GDPR : Article 13 - Information to be provided where personal data are collected from the data subject

by Avinash V


The General Data Protection Regulation (GDPR) stands as a cornerstone of modern privacy legislation, wielding a profound impact on organizations that engage in the collection, processing, or storage of personal data belonging to European Union (EU) citizens.

Central to the GDPR framework is the principle of transparency, which places an onus on data controllers to communicate with data subjects about the intricacies of their personal data processing. This article 13 of GDPR embarks on an in-depth exploration of the pivotal components that must be conveyed to data subjects when soliciting their personal data, as mandated by GDPR.

GDPR : Article 13 -  Information to be provided where personal data are collected from the data subject

Comprehensive Identification of Data Controller and Contact Details

The foundational requirement imposed by GDPR is that data controllers provide an all-encompassing identification of themselves, as well as a comprehensive suite of contact details to facilitate meaningful communication with data subjects. This entails disclosing the legal name of the organization, any pertinent legal representatives, and an array of accessible contact information, which can encompass physical addresses, telephone numbers, and email addresses.

Articulation of Purpose Behind Data Processing

An imperative facet of GDPR compliance is the articulation of the precise objectives driving the collection of personal data. The communication of these purposes should be both lucid and succinct, shunning any inclination toward ambiguity. For instance, in cases where personal data is harvested for marketing endeavors, data subjects ought to be unambiguously apprised of this intended purpose.

Evidencing the Legal Rationale Underpinning Data Processing

The legal rationale substantiating data processing activities necessitates explicit elucidation. Data controllers are duty-bound to expound upon the legal basis that justifies the processing of personal data. Such bases might encompass consent acquisition, contractual obligation fulfillment, adherence to legal mandates, preservation of vital interests, execution of tasks pursued in the public interest or in the capacity of official authority, and the pursuit of legitimate interests championed by the data controller or a third party.

Elaboration of Personal Data Recipients

Transparency is manifest through the revelation of personal data recipients. Data subjects are entitled to a disclosure of the individuals or entities, such as third-party processors or service providers, that will be entrusted with processing their data on behalf of the data controller. This disclosure bolsters clarity and facilitates data subjects' comprehension of the information flow.

Pronouncement of Data Retention Period

Transparency is fortified through the explicit enunciation of the temporal expanse for which personal data shall be retained. Herein, data controllers should stipulate the criteria instrumental in shaping this retention period and any associated factors that might wield an influence upon the temporal duration of data retention.

GDPR Implementation Toolkit

 Exposition of Data Subject Rights

GDPR confers an array of rights upon data subjects, encompassing but not limited to the right to access, rectify, erase, restrict processing, data portability, and object to processing. Data controllers must undertake to enlighten data subjects about these rights and, concurrently, illuminate the pathways through which these rights can be exercised. This could take the form of a dedicated section outlining each right, along with the provision of contact particulars to facilitate the lodgment of related requests.

Acknowledging Automated Decision-Making

Should the ambit of data processing encompass automated decision-making, inclusive of profiling, data subjects merit cognizance of this facet. Furthermore, they ought to be privy to a substantive exposé delineating the cognitive frameworks entailed, the weightiness, and the plausible aftermath of such processing endeavors.

Facilitating the Right to Lodge Complaints

Data subjects retain the prerogative to lodge grievances with supervisory authorities in circumstances where they posit that their data protection rights have been transgressed. To this end, data controllers assume the mantle of furnishing insights concerning the pertinent supervisory authority and the step-by-step blueprint governing the lodgment of complaints.

Illuminating Data Transfers to Third Countries

In scenarios where the cross-border transmission of personal data is contemplated, encompassing nations beyond the European Union (EU) precincts or the European Economic Area (EEA), data subjects warrant illumination regarding this development. Concomitantly, data controllers are beholden to communicate the safeguards in place that endeavor to shield the sanctity of data during its sojourn across these geographical boundaries.


Organizations create an atmosphere where data subjects are empowered to make wise decisions about their personal data by providing clear and comprehensive information. The principles of trust and goodwill bloom in this mutually beneficial paradigm, ensuring not only the compliance of enterprises but also the creation of a real stronghold of privacy respect in the contemporary data-driven era.

GDPR Implementation Toolkit