In one sentence. GDPR Article 13 governs what the controller must tell the data subject when collecting data directly from them: identity of controller, DPO contact, purposes and lawful basis, recipients, transfers, retention period, rights, complaint pathway, automated decision-making, and source-of-data details — at the moment of collection, in clear language. Article 14 covers the equivalent obligation when data is collected indirectly from third parties.
Article 13 is the source of every privacy notice you’ve ever read. Most CNIL sanctions for “transparency violations” cite missing Article 13 items: no DPO contact, no retention period, no mention of international transfers, no complaint pathway. The list is closed and exhaustive — every item must appear or the notice is non-compliant.
For its sister provision (data from third parties), see GDPR Article 14 information notices. For the modalities, GDPR Article 12 transparency. For the lawful bases referenced, GDPR Article 6 lawful basis.
Key takeaways
- Article 13 lists 14 mandatory information items for direct collection.
- Information must be provided at the moment of collection — not after.
- Each item must appear in the privacy notice or contextual disclosure (form, banner).
- Layered notices are acceptable, but the full information must be reachable in one click.
- Article 14 covers the same obligation when data comes from a third party.
1. Article 13 mandatory items (paragraph 1)
When data is collected directly from the data subject, the controller must provide:
| # | Item | Article |
|---|---|---|
| 1 | Identity and contact details of controller (and rep if non-EU) | 13(1)(a) |
| 2 | Contact details of DPO if designated | 13(1)(b) |
| 3 | Purposes of processing and the lawful basis | 13(1)(c) |
| 4 | If basis is legitimate interest, the legitimate interest pursued | 13(1)(d) |
| 5 | Recipients or categories of recipients | 13(1)(e) |
| 6 | International transfers, the safeguard mechanism, how to obtain a copy | 13(1)(f) |
2. Additional items (paragraph 2)
To ensure fair and transparent processing:
| # | Item | Article |
|---|---|---|
| 7 | Storage period (or criteria to determine it) | 13(2)(a) |
| 8 | Existence of rights — access, rectification, erasure, restriction, object, portability | 13(2)(b) |
| 9 | Right to withdraw consent (if processing based on consent) | 13(2)(c) |
| 10 | Right to lodge a complaint with supervisory authority | 13(2)(d) |
| 11 | Whether providing data is statutory / contractual requirement, and consequences of refusing | 13(2)(e) |
| 12 | Existence of automated decision-making (Article 22), the logic, significance, consequences | 13(2)(f) |
| 13 | Where further processing for a different purpose is planned, prior information | 13(3) |
| 14 | Information already known to data subject can be omitted | 13(4) |
3. Layered privacy notices
The EDPB (Guidelines on transparency) endorses layered notices:
- Layer 1: short summary at point of collection (form, banner) — controller name, key purposes, link to full notice
- Layer 2: complete privacy notice on a dedicated page with all 14 items
Conditions:
- Layer 1 must be complete enough for an informed decision (controller, purposes, link to layer 2)
- Layer 2 must be one click away
- Both layers must use clear and plain language
4. Compliant privacy notice structure
A typical Article 13-compliant privacy notice has:
1. Who we are (controller identity, address, DPO contact)
2. What data we collect
3. Why we process it (purposes + lawful bases per purpose)
4. Who receives it (internal teams + named external recipients)
5. International transfers (countries + safeguard mechanism)
6. How long we keep it (per category of data)
7. Your rights (access, rectification, erasure, etc.) — how to exercise
8. Your right to complain to the CNIL/relevant DPA (with link)
9. Required vs optional fields (consequences of refusal)
10. Automated decision-making (logic, significance, consequences) — if any
11. Last updated date + change history
5. Common Article 13 violations sanctioned by CNIL
| Failure | Frequency in sanctions |
|---|---|
| No DPO contact | High |
| No retention period stated | High |
| No mention of international transfers | High |
| Generic “we may share with partners” without naming | High |
| Missing complaint pathway to CNIL | Medium |
| Lawful basis not specified per purpose | Medium |
| Automated decision-making not disclosed | Medium |
| Notice in legalese requiring multiple readings | Medium |
The CNIL’s simplified procedure (procédure simplifiée) frequently uses Article 13 violations as the lead grounds — they are visible on first inspection of the privacy notice.
