GDPR Transparency Obligations: Articles 12-14 Explained

What You Must Tell People—and Why It Matters

Article 12 of the GDPR requires that all information provided to data subjects be:

  • Concise, transparent, intelligible, and easily accessible
  • Written in clear and plain language, especially when addressed to children

“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

This sets the tone for how organizations must communicate privacy information. That means no legal jargon, no buried disclosures.

Read Article 12 – EUR-Lex Official Text

Article 13: When You Collect Data Directly

If you’re collecting personal data directly from the individual (meaning from the data subject), Article 13 says you must inform them of:

  • Your identity and contact details — meaning the identity and contact details of the controller (and, if applicable, their representative), as well as the contact details of the Data Protection Officer (if applicable)
  • The purpose and legal basis for processing
  • Recipients of the data or categories of recipients of the data
  • Data retention period, or criteria used to determine it
  • Whether providing data is mandatory, and consequences of not doing so
  • Rights of the data subject, including:
    • Access
    • Rectification
    • Erasure
    • Restriction
    • Objection
    • Data portability
  • Right to withdraw consent (if processing is based on consent)
  • Right to lodge a complaint with a supervisory authority
  • Existence of automated decision-making, including profiling, and meaningful information about the logic and consequences

This must be done at the time of collection.

Read Article 13 – EUR-Lex Official Text

Article 14: When You Collect Data Indirectly

If the data is not collected directly from the individual (e.g., third-party sources), the controller must provide the data subject with:

  • Similar disclosures as required under Article 13 (identity, purpose, legal basis, rights, etc.)
  • The source of the personal data
  • Whether it came from publicly accessible sources

This information must be provided within a reasonable period, no later than one month.

Read Article 14 – EUR-Lex Official Text

What You Must Tell Data Subjects

Under the General Data Protection Regulation (GDPR), organizations are legally required to inform individuals about how their personal data is collected and used. This isn’t optional—it’s spelled out in the regulation.

Articles 13 and 14 list the specific details that must be shared, including:

  • Who is collecting the data (the controller)
  • Why the data is being collected (purpose)
  • What legal basis is being used
  • Who the data will be shared with
  • How long it will be stored
  • What rights the individual has (access, correction, deletion, etc.)

Read Article 13, Read Article 14

This is the legal baseline. Whether it’s a website collecting email addresses or a company processing employee data, these rules apply.

What Happens If You Don’t Comply

Failure to meet these transparency obligations can result in:

Article 83 of the GDPR sets out the general conditions for imposing administrative fines, but it does not specifically mention “transparency requirements” as the sole trigger for the highest tier of fines.

The €20 million or 4% of global turnover penalty applies to serious infringements, including:

  • Violations of basic principles for processing (Article 5)
  • Lawfulness of processing (Article 6)
  • Conditions for consent (Article 7)
  • Special categories of data (Article 9)
  • Data subjects’ rights (Articles 12–22)
  • Transfers to third countries (Articles 44–49)
  • Orders from supervisory authorities

Dopamine Takeaway: Make It Clear or Pay the Price

Transparency isn’t just a legal checkbox—it’s a trust signal. When users understand what’s happening with their data, they’re more likely to engage, opt in, and stay loyal. But if you hide behind vague language or skip disclosures, regulators won’t hesitate.