[28] However, in order to increase transparency, it is recommended to describe the categories of processed personal data even when data are collected from the data subject and the information is provided in accordance with Article 13 GDPR. Controllers processing larger amounts of personal data regularly disclose a first layer of information that names certain groups of personal data (such as contact details, information about your orders, payment information). In a second layer, the information is then specified down to the individual data points (such as name, email address or credit card number).
Grouping and linking of purposes, personal data and legal basis
Where a controller processes the personal data of data subjects for multiple purposes and on the basis of several legal bases, it is important to clarify in a transparent manner which personal data are processed for which purpose on which legal basis. Simply listing all categories of personal data, all purposes and all legal bases without disclosing the relationship between them is insufficient.[29] A mere list of types of personal data, various legal bases under Article 6(1) GDPR and another long list of purposes would provide almost no actual information to the data subject. In particular, a data subject would not be able to assess whether they can withdraw consent under Article 7(3) GDPR, object under Article 21 GDPR, or whether the processing is in fact compliant with the principles of Article 5(1) GDPR.
For example: A pharmacy collects health data and address data of clients. It uses the address data for marketing (sending newsletters each month and postal mail for Christmas) and the health data only insofar as necessary to sell products, charge the health insurance companies, and comply with the legal obligation to keep records. A privacy policy that does not link the different types of personal data with the legal basis and the purpose (e.g. data: email / legal basis: consent / purpose: marketing) would suggest that the pharmacy could use health data for marketing purposes under a (non-existent) legal obligation under Article 6(1)(c) GDPR. Such information is not transparent and does not facilitate the exercise of rights.
Therefore, compliance with Article 13 GDPR demands that the information to data subjects makes the relationship between the different parts of the information transparent. The obligation to provide such a link can also be inferred from the GDPR's transparency obligations in Article 5(1)(a) GDPR and the requirement to provide the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 12(1) GDPR).
In practice, to reconcile the obligation to provide both complete and concise information to the data subjects[30], many controllers provide this information in the form of a table with different rows and columns clearly distinguishing between the different purposes of the processing and their corresponding legal basis. This table may be added within the privacy notice of the controller, or as an annex to it.
For example: A streaming provider includes a table in its privacy policy, where each row holds the information about the purpose, the legal basis and the relevant type of personal data. This way any data subject can identify which personal data are used for which purpose and under which legal basis.
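The linking requirement described above (purpose, legal basis and personal data kept together in one row, with the extra elements that specific legal bases demand) lends itself to a simple mechanical check. The following is an added example, not code from the original page or from any regulator: it models a privacy notice as rows of a hypothetical in-house data structure, renders the table recommended in the commentary, and flags rows that break the links discussed in the sections on legal basis, personal data and recipients (a 6(1)(f) row without the legitimate interest required by Article 13(1)(d), a 6(1)(c) row without the legal obligation, special category data without an Article 9(2) exemption, and generic recipient labels such as "partners"). The sample notices, the field names and the placeholder recipient names are all constructed for this example.

```python
"""Constructed example: checking a machine-readable privacy notice against the
linking requirements of Article 13(1)(c)-(e) GDPR. Not part of the original page."""
from dataclasses import dataclass, field
from typing import List

ART6_BASES = {"6(1)(a)", "6(1)(b)", "6(1)(c)", "6(1)(d)", "6(1)(e)", "6(1)(f)"}
# Recipient labels that tell the data subject nothing (see the commentary on (e)).
GENERIC_RECIPIENTS = {"partners", "third parties", "service providers", "affiliates"}


@dataclass
class ProcessingRow:
    """One row of the purpose / legal basis / personal data table (hypothetical model)."""
    purpose: str
    legal_basis: str
    data_categories: List[str]
    special_category: bool = False
    art9_exemption: str = ""        # e.g. "9(2)(h)" where special categories are processed
    legitimate_interest: str = ""   # required with 6(1)(f), Article 13(1)(d)
    legal_obligation: str = ""      # the obligation relied on with 6(1)(c)
    recipients: List[str] = field(default_factory=list)


def check_row(row: ProcessingRow) -> List[str]:
    """Return findings for one row; an empty list means the row is linked correctly."""
    findings = []
    if not row.purpose.strip():
        findings.append("purpose missing")
    if row.legal_basis not in ART6_BASES:
        findings.append(f"legal basis {row.legal_basis!r} is not an Article 6(1) basis")
    if not row.data_categories:
        findings.append("no personal data linked to this purpose")
    if row.legal_basis == "6(1)(f)" and not row.legitimate_interest.strip():
        findings.append("6(1)(f) invoked without naming the legitimate interest (Art. 13(1)(d))")
    if row.legal_basis == "6(1)(c)" and not row.legal_obligation.strip():
        findings.append("6(1)(c) invoked without naming the legal obligation")
    if row.special_category and not row.art9_exemption.strip():
        findings.append("special category data without an Article 9(2) exemption")
    for recipient in row.recipients:
        if recipient.strip().lower() in GENERIC_RECIPIENTS:
            findings.append(f"recipient {recipient!r} is too generic; name the recipient or a specific category")
    label = row.purpose or "<no purpose>"
    return [f"{label}: {msg}" for msg in findings]


def check_notice(rows: List[ProcessingRow]) -> List[str]:
    """Collect findings over the whole notice."""
    findings: List[str] = []
    for row in rows:
        findings.extend(check_row(row))
    return findings


def render_table(rows: List[ProcessingRow]) -> str:
    """Render the purpose / legal basis / personal data / recipients table."""
    header = f"{'Purpose':<26}{'Legal basis':<13}{'Personal data':<38}Recipients"
    lines = [header, "-" * len(header)]
    for row in rows:
        data = ", ".join(row.data_categories)
        recipients = ", ".join(row.recipients) or "-"
        lines.append(f"{row.purpose:<26}{row.legal_basis:<13}{data:<38}{recipients}")
    return "\n".join(lines)


# Constructed sample modelled on the pharmacy example above; recipient names are placeholders.
PHARMACY_NOTICE = [
    ProcessingRow("Monthly newsletter", "6(1)(a)", ["email address"],
                  recipients=["Mailing Provider A (placeholder)"]),
    ProcessingRow("Sale of products", "6(1)(b)", ["name", "address", "prescription data"],
                  special_category=True, art9_exemption="9(2)(h)"),
    ProcessingRow("Billing health insurers", "6(1)(c)", ["name", "prescription data"],
                  special_category=True, art9_exemption="9(2)(h)",
                  legal_obligation="health-insurance billing rules (placeholder)",
                  recipients=["Health insurer of the client"]),
    ProcessingRow("Record keeping", "6(1)(c)", ["name", "prescription data"],
                  special_category=True, art9_exemption="9(2)(h)",
                  legal_obligation="pharmacy record-keeping law (placeholder)"),
]

# A deliberately deficient notice: the unlinked list the commentary warns against.
DEFICIENT_NOTICE = [
    ProcessingRow("Marketing", "6(1)(c)", ["email address", "prescription data"],
                  special_category=True, recipients=["partners"]),
    ProcessingRow("Analytics", "6(1)(f)", ["IP address"]),
]

if __name__ == "__main__":
    print(render_table(PHARMACY_NOTICE))
    for finding in check_notice(DEFICIENT_NOTICE):
        print("finding:", finding)
```

Run as a script, the block prints the linked table for the pharmacy notice (which produces no findings) and four findings for the deficient notice. The checks are deliberately structural: they cannot judge whether a named legitimate interest is in fact legitimate or whether a purpose is specific enough, which remains a legal assessment, but they catch the unlinked lists that the commentary identifies as non-transparent.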
(d) Legitimate interests
When a controller relies on a legitimate interest for the processing of personal data, as provided for under Article 6(1)(f) GDPR, the data subjects must be properly informed about the nature of that specific interest, as required by Article 13(1)(d) GDPR.
"Article 13(1)(d) requires the controller directly to inform the data subjects of the legitimate interest pursued at the time when the data is collected, otherwise that collection cannot be justified on the basis of point (f) of the first subparagraph of Article 6(1) of that regulation."
CJEU - C-394/23 Mousse, margin number 52.
For example: "A controller, on the basis of a legitimate interest, processes the IP address of data subjects to filter DDOS attacks and other security threats. At the same time, the controller also uses this personal data for advertisement purposes. The controller's specific interest behind that processing should be clearly explained in the privacy notice, to ensure that a data subject can understand the legitimate interest relied upon. A data subject may accept that security is a legitimate interest, but may take the view that advertisement is not."
With this information, the data subject can assess whether the interest invoked by the controller is truly legitimate and whether the processing is proportionate, taking into account the objective pursued by the controller and the impact that the processing can have on the data subject's own rights and interests.[31] If the data subject finds that the processing is disproportionate, they may challenge the reliance on Article 6(1)(f) GDPR or at least exercise the right to object under Article 21 GDPR. If the information provided to the data subject is incomplete or unclear, the controller can be fined for breach of Article 13(1)(d) GDPR.[32]
The EDPB seems to consider it also necessary that the controller provides the data subject with information from the balancing test, which the controller must normally carry out under Article 6(1)(f) GDPR before collecting the personal data.[33]
"[T]he controller can also provide the data subject with information from the balancing test in advance of any collection of personal data. To avoid information fatigue, this can be included within a layered privacy statement/notice. In any case, information to the data subjects should make it clear that they can obtain information on the balancing test upon request. This is essential to ensure effective transparency and to allow data subjects to dispel possible doubts as to whether the balancing test has been carried out fairly by the controller or assess whether they might have grounds to file a complaint with a supervisory authority. Such transparency obligation also follows from the accountability principle in Article 5(2) GDPR, which requires the controller to be able to demonstrate compliance with each of the principles set out in Article 5(1) GDPR, including the lawfulness principle."
EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 68; footnotes omitted.
Data subjects might need this information as a precondition to effectively exercise their right under Article 21(1) GDPR. If a data subject does not know whether a specific circumstance was considered by the controller, it is hard to raise a "particular situation" that was not considered, as required under Article 21(1) GDPR. It seems equally hard to challenge the balancing assessment under Article 6(1)(f) GDPR if it is not disclosed. Therefore, it can be argued that the balancing test must also be disclosed.[34]
(e) Recipients or categories of recipients
Article 13(1)(e) GDPR provides that when controllers disclose personal data to internal or external recipients, they should identify such recipients. The term "recipient" is defined in Article 4(9) GDPR as any entity to which personal data is factually disclosed. The legal role of the recipient is irrelevant. It is not necessary for the recipient to be a third party as defined in Article 4(10) GDPR. Therefore, for example processors are also considered recipients.[35] There may be exemptions for certain public authorities receiving personal data under Article 4(9) GDPR.
For example: In a privacy notice addressed to the employees of a company, all recipients of the employees' data should be identified. This means any external party that has factual access to the data, such as processors, external service companies or an external accountant.
The wording of Article 13(1)(e) GDPR refers to "recipients or categories of recipients of the personal data" which leaves it open if (or when) it is sufficient to name the categories of recipients rather than the specific recipients. In light of the principles of fairness and transparency, controllers should provide information on the individual third party recipients, so that the data subjects are aware of the persons with whom their data will be shared externally and exercise their rights also against the recipients directly.[36]
"The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients."
Only if it is not possible to identify all the recipients (for example, because the recipients are not foreseeable or not known to the controller, which may be the case for a public database) must the controller at least identify the categories of recipients of the personal data.[37] In such a case, the WP29 considers that this information should be as specific as possible, including a reference to the activities they carry out, the industry, sector/sub-sector and the location of the recipients.[38] Merely naming generic groups such as "partners" or "third parties" is not sufficient.
For example: A controller runs a public database into which the data subject entered their information. The controller uses two processors that are known to it, but some of the data can also be retrieved by any user of the service. The privacy policy should name the individual known processors (e.g. "Web Service Provider A, Example Road 1, Member State X") but also refer to the unknown recipients as a category of recipients (e.g. "any user of the service").
To ensure that the information is complete, concise and intelligible, controllers can establish a table of recipients in which the different recipients of the personal data are named or, if categories of recipients are mentioned instead, their qualification is indicated as clearly and narrowly as possible. In line with the requirements under Article 12 GDPR, the controller must also indicate which personal data are available to which recipient, if only certain data are shared.
For example: An online shop may inform that all data are stored with a specific hosting provider, consumer requests are stored with a provider of a CRM system and only the address information is shared with a postal service.
(f) International transfers
Article 13(1)(f) GDPR covers information on transfers of personal data to international organisations or third countries, i.e. any country located outside of the European Economic Area (EEA).[39] In case of data transfers to third countries (which are regulated in Articles 44 to 50 GDPR), controllers should inform data subjects about the existence of such transfers, name all the relevant countries, and specify the safeguards relied upon.
For example: A controller transfers personal data to a business partner located in Japan. It must list Japan as one of the transfer locations and mention whether such transfer is based on the Commission's adequacy decision between the EU and Japan,[40] on standard contractual clauses signed with the data importer or on another legal basis.[41]
Besides mentioning the third countries or international organisations where data importers are located, the controller must also inform the data subject about the means by which to obtain a copy of the applicable safeguards. For example, if the applicable safeguard is an adequacy decision adopted by the Commission pursuant to Article 45 GDPR, the controller could add a hyperlink[42] redirecting the data subject to the relevant decision as published on EUR-Lex (the official website of EU legislation). Or, if the applicable safeguard is a transfer agreement signed by the controller and the data importer containing the standard contractual clauses referred to in Article 46(2)(c) GDPR, the controller could equally provide a link to the document or state that the data subjects may obtain a copy of the agreement upon request, for example by sending an email to the controller.[43]
It is worth noting at this stage that data importers are necessarily recipients of personal data in the sense of Article 4(9) GDPR. Hence, all data importers to which personal data are transferred should have already been identified by the controller pursuant to Article 13(1)(e) GDPR, as discussed above.
(2) Obligation to provide further information
The second paragraph of Article 13 GDPR provides for an additional set of information that must be provided to the data subjects at the time of the collection of their personal data.
The distinction between the set of mandatory information listed in the first paragraph and that in the second paragraph of Article 13 GDPR is explained by the drafting process, in which the Council suggested that the information under paragraph 2 should only be provided in certain situations,[44] while the European Parliament insisted that the information under paragraphs 1 and 2 must always be provided. This was achieved by turning a condition ("such further information that is necessary to ensure fair and transparent processing") into an explanation ("to ensure fair and transparent processing"). The fact that the list is split into two paragraphs is hence purely the result of the political process and does not have any practical consequences for controllers or for data subjects.[45] The obligations in both paragraphs are equally binding on the controller.
(a) Retention period
Article 13(2)(a) GDPR stipulates that the controller must inform the data subjects about the period for which their personal data will be stored (i.e. the 'retention period' or 'storage period'). If it is not possible for the controller to disclose a specific date or amount of time (for example, because the retention period depends on factors that are not yet determined), the criteria used to determine that period should at least be given.
For example: A controller selling goods online could indicate that the personal data of the data subjects will be stored "for 7 years after their purchase under our legal obligation to keep tax records", or that customer service interactions will be kept "for a period of 3 months from the last message we received from you".
By making it mandatory for the controller to publish clear retention periods, Article 13(2)(a) GDPR requires the controller to publicly declare its compliance with the principle of storage limitation enshrined in Article 5(1)(e) GDPR, which requires the deletion or anonymisation of personal data once they are no longer necessary to achieve the purpose.
For example: A controller states that the retention period of the personal data is 5 years, "after which the data will be archived". This would breach the data minimisation principle. Rather, the archiving period should be included within the retention period.
With the provided information, data subjects should be able to assess the duration for which their personal data will be processed by the controller.[46]
As different categories of personal data may be needed for shorter or longer periods of time, depending on the purpose of the processing, controllers should distinguish between those categories and stipulate the applicable retention period for each of them. Furthermore, the retention periods, or the criteria used to calculate them, should be specific enough for the data subjects to be able to at least form an idea of how long their personal data will be kept before being deleted or anonymised.
For example: It would not be sufficient for the data controller to state generically that personal data will be kept as long as necessary for the legitimate purposes of the company. Similarly, if a controller states that the data will be stored to comply with a legal obligation, it should specify which legal obligation it refers to.[47]
In principle, the information about the period for which the personal data will be stored also includes some information about the time at which the data are collected. However, in the case of Article 13, where the data are collected from the data subject, it can often be assumed that the data subject is aware of when the processing began.[48]
(b) Information about data subject's rights
Many data subjects are not aware of their rights. The controller is therefore required to inform the data subjects about (most of) their rights under data protection law, namely their rights to access, rectification, erasure, restriction of processing and data portability, and their right to object. It is not enough to merely inform a data subject about the existence of those rights; the controller should also include "a summary of what each right involves and how the data subject can take steps to exercise it and any limitations on the right".[49] Controllers can enumerate these rights in the privacy notice and then refer the data subjects to an annex or another page where those rights and the manner in which they can be exercised are explained in more detail. In addition, the GDPR requires controllers to explicitly bring the right to object to the data subject's attention at the latest at the time of the first communication with the data subject, in a clear manner and separately from any other information.[50] This can be done, for example, the first time an email is sent to the data subject in the context of direct marketing.
Regarding the right to object and the right to data portability, the controller should assess whether the conditions of those rights apply to the specific processing activity. If not, it may omit this information in order to avoid giving the impression that the data subjects have rights that do not exist for the specific processing activity.[51]
(c) Information about the right to withdraw consent
According to Article 13(2)(c), the controller must inform the data subject about the existence of the right to withdraw consent at any time, where the legal basis for the processing of the personal data is the consent of the data subject.[52] The same requirement can be found in Article 7(3) GDPR. In addition, Article 7(3) GDPR requires that this information be given "prior to consent".
For example: A data subject subscribes to a newsletter and is asked for consent to receive emails. The consent request should indicate that the consent can be withdrawn at any time.
The information about the possibility to withdraw consent should also state that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.[53]
If the legal basis of the specific processing activity is not consent, the controller should not provide information about the possibility to withdraw consent, in order to avoid making the data subject assume they have this right when they actually do not.[54]
(d) The right to lodge a complaint
Article 13(2)(d) GDPR provides that the data subject should be informed about the existence of the right to lodge a complaint with a supervisory authority under Article 77 GDPR. The complaint may be filed, inter alia, with the supervisory authority in the Member State of the data subject's habitual residence, place of work or of an alleged infringement of the GDPR.[55] In order to facilitate the exercise of data subjects' rights, the controller might provide the contact details of a supervisory authority. While suggesting that the controller's lead supervisory authority is (solely) competent is a common false statement, in cases where the controller is active in various Member States it can be sufficient and helpful to provide the lead supervisory authority's contact details.[56]
(e) Contractual or statutory requirement
Article 13(2)(e) GDPR requires that the controller inform the data subject whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data. The aim of the provision is to make it clear to data subjects (1) which elements are purely optional and need not be provided, (2) which need not be provided but whose omission may lead to a negative consequence for the data subject, and (3) which information is strictly required.[57]
For example: An online shop may require the name and postal address of a customer because they are necessary for the delivery of the order. To clearly identify which fields are "required" and which are not, the online shop adds the common asterisk symbol (*) to the required fields.
In case there is a statutory or contractual requirement for the data subject to provide the data, the controller should disclose the specific provision requiring the provision of personal data.[58]
The controller must also inform the data subject about any possible consequences of not providing information, should any exist. In many cases the consequences may be trivial; in other cases there is no legal duty to provide the information, yet the lack of it may lead to a negative consequence for the data subject.[59]
For example: For certain job positions or professional qualifications, a controller may be required by law to verify that the applicant does not have any criminal record. There is no legal duty to provide such information, but failure to provide it may bar the data subject from obtaining that position or qualification.
For example: A bank requires certain documentation to grant a loan. Providing certain information (e.g. an ID) is legally required based on various banking regulations. Other information is optional, but would likely lead to a much better credit rate for the customer (e.g. records about securities, income and the like). Finally, some information is merely used to "improve customer service", such as filling out a customer service questionnaire of the bank, and is purely optional. The three categories must be clearly communicated to the data subject, to ensure that they can make the right choices.
Independent of Article 13(2)(e) GDPR, controllers who oblige a data subject to provide personal data when the latter are not required by law or necessary for the performance of a contract may be in breach of Article 5(1)(c) GDPR. Furthermore, controllers that suggest that optional data are necessary may violate the principle of lawfulness, fairness and transparency (Article 5(1)(a) GDPR) and may obtain uninformed (and therefore invalid) consent.
(f) Automated Decision-Making
Article 13(2)(f) GDPR requires the controller to inform data subjects about the existence of automated decision-making (including profiling), as referred to in Article 22(1) and (4) GDPR. At least in those cases, the controller has to further provide meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Automated decision-making ... referred to in Article 22(1) and (4)
For further details on the definition of automated decision-making see Commentary on Article 22 GDPR. For the definition of profiling, see Article 4(4) GDPR. In short, automated decision-making requires three constitutive elements: (1) a decision; (2) taken solely by automated means (i.e. without any human being involved in the decision-making process); (3) which produces legal effects or similarly significant effects on the data subject.
As made clear by Article 13(2)(f) GDPR, in the event a controller makes use of automated decision-making, the data subjects must be informed about its existence. More particularly, the controller is under the duty to provide the data subject with "meaningful information about the logic involved" and on the "significance and the envisaged consequences" of such forms of processing.
Meaningful information about the logic involved
According to the WP29, "meaningful" means that the controller should inform the data subject in simple ways about the rationale behind the automated decision-making, including profiling, but not necessarily give a “complex explanation of the algorithms used or disclosure of the full algorithm”. Furthermore, “[t]he controller should provide the data subject with general information (notably, on factors taken into account for the decision-making process, and on their respective ‘weight’ on an aggregate level)”.[60] The rationale behind this reinforced right to information lies in the complexity of algorithms and machine learning, which sometimes operate in obscure ways and may not be perceivable or understandable for data subjects. Given that the purpose of the provision is to ensure that the data subject obtains "meaningful information" about the automated decision-making, simply disclosing the code behind the automated decision-making or providing a complex explanation of the algorithms would in principle not be suitable or sufficient. Rather, the controller should highlight the criteria on the basis of which the decision is made, so that the data subject can understand the main reasons behind the decision. In line with Article 12(1) GDPR, such information should be concise yet complete, intelligible, and given in clear and plain language.[61]
Similarly, the CJEU, in connection with Article 15(1)(h) GDPR, held that "the mere communication of a complex mathematical formula, such as an algorithm, or [...] the detailed description of all the steps in automated decision-making" would not constitute a sufficiently concise and intelligible explanation and would therefore violate Article 12(1) GDPR.[62]
"‘[M]eaningful information about the logic involved’ in automated decision-making […] covers all relevant information concerning the procedure and principles relating to the use of personal data with a view to obtaining, by automated means, a specific result, the obligation of transparency also requiring that information be provided in a concise, transparent, intelligible and easily accessible form."
CJEU - C-203/22 - Dun & Bradstreet Austria, margin number 50 regarding Article 15(1)(h) GDPR.
The CJEU also held (regarding Article 15(1)(h) GDPR) that the purpose of the right is to enable the data subject to exercise the rights listed in Article 22(3) GDPR, namely the right to express their point of view on that decision and to contest it.[63] The same can be assumed for the corresponding information obligation of the controller.
Significance and envisaged consequences
The controller is also required to inform the data subject about the "significance and envisaged consequences" of the processing. These two terms, which are likely synonymous, pertain to the decision that is made or prepared based on the data processing. The controller must describe what will be decided upon based on the data processing, what decision-making options are available, and how the processing results may impact or potentially lead to certain decisions.[64]
For example: An online shop implements a fraud detection feature which automatically disables the "buy now, pay later" option for orders where the billing address differs from the shipping address. The shop provider considers this to constitute lawful automated decision-making under Article 22 GDPR and wants to inform data subjects accordingly. Regarding the significance and envisaged consequences of such processing for the data subject, it discloses that only the specific order is affected and not future orders by the same customer. Also, customers might have to pay prior to receiving the goods if they want to use diverging addresses.
At least in the cases of Article 22(1) and (4)
The use of the wording "[a]t least in those cases" seems to be the result of political negotiations and causes some confusion. Read literally, it means that the information under Article 13(2)(f) GDPR (logic involved, significance and envisaged consequences) "may" also be provided if the automated decision-making or profiling does not meet the requirements set forth in Article 22(1) GDPR. Obviously, a controller "may" always provide more information, so reading the provision as a free choice by the controller would make this element of the law redundant.
"If the automated decision-making and profiling does not meet the Article 22(1) definition it is nevertheless good practice to provide the above information."
WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 3 October 2017, p. 25 (available at https://ec.europa.eu/newsroom/article29/items/612053).
However, as the WP29 points out, the “general principle that data subjects should not be taken by surprise by the processing of their personal data, [and that this] equally appl[ies] to profiling generally (not just profiling which is captured by Article 22)”.[65] Thus, in application of the general GDPR principles set out above, automated decision-making, including profiling, should be disclosed and explained to ensure fair and transparent processing even if it does not fall under Article 22(1) or (4) GDPR.[66]
(3) Information about the change of purposes
Further processing
It should be recalled that Article 5(1)(b) GDPR establishes the principle of purpose limitation according to which personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Usually, the processing of personal data for purposes other than those for which the personal data were initially collected (further processing) is only allowed where the new processing operation is compatible with the purposes for which the personal data were initially collected.[67] See Article 6(4) GDPR for further details on the general lawfulness of further processing.
Article 13(3) GDPR requires the controller to inform data subjects in case it decides to process personal data for a novel purpose, irrespective of whether the new purpose is a "compatible" purpose or not, since "compatible" purposes are new purposes as well.[68]
Prior to that further processing
More specifically, under this provision a controller who intends to process personal data for a different purpose must inform the data subject about the new purpose prior to that further processing.
For example: A retailer processes its customers' personal data for the purpose of fulfilling its contracts with them. However, during the business relationship, the controller decides to transfer the amounts owed by a customer to a bank in order to receive earlier payment. The controller has to inform the customer about the processing of their personal data for this new purpose before the processing activity is started.
The provision does not specify the necessary interval between the information about the further processing and the start of the further processing. However, the period should give the data subject sufficient time to evaluate the lawfulness of the further processing and to exercise their data subject rights. Therefore, the more intrusive the new processing purpose is, the earlier such information should be provided.[69]
Covered information
Article 13(3) GDPR requires the controller to provide the data subject with information on the envisaged other purpose and with any relevant further information as referred to in Article 13(2) GDPR. In other words, the purpose, as well as all the information mentioned in Article 13(2) GDPR, must be provided to the data subject unless parts of the information do not exist or are not applicable in the specific case.[70]
"[I]n order to be transparent, fair and accountable, controllers should consider making information available to data subjects in their privacy statement/notice on the compatibility analysis carried out under Article 6.4 where a legal basis other than consent or national/ EU law is relied on for the new processing purpose. (In other words, an explanation as to how the processing for the other purpose(s) is compatible with the original purpose). This is to allow data subjects the opportunity to consider the compatibility of the further processing and the safeguards provided and to decide whether to exercise their rights e.g. the right to restriction of processing or the right to object to processing, amongst others. Where controllers choose not to include such information in a privacy notice/statement, WP29 recommends that they make it clear to data subjects that they can obtain the information on request."
(4) Exemptions
The data subject already has the information
Article 13(4) GDPR covers situations where the data subject has already been provided with the information, either because the controller has already provided it in the past, or because a third party did so on its behalf (for example, a processor). In that scenario, of course, the controller is exempted from the obligation to provide the same information a second time. However, the principle of accountability requires data controllers to demonstrate and document what information the data subject already has, how and when they received it, and to ensure that it is not outdated. Furthermore, even if the data subject has previously been provided with only parts of the information covered by Article 13 GDPR, the data controller still has an obligation to supplement the missing information to ensure that the data subject has the complete set of information listed in Article 13 GDPR.[71]
In order for this exemption to apply, the information the data subject already has must comply with the formal requirements of Article 12 GDPR, i.e. the information must have been provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Otherwise the formal requirements could be circumvented by means of this exemption.[72]
Exemptions by Union or Member State law
In certain cases, Article 23 GDPR may be used by the Union or by Member States to exempt controllers in certain situations or sectors from duties under Article 13 GDPR (such as undercover journalism). See Commentary on Article 23 GDPR for more information on exemptions by Union or Member State law.
Additional information duties
It is important to note that other Articles of the GDPR also include information duties, such as the duty in Article 7(3) to inform about the right to withdraw consent, the duty in Article 21(4) to inform about the right to object, or the duty in the last subparagraph of Article 49(1) GDPR to inform about the reliance on "compelling legitimate interests" to transfer personal data to a third country.
Decisions
→ You can find all related decisions in Category:Article 13 GDPR
References
- ↑ Compare WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 4 (available here).
- ↑ Compare WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 7 et seqq. (available here).
- ↑ The division of the information requirements in two separate paragraphs does not limit or reduce the effect of the obligation in any of the two paragraphs, see Commentary on Article 13(2) GDPR for more details.
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 13 GDPR, margin number 5 (C.H. Beck 2025, 2nd Edition).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 26 (available here).
- ↑ See Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin numbers 13 et seqq. (C.H. Beck 2024, 4th Edition) with further references.
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin number 12 (C.H. Beck 2024, 4th Edition).
- ↑ Mester, in Taeger, Gabel, DSGVO - BDSG - TTSG, Article 13 GDPR, margin number 34 with further references (C.H. Beck 2022, 4th Edition).
- ↑ Knyrim, in Ehmann, Selmayr, DS-GVO, Article 13 GDPR, margin number 11 (C.H. Beck 2024, 3rd Edition).
- ↑ See commentary on Article 14 (3) GDPR.
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 33 (available here).
- ↑ See also, Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 13, p. 427 (Oxford University Press 2020).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 17 (available here).
- ↑ Knyrim, in Ehmann, Selmayr, DS-GVO, Article 13 GDPR, margin number 43 (C.H. Beck 2024, 3rd Edition).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin number 22 (C.H. Beck 2024, 4th Edition); in practice, Article 5(1)(c) of the eCommerce Directive 2000/31/EC requires an email address for any 'service provider' as defined there, which lowers the threshold for providing this information in the privacy notice as well.
- ↑ See also commentary on Article 12(2) GDPR.
- ↑ Compare WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available here).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin number 22 (C.H. Beck 2024, 4th Edition).
- ↑ See Commentary on Article 37 GDPR to Article 39 GDPR.
- ↑ Franck, in Gola, Heckmann, DSGVO BDSG, Article 13 GDPR, margin number 11 (C.H. Beck 2022, 3rd Edition).
- ↑ For more information on the provision of contact details see already Article 13(1)(a) GDPR.
- ↑ WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP243 rev.01, 5 April 2017, p. 13 (available here).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition).
- ↑ See the commentary on Article 5(1)(b) GDPR for more details.
- ↑ Mester, in Taeger, Gabel, DSGVO - BDSG - TTSG, Article 13 GDPR, margin number 10 (C.H. Beck 2022, 4th Edition); WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 12 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 35-36 (available here).
- ↑ Illibauer, in Knyrim, DatKomm, Article 13 GDPR, margin number 28 (Manz 2024).
- ↑ Franck, in Gola, Heckmann, DSGVO BDSG, Article 13 GDPR, margin number 4 (C.H. Beck 2022, 3rd Edition).
- ↑ Franck, in Gola, Heckmann, DSGVO BDSG, Article 13 GDPR, margin number 6 (C.H. Beck 2022, 3rd Edition).
- ↑ Article 12(1) GDPR provides in particular that the information should be "concise, transparent, intelligible and easily accessible".
- ↑ Knyrim, in Ehmann, Selmayr, DS-GVO, Article 13 GDPR, margin number 49 (C.H. Beck 2024, 3rd Edition).
- ↑ EDPB, ‘Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR’, 28 July 2021, pp. 16-17 (available here).
- ↑ EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 68 (available here); see also WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 36 (available here).
- ↑ See for example Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 46 (available here); Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin number 28 (C.H. Beck 2024, 4th Edition).
- ↑ Compare Eßer, in Eßer, Kramer, Lewinski, DSGVO, Article 13 GDPR, margin number 30 (C.H. Beck 2024, 8th Edition); see also CJEU, Case C-154/21, Österreichische Post AG, 12 January 2023, margin number 44 et seqq. (available here).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin number 30 (C.H. Beck 2024, 4th Edition).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 37 (available here).
- ↑ The European Economic Area (EEA) comprises the 27 Member States of the EU, plus Iceland, Liechtenstein and Norway. See Agreement on the European Economic Area, 3 January 1994, p. 3 (available here).
- ↑ Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information (available here).
- ↑ Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, pp. 37-38 (available here).
- ↑ Hence, this shows the importance to provide the contact details of the controller and the DPO (where applicable), as provided for in Article 13(1)(a) and Article 13(1)(b) GDPR.
- ↑ See General Approach by the Council at https://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf.
- ↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 13 GDPR, p. 428 (Oxford University Press 2020); WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 23 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 38 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 38 (available here).
- ↑ Illibauer, in Knyrim, DatKomm, Article 13 GDPR, margin numbers 24 (Manz 2024).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 39 (available here).
- ↑ Article 21(4) GDPR and Recital 70 GDPR, which applies in the case of direct marketing.
- ↑ Illibauer, in Knyrim, DatKomm, Article 13 GDPR, margin numbers 48 (Manz 2024).
- ↑ For information on consent see Commentary on Articles 4(11), 6(1)(a) and 7(3) GDPR.
- ↑ Paal, Hennemann, in Paal, Pauly, DS-GVO, Article 13, margin number 28 (C.H. Beck 2021, 3rd Edition).
- ↑ Kühling, Buchner, in Kühling, Buchner, DS-GVO BDSG, Article 7 GDPR, margin number 17 (C.H. Beck 2024, 4th Edition).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 39 (available here). For more information regarding this right, please refer to the Commentary on Article 77 GDPR.
- ↑ Franck, in Gola, Heckmann, DSGVO BDSG, Article 13 GDPR, margin number 27 (C.H. Beck 2022, 3rd Edition).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin numbers 41 et seqq. (C.H. Beck 2024, 4th Edition).
- ↑ Franck, in Gola, Heckmann, DSGVO BDSG, Article 13 GDPR, margin number 28 (C.H. Beck 2022, 3rd Edition).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin numbers 46 (C.H. Beck 2024, 4th Edition).
- ↑ WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 3 October 2017, p. 25 and 27 (available here).
- ↑ The extend to the obligation to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing is subject to a lot of debate. See, among others, Malgieri and Comandé, ‘Why a Right to Legibility of Automated Decision-Making Exists in the General Data Protection Regulation’, International Data Privacy Law 7, no. 4 (1 November 2017), p. 243–65 (available here); Goodman and Flaxman, ‘EU Regulations on Algorithmic Decision-Making and a “right to Explanation” (available here); Edwards and Veale, ‘Slave to the Algorithm? Why a 'Right to an Explanation' Is Probably Not the Remedy You Are Looking For’, Duke Law & Technology Review (available here); Wachter, Mittelstadt, Floridi; ‘Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation’, in International Data Privacy Law, Volume 7, Issue 2, pp. 76–99 (available here); Selbst and Powles, Meaningful information and the right to explanation, International Data Privacy Law, Volume 7, Issue 4, 1 November 2017, Pages 233–242 (available here).
- ↑ CJEU, Case C-203/22, Dun & Bradstreet, 27 February 2025, margin number 48 and 59 (available here).
- ↑ CJEU, Case C-203/22, Dun & Bradstreet, 27 February 2025, margin number 55 (available here).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin number 55 (C.H. Beck 2024, 4th Edition).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, p. 22 (available here).
- ↑ Compare Mester, in Taeger, Gabel, DSGVO - BDSG - TTSG, Article 13 GDPR, margin number 28 (C.H. Beck 2022, 4th Edition); Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin numbers 53 (C.H. Beck 2024, 4th Edition).
- ↑ Recital 50 GDPR.
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 13 GDPR, margin number 22 (C.H. Beck 2015, 2nd Edition).
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 13 GDPR, margin numbers 22 (NOMOS 2025, 2nd Edition); see also WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 48 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 46 (available here).
- ↑ WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018, margin number 56 (available here).
- ↑ Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 13 GDPR, margin numbers 28 (C.H. Beck 2024, 4th Edition).