6. Special cases
Mobile apps
The notice must be available before the user installs or first uses the app. The standard practice: an in-app first-launch notice plus a permanent link in settings.
Connected devices / IoT
Information must be provided through an accessible channel — companion app, paper insert, QR code linking to web notice.
Forms (paper or digital)
The notice must sit in proximity to the form fields, not buried in terms of service. The CNIL has sanctioned forms where the notice was a separate document the user never saw.
Cookies and trackers
The notice is triggered by the consent banner. The full notice must still cover all 14 Article 13 items even if the cookie banner shows only a summary. See the CNIL cookie banner guide (bandeau cookies CNIL FR).
7. Article 13 vs Article 14: when each applies
| Source of data | Article applies | Trigger |
|---|---|---|
| Directly from data subject | 13 | At the moment of collection |
| Indirectly from a third party | 14 | Within reasonable period, no later than 1 month, OR at first communication, OR when first disclosed to another recipient |
If your processing involves both — most do — both articles apply.
8. Exemptions (Article 13(4))
The notice obligation doesn’t apply where the data subject already has the information. The bar for “already has” is high — generic awareness doesn’t count. The controller must be able to demonstrate the data subject has actually received the specific information.
In practice: the exemption applies in narrow cases (e.g., a returning customer who recently received an updated notice). Don’t rely on this exemption broadly.
9. Enforcement
| Year | Sanction | Article 13 violation |
|---|---|---|
| 2019 | Google (CNIL) — €50M | Information not easily accessible |
| 2021 | WhatsApp Ireland (DPC) — €225M | Inadequate transparency |
| 2022 | Discord (CNIL) — €800K | Insufficient retention period information |
| 2023 | Brico Privé (CNIL) — €50K | Multiple Article 13 omissions |
| 2024 | Several SMB sanctions €5K-€50K each | Missing DPO contact, vague lawful basis |
Article 83(5)(b) places Article 13 violations at the top tier — up to €20M or 4% of global turnover.
10. Tooling
Legiscope generates Article 13-compliant privacy notices from your ROPA — automatically populates the 14 mandatory items from the underlying processing records. For a SaaS with 10+ collection points (signup, support, marketing forms), the time saving is significant.
For related guides: GDPR Article 12 transparency, GDPR Article 14 information from third parties, GDPR information notices, GDPR consent wording examples.
Conclusion
Article 13 is the contract between the controller and the data subject at the moment of collection. The 14 items are not optional. The notice doesn’t need to be long — it needs to be complete, clear, and accessible. Most violations are omissions, not active misrepresentations: build a checklist once, audit notices quarterly.
FAQ
What information must I include in a privacy notice under GDPR Article 13?
14 items: controller identity, DPO contact, purposes and lawful basis, recipients, international transfers, retention period, rights (access, rectification, erasure, restriction, objection, portability), withdrawal of consent, complaint to supervisory authority, statutory/contractual requirements, automated decision-making, further-processing notice, source-of-data details.
When must Article 13 information be provided?
At the moment data is collected from the data subject — not after. For online forms, the notice must be available before the user submits. For mobile apps, before first use.
Can I use a layered privacy notice?
Yes. The EDPB endorses layered notices — short summary at point of collection + full notice one click away. Both layers must use clear and plain language. The summary alone is not enough.
What’s the difference between Articles 13 and 14?
Article 13 covers data collected directly from the data subject. Article 14 covers data collected indirectly (from third parties, public sources, partners). The information items are largely the same but timing differs.
Are there exemptions to Article 13?
Article 13(4) exempts the obligation where the data subject already has the information. The bar is high — generic awareness doesn’t count. Don’t rely on this exemption broadly.