How to Demonstrate Compliance With GDPR Article 13

GDPR Compliance Software

Book a demo

business,colleagues,working,at,a,busy,open,plan,office

GDPR Article 13 deals with the often extensive amount of information that needs to be provided to data subjects, by controllers, both at point of collection and throughout the processing operation.

GDPR Article 13 Legal Text

EU GDPR Version

Information to be provided where personal data are collected from the data subject

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
    • The identity and the contact details of the controller and, where applicable, of the controller’s representative;
    • The contact details of the data protection officer, where applicable;
    • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    • Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
    • The recipients or categories of recipients of the personal data, if any;
    • Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

  2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
    • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
    • The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
    • Where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    • The right to lodge a complaint with a supervisory authority;
    • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
    • The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

UK GDPR Version

Article 13: Information to be provided where personal data are collected from the data subject

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
    • The identity and the contact details of the controller and, where applicable, of the controller’s representative;
    • The contact details of the data protection officer, where applicable;
    • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    • Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
    • The recipients or categories of recipients of the personal data, if any;
    • Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of relevant adequacy regulations under section 17A of the 2018 Act, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

  2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
    • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
    • The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
    • Where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    • The right to lodge a complaint with the Commissioner;
    • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
    • The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Technical Commentary

Organisations need to make the following information available at the point of collection, where it’s applicable (e.g. international transfers):

  1. The identity of their Data Protection Officer.
  2. Contact details of their Data Protection Officer.
  3. The purpose and legal basis for collecting the data.
  4. Any legitimate interests.
  5. The identity of the recipients.
  6. International transfers of data, including country details and safeguards.

Obligations to Provide Information at When Personal Data Is Obtained

In accordance with the guidance outlined in Article 13, organisations also need to provide the following information:

  • Details of the data retention period.
  • The specifics of the data subject’s rights, under data protection law.
  • Information on how to withdraw consent.
  • How to lodge a complaint.
  • The source of the data that’s been obtained.
  • Any contractual or statutory requirements.
  • Details of automated decision-making processes.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

ISMS.online will save you time and money

Get your quote

EU GDPR Articles 13 (1)(a), (1)(b), (1)(c), (1)(d), (1)(e), (1)(f), (2)(c), (2)(d), (2)(e), (3), (4) and ISO 27701 Clause 7.3.2

Determining Information for PII Principals

Organisations should outline a detailed set of requirements that govern how and when information is to be provided to PII principals.

Examples include:

  • The underlying purpose of the data that’s being collected and processed.
  • Contact details.
  • How and where the PII was obtained.
  • Contractual and/or statutory requirements.
  • How consent can be removed.
  • PII transfers.
  • How to log a complaint.
  • How the organisation makes decisions on the processing of PII.
  • Information retention periods.

EU GDPR Article 13 (3) and ISO 27701 Clause 7.3.3

Providing Information to PII Principals

All information should be provided error-free, and in language that is easily understood (e.g. lacking jargon, not overly technical) by the people who have the ability to read it (see ISO 27702 clause 7.3.2).

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

EU GDPR Article 13 (2)(c) and ISO 27701 Clause 7.3.4

Providing Mechanism to Modify or Withdraw Consent

Mechanisms should be provided that cater to the rights of any PII principal who is seeking to withdraw consent.

Communication channels should mirror those that were used by the organisation to initially collect the data, and PII principals should be able to restrict the controller from performing certain actions.

Organisations should commit to a published response time for all modification or withdrawal of consent requests, and all such requests should be thoroughly documented.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

EU GDPR Article 13 (2)(b) and ISO 27701 Clause 7.3.5

Providing Mechanism to Object to PII Processing

Local and national laws vary between jurisdictions, but on the whole, PII principals should retain the ability to raise objections over how their data has been stored, processed or transferred.

Organisations should:

  1. Document any legal or regulatory requirements that are related to any objections raised by PII principals.
  2. Provide data subjects with information on how they may object.

EU GDPR Article 13 (2)(b) and ISO 27701 Clause 7.3.6

Access, Correction And/or Erasure

Organisations should document procedures that allow data subjects to perform three basic functions:

  1. Access their data.
  2. Correct their data.
  3. Delete their data.

Organisations should commit to a published response time for all access, correction or deletion requests, and provide a reason as to why corrections aren’t able to be actioned, where relevant.

If PII has been transferred to a third party, organisations are obliged to relay any requests to them, and confirm acknowledgement (see ISO 27701 clause 7.3.7).

Depending on the jurisdiction, various regional and national rules can apply. As such, organisations should maintain a thorough understanding of any laws or regulations that apply to the access to, correction of or deletion of PII.

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.7

EU GDPR Article 13 (2)(f) and ISO 27701 Clause 7.3.10

Automated Decision Making

Organisations should address any legal obligations to PII principals that relate to the automated processing of PII.

Organisations should take into account jurisdictional variances in automated decision making regarding PII – more specifically, allowing PII principals to object and requesting human intervention in place of automated procedures.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Since migrating we’ve been able to reduce the time spent on administration.
Jodie Korber
Managing Director Lanrex
100% of our users pass certification first time
Book your demo

EU GDPR Article 13 (2)(a) and ISO 27701 Clause 7.4.7

Organisations need to delete and/or dispose of PII that it no longer requires, or no longer fulfils a specific purpose.

Organisations should operate with retention schedules that outline the exact period of time that PII is retained for, including adherence to any legal, statutory or contractual requirements.

Supporting Controls From ISO 27701

GDPR ArticleISO 27701 ClauseSupporting Clauses
Article 14 (1)(a), (1)(b), (1)(c), (1)(d), (1)(e), (1)(f), (2)(b), (2)(e), (2)(f), (3)(a), (3)(b), (3)(c), (4), (5)(a), (5)(b), (5)(c) and (5)(d)ISO 27701 7.3.2None
Article (14)(2)(d)ISO 27701 7.3.4None
Article (14)(2)(c)ISO 27701 7.3.5None
Article (14)(2)(c)ISO 27701 7.3.6ISO 27701 7.3.7
Article (14)(2)(g)ISO 27701 7.3.10None
Article (14)(2)(a)ISO 27701 7.4.7None

How ISMS.online Helps

ROPA made easy

Our PIMS solution makes data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

Built in Risk Bank

Managing risk is key to a successful PIMS. That’s why we’ve created a built-in risk bank and a range of other practical tools that’ll help with every part of the risk assessment and management process.

Secure space for DRR

Whatever privacy standards or regulation you’re working on, you’ll need to show how well you manage Data Subject Rights Requests (DRR). Our secure DRR space keeps it all in one place, supporting it with automated reporting and insight.

Find out more by booking a demo.

It helps drive our behaviour in a positive way that works for us
& our culture.

Emmie Cooney
Operations Manager, Amigo

Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now