This is some text inside of a div block.

What is Article 13 GDPR of the EU?

Our digitized world offers many advantages to society, but of course there are also many aspects to consider when taking advantage of digital offerings. In particular, the use of the internet has become very important in our everyday life and it is impossible to imagine working and private life without it.

If you use the Internet as a medium, data is collected for many actions, whereby in many cases the user is not aware of data collection and this is rather invisible. These data collections are one of the reasons why the General Data Protection Regulation (GDPR) exists in the first place. In order to secure certain information rights for data subjects, Article 13 of the GDPR must be observed in particular, as this regulates the given information rights when personal data is collected.

The intention behind Article 13 GDPR

If one speaks of Article 13 of the GDPR, one deals with the most important obligation, which exists from a data protection point of view. The article deals with the issue of information obligations that must be guaranteed by those who collect and process personal data. The intention of Article 13 is to create the greatest possible transparency for the data subject as to the form in which his or her personal data is handled. In most cases, the article is therefore aimed at the group of end consumers. The implementation of the article should give them the opportunity to get an overview at any time as to whether data has been collected, what data has been collected and what is happening or has happened with the data and information. In general, the question should also be answered as to why the data was recorded in the first place.

Compliance with Article 13 is of great importance for companies, as compliance with the regulations requires a high level of transparency and thus gives the customer an important sense of security. On the other hand, the company protects itself from high fines that can be imposed in the event of non-compliance. If a failure to comply with information obligations becomes public, this means a significant loss of image for a company, which can be accompanied by major financial losses. Article 13 of the GDPR is therefore equally important for data subjects and companies.

What about the implementation of Article 13 GDPR?

Article 13 of the GDPR does not clearly describe the implementation, but the time of implementation has been clearly defined - if data and information is collected from a person, the data and information must be able to be communicated on request at the time of collection. An important point here is that all relevant information must be actively transmitted. If the data is only published anywhere on the website, this is not sufficient. A direct reference to the information collected is therefore mandatory.

In order to be able to precisely assess this information obligation, Article 12 (1) of the GDPR should also be observed. This deals with the content and its form of transmission, which is precise, understandable, transparent, easily accessible and kept in clear and simple language. Particular attention is paid to statements that refer to children.

Of course, these requirements are not clearly formulated, but the objective is defined in such a way that the information should be kept as simple as possible, so that even ordinary people receive the desired data in a comprehensible form. At the same time, care must be taken to ensure that the information is easily accessible. Article 12 (1) of the GDPR specifies the written form for this process, but also allows other transmission methods and, at the request of the person concerned, even authorizes the oral form of transmission.

If you observe these specifications, you are free in the further design of the information and can adapt it individually. As you can see, the guidelines are also very general here and it is therefore not easy to draw a clear line as to what is permitted and what is not.

What mandatory information is required under Art. 13 of the GDPR?

If a data subject wishes to obtain information in accordance with Article 13 GDPR, the notification is clearly regulated. Basically, there is some information that must be given according to the law.

When do you have to comply with Article 13 GDPR?

  • Name of the person concerned
  • Contact details
  • the purpose of processing the personal data
  • the legal basis on which the processing is based
  • the period during which the personal data will be stored
  • If it is not possible to specify the duration – the criteria for determining the storage duration
  • a note from the person responsible about the right to information about personal data
  • an indication of the right to erasure or rectification of the personal data
  • an indication of the possibility of restricting the processing of personal data
  • an indication of the right to object to the processing of personal data
  • a notice of the right to data portability
  • an indication of the valid right of appeal to a supervisory authority

At the same time, the person responsible must state whether the provision of the personal data has a legal or contractual basis. Furthermore, it must be stated whether the provision of the data is necessary for the conclusion of a contract and whether the person concerned is obliged to provide the personal data. The consequences of not providing the personal data must also be listed. If there is automated decision-making in which profiling is integrated, meaningful information regarding the logic used, its scope and its effects must be provided.

Article 13 GDPR also deals with information that only has to be provided by the person responsible in some situations. These are marked in Article 13 GDPR with the word "if necessary":

  • the name of the representative of the controller
  • the contact details of the representative of the person responsible
  • the contact details of the data protection officer
  • the recipients of the personal data
  • the categories of recipients of the personal data
  • a declaration of intent to transfer data to a third country or an international organization
  • the absence or possession of an adequacy decision by the Commission
  • For transfers - a reference to any appropriate or reasonable safeguards
  • the possibility of obtaining a copy or a place of availability of the copies

In addition, two cases must be mentioned in which information only has to be provided if the data collection relates to another article of the General Data Protection Regulation. These are marked in the introductory sentence with the word "if":

  • If the processing of the data relates to Article 6 Paragraph 1 lit. F. This means that the interests of the person responsible outweigh the claims of the person concerned

When do you have to comply with Article 13 GDPR?

An important question that arises when dealing with Article 13 GDPR is when you have to comply with its specifications and when you do not have to comply with the specifications. This question is easy to explain, as the article clearly defines