GDPR A13-01: Privacy Notice Requirements for Direct Personal Data Collection
When you collect personal data directly from individuals, GDPR Article 13 mandates you provide transparent, complete privacy information at the moment of collection. Failing to deliver required notices exposes you to significant fines and erodes user trust. This control ensures you document and deliver all mandatory disclosures upfront.
What this means
GDPR Article 13 requires organizations to provide data subjects with specific privacy information at the time personal data is collected directly from them. This includes the controller's identity and contact details, the purposes and legal basis for processing, details about legitimate interests, third-party recipients, any international data transfers, data retention periods, and explicit notice of data subject rights including access, rectification, erasure, and the right to lodge complaints with supervisory authorities. This transparency obligation is foundational to GDPR compliance and must be documented, delivered clearly, and maintained as evidence.
How to comply
- 1.Identify all data collection points where personal data is gathered directly from individuals (forms, registrations, applications, surveys)
- 2.Document the controller's full identity, contact information, and data protection officer details if applicable
- 3.Clearly state all processing purposes and specify the legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
- 4.If relying on legitimate interests, document the balancing test and make the rationale transparent to data subjects
- 5.List all third-party recipients, categories of recipients, and their processing purposes
- 6.Disclose any international data transfers, recipient countries, and safeguards (standard contractual clauses, adequacy decisions)
- 7.Specify precise retention periods or criteria for determining how long data will be kept
- 8.Clearly communicate data subject rights: access, rectification, erasure, restriction, portability, objection, and automated decision-making rights
- 9.Provide information about the right to withdraw consent and lodge complaints with supervisory authorities
- 10.Create templates or standardized notices covering all scenarios and ensure they are plain language and easily accessible
- 11.Train staff to deliver privacy notices consistently and consistently across all collection channels
- 12.Maintain records of notices delivered, templates used, and updates made in response to legal changes
Evidence auditors look for
- Privacy notice templates used in online forms, account registration, or checkout flows
- Written privacy policies delivered at point of collection with all Article 13 mandatory information
- Signed consent forms that include privacy notice language and data subject rights
- Screenshot evidence of privacy banners or popup notices displayed during data collection
- Email confirmations sent to data subjects at collection that include privacy information
- PDF or document copies of privacy notices provided in print or downloadable format
- Records showing date and version of privacy notice delivered to each data subject
- Documentation of legitimate interest assessments referenced in privacy notices
- Proof of translation if privacy notices are delivered in multiple languages
- Internal procedures or checklists confirming all Article 13 elements are covered in collection processes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates privacy notice generation and delivery by creating GDPR-compliant templates tailored to your data collection points, tracking notice delivery evidence, and alerting you when privacy policies change so your notices stay compliant—eliminating manual documentation work.
See how GRCWatch handles this control automatically
Start free trial