Article 13 of the General Data Protection Regulation (GDPR) sets out the duty to provide information when personal data are collected from the data subject. It holds an important position in the GDPR, as it is the provision that governs the data protection declaration. It states:
Legal text (bold added)
(1) When personal data are collected from the data subject, the controller shall inform the data subject at the time of collection of these data as follows:
a) the name and contact details of the controller, and if applicable, those of his representative;
b) if applicable, the contact details of the data protection officer;
c) the purposes, for which the personal data are to be processed, as well as the legal basis for the processing;
d) if the processing is based on Article 6(1)(f), the legitimate interests which are pursued by the controller or a third party;
e) where applicable, the recipients or categories of recipients of the personal data and
f) if applicable, the controller's intention to transfer personal data to a third country or an international organisation, as well as the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46, Article 47, or Article 49(1)(2), a reference to the appropriate or suitable safeguards and the possibility of obtaining a copy of them or where they are available. [Meaning transfers to insecure third countries, such as the USA]
(2) In addition to the information pursuant to paragraph 1, the controller shall, at the time of the collection of such data, provide the data subject with the following further information which is necessary to ensure fair and transparent processing:
a) the duration, for which the personal data are stored or, if this is not possible, the criteria for setting this duration;
b) the existence of a right to obtain access from the controller to the relevant personal data, as well as the right to correction or erasure or restriction of processing or a right to object to processing, as well as the right to data portability;
c) if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal;
d) the existence of a right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is legally or contractually required for the conclusion of a contract, whether the data subject is obliged to provide the personal data, and what possible consequences would result from the non-provision;
f) the existence of automated decision-making, including profiling, in accordance with Article 22 paragraphs 1 and 4, and – at least in these cases – meaningful information about the involved logic, as well as the scope and intended effects of such processing for the data subject.
(3) If the controller intends to process the personal data for another purpose than the one for which the personal data was collected, he shall, prior to that further processing, provide the data subject with information about that other purpose and all other relevant information pursuant to paragraph 2.
(4) Subsections 1, 2, and 3 do not apply if and to the extent that the data subject already possesses the information.
Comments
Under Article 5(1)(b) GDPR, the purposes to be disclosed under point (c) above must be specified, explicit and legitimate. Article 5(1)(a) GDPR additionally requires that processing be lawful and carried out in good faith. Taken together with the ECJ ruling on Planet49, it follows that the purposes must be stated (at least) for technically unnecessary cookies. Cookies always process personal data, as my investigation found.
Art. 13(1)(e) GDPR does not give a real choice between naming the recipients of data and naming only the categories of recipients. Rather, the recipients must be specified as precisely as possible. A controller can probably name categories of recipients if this seems sensible for informing a data subject (e.g., for a better overview). In particular, this may suffice in general, blanket data protection notices. However, if a data subject explicitly asks about the exact recipients, these should presumably be named quite specifically (cf. the fine against WhatsApp, e.g., marginal no. 426f), since a controller must know the recipients. See also the further comments on Art. 15 GDPR and the references given there.
"The principles of fair and transparent processing require that the data subject be informed about the existence of the processing operation and its purposes. The controller should provide the data subject with all further information necessary, taking into account the specific circumstances and context in which the personal data is processed, to ensure fair and transparent processing."
A template for standard texts can be taken from my Data Protection Declaration. The texts must be adapted to individual needs. The person responsible for the website on which the sample texts are used is themselves liable.
Also interesting
- General Data Protection Regulation (GDPR) in general
- Article 5 GDPR: Principles for data processing
- Article 6 GDPR: Legal bases for processing
- Article 7 GDPR: Conditions for Consent
- Art. 12 GDPR: Transparent Information
- Article 15 GDPR: Right to Information
- Article 26 GDPR: Joint Responsibility
Key takeaways of this article
If your data is collected, you must be informed who has your data, why it is needed, and to whom it could be passed on.
When companies store data from individuals, they must inform those individuals about how the data will be used, how long it will be stored, and what rights the individuals have (e.g., to view, correct, or delete the data).
If you process data, you must inform those affected about who exactly receives this data.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
