Provides GDPR Article 13 information at the point of direct data collection, covering all required elements under Art. 13(1)(a)-(f) and Art. 13(2)(a)-(g), layered notice design, and timing requirements. Activate for Art. 13, direct collection notice, privacy notice at collection, data collection information queries.
GDPR Article 13 requires controllers to provide specific information to data subjects at the time personal data is collected directly from them. This information must be provided at the point of collection, not afterwards. This skill provides the complete checklist of required elements, guidance on layered notice design, and templates for common collection scenarios.
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
| Element | Article | Description |
|---|
| Controller identity | Art. 13(1)(a) | Identity and contact details of the controller and, where applicable, of the controller's representative |
| DPO contact | Art. 13(1)(b) | Contact details of the data protection officer, where applicable |
| Purposes and legal basis | Art. 13(1)(c) | The purposes of the processing and the legal basis under Art. 6 |
| Legitimate interests | Art. 13(1)(d) | Where processing is based on Art. 6(1)(f), the legitimate interests pursued by the controller or by a third party |
| Recipients | Art. 13(1)(e) | The recipients or categories of recipients of the personal data, if any |
| International transfers | Art. 13(1)(f) | Where applicable, that the controller intends to transfer data to a third country or international organisation, the existence or absence of an adequacy decision, or reference to appropriate safeguards and means of obtaining a copy or where they have been made available |
In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
| Element | Article | Description |
|---|---|---|
| Retention period | Art. 13(2)(a) | The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period |
| Data subject rights | Art. 13(2)(b) | The existence of the right to request access, rectification, erasure, restriction, object, and portability |
| Right to withdraw consent | Art. 13(2)(c) | Where processing is based on Art. 6(1)(a) or Art. 9(2)(a), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal |
| Right to complain | Art. 13(2)(d) | The right to lodge a complaint with a supervisory authority |
| Statutory/contractual requirement | Art. 13(2)(e) | Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the data and the possible consequences of failure to provide |
| Automated decision-making | Art. 13(2)(f) | The existence of automated decision-making including profiling, meaningful information about the logic, significance, and envisaged consequences |
| Further processing | Art. 13(2)(g) | Where the controller intends to further process for a purpose other than the original, provide information on that other purpose and any relevant further information under Art. 13(2) |
All Art. 13 information must be provided at the time when personal data are obtained — before or at the moment of collection, not after.
Art. 13(1)-(3) shall not apply where and insofar as the data subject already has the information.
The EDPB Guidelines on Transparency (WP260 rev.01) recommend a layered approach for direct collection to balance completeness with usability:
Displayed directly at the point of data collection (e.g., on the form, above the submit button, within the app screen):
Required elements at minimum:
Format guidance:
Linked from Layer 1, containing ALL Art. 13(1)(a)-(f) and Art. 13(2)(a)-(g) elements.
Available on request or via contextual links:
Collection point: Account registration page Data collected: Name, email, password, company name, job title Purpose: Account creation and service provision
Just-in-time notice text:
Meridian Analytics Ltd will use the information you provide to create and manage your account and deliver our analytics services. We may also use your email to send you service-related communications. Read our full privacy notice for details on how we use your data, who we share it with, and your rights.
Collection point: Newsletter subscription form Data collected: Email address, name (optional) Purpose: Marketing communications
Just-in-time notice text:
By subscribing, you consent to Meridian Analytics Ltd sending you marketing emails about our products and services. You can unsubscribe at any time by clicking the link in any email. We will not share your email address with third parties for marketing. Read our full privacy notice.
Collection point: Contact us / support form Data collected: Name, email, company, message content Purpose: Responding to enquiry
Just-in-time notice text:
Meridian Analytics Ltd will use the details you provide to respond to your enquiry. We will retain your message for 3 years to maintain service quality. Read our full privacy notice.
Collection point: Event/webinar registration form Data collected: Name, email, company, dietary requirements (if in-person) Purpose: Event management and follow-up
Just-in-time notice text:
Meridian Analytics Ltd will use your details to manage your event registration and send you event-related communications. If you provide dietary requirements, this information will be processed under your explicit consent and shared only with the catering provider for this event. Read our full privacy notice.
For every new data collection point, verify: