Understanding GDPR Article 13 Compliance: Your Guide to Transparent Data Processing
GDPR Article 13 sets out the often extensive information that controllers must provide to data subjects, both at the point of collection and throughout the processing operation.
GDPR Article 13 Legal Text
EU GDPR Version
Information to be provided where personal data are collected from the data subject
- (1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
  - (a) The identity and the contact details of the controller and, where applicable, of the controller’s representative;
  - (b) The contact details of the data protection officer, where applicable;
  - (c) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  - (d) Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  - (e) The recipients or categories of recipients of the personal data, if any;
  - (f) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
- (2) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
  - (a) The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  - (b) The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  - (c) Where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  - (d) The right to lodge a complaint with a supervisory authority;
  - (e) Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  - (f) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- (3) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
- (4) Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
UK GDPR Version
Article 13: Information to be provided where personal data are collected from the data subject
- (1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
  - (a) The identity and the contact details of the controller and, where applicable, of the controller’s representative;
  - (b) The contact details of the data protection officer, where applicable;
  - (c) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  - (d) Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  - (e) The recipients or categories of recipients of the personal data, if any;
  - (f) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of relevant adequacy regulations under section 17A of the 2018 Act, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
- (2) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
  - (a) The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  - (b) The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  - (c) Where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  - (d) The right to lodge a complaint with the Commissioner;
  - (e) Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  - (f) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- (3) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
- (4) Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Technical Commentary
Organisations need to make the following information available at the point of collection, where it’s applicable (e.g. international transfers):
- The identity of their Data Protection Officer.
- Contact details of their Data Protection Officer.
- The purpose and legal basis for collecting the data.
- Any legitimate interests.
- The identity of the recipients.
- International transfers of data, including country details and safeguards.
Obligations to Provide Information When Personal Data Is Obtained
In accordance with the guidance outlined in Article 13, organisations also need to provide the following information:
- Details of the data retention period.
- The specifics of the data subject’s rights, under data protection law.
- Information on how to withdraw consent.
- How to lodge a complaint.
- The source of the data that’s been obtained.
- Any contractual or statutory requirements.
- Details of automated decision-making processes.
EU GDPR Articles 13 (1)(a), (1)(b), (1)(c), (1)(d), (1)(e), (1)(f), (2)(c), (2)(d), (2)(e), (3), (4) and ISO 27701 Clause 7.3.2
Determining Information for PII Principals
Organisations should outline a detailed set of requirements that govern how and when information is to be provided to PII principals.
Examples include:
- The underlying purpose of the data that’s being collected and processed.
- Contact details.
- How and where the PII was obtained.
- Contractual and/or statutory requirements.
- How consent can be removed.
- PII transfers.
- How to log a complaint.
- How the organisation makes decisions on the processing of PII.
- Information retention periods.
EU GDPR Article 13 (3) and ISO 27701 Clause 7.3.3
Providing Information to PII Principals
All information should be provided error-free, and in language that is easily understood (e.g. free of jargon, not overly technical) by the people who will read it (see ISO 27701 clause 7.3.2).
Supporting ISO 27701 Clauses
- ISO 27701 7.3.2
EU GDPR Article 13 (2)(c) and ISO 27701 Clause 7.3.4
Providing Mechanism to Modify or Withdraw Consent
Mechanisms should be provided that cater to the rights of any PII principal who is seeking to withdraw consent.
Communication channels should mirror those that were used by the organisation to initially collect the data, and PII principals should be able to restrict the controller from performing certain actions.
Organisations should commit to a published response time for all modification or withdrawal of consent requests, and all such requests should be thoroughly documented.
EU GDPR Article 13 (2)(b) and ISO 27701 Clause 7.3.5
Providing Mechanism to Object to PII Processing
Local and national laws vary between jurisdictions, but on the whole, PII principals should retain the ability to raise objections over how their data has been stored, processed or transferred.
Organisations should:
- Document any legal or regulatory requirements that are related to any objections raised by PII principals.
- Provide data subjects with information on how they may object.
EU GDPR Article 13 (2)(b) and ISO 27701 Clause 7.3.6
Access, Correction And/or Erasure
Organisations should document procedures that allow data subjects to perform three basic functions:
- Access their data.
- Correct their data.
- Delete their data.
Organisations should commit to a published response time for all access, correction or deletion requests, and, where relevant, give the reason why a correction cannot be actioned.
If PII has been transferred to a third party, organisations are obliged to relay any requests to them, and confirm acknowledgement (see ISO 27701 clause 7.3.7).
Depending on the jurisdiction, various regional and national rules can apply. As such, organisations should maintain a thorough understanding of any laws or regulations that apply to the access to, correction of or deletion of PII.
Supporting ISO 27701 Clauses
- ISO 27701 7.3.7
EU GDPR Article 13 (2)(f) and ISO 27701 Clause 7.3.10
Automated Decision Making
Organisations should address any legal obligations to PII principals that relate to the automated processing of PII.
Organisations should take into account jurisdictional variances in automated decision making regarding PII – more specifically, allowing PII principals to object and to request human intervention in place of automated procedures.
EU GDPR Article 13 (2)(a) and ISO 27701 Clause 7.4.7
Organisations need to delete and/or dispose of PII that they no longer require, or that no longer fulfils a specific purpose.
Organisations should operate with retention schedules that outline the exact period of time that PII is retained for, including adherence to any legal, statutory or contractual requirements.
Supporting Controls From ISO 27701
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| Article 14 (1)(a), (1)(b), (1)(c), (1)(d), (1)(e), (1)(f), (2)(b), (2)(e), (2)(f), (3)(a), (3)(b), (3)(c), (4), (5)(a), (5)(b), (5)(c) and (5)(d) | ISO 27701 7.3.2 | None |
| Article 14 (2)(d) | ISO 27701 7.3.4 | None |
| Article 14 (2)(c) | ISO 27701 7.3.5 | None |
| Article 14 (2)(c) | ISO 27701 7.3.6 | ISO 27701 7.3.7 |
| Article 14 (2)(g) | ISO 27701 7.3.10 | None |
| Article 14 (2)(a) | ISO 27701 7.4.7 | None |
How ISMS.online Helps
ROPA made easy
Our PIMS solution makes data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.
Built-in Risk Bank
Managing risk is key to a successful PIMS. That’s why we’ve created a built-in risk bank and a range of other practical tools that’ll help with every part of the risk assessment and management process.
Secure space for DRR
Whatever privacy standards or regulation you’re working on, you’ll need to show how well you manage Data Subject Rights Requests (DRR). Our secure DRR space keeps it all in one place, supporting it with automated reporting and insight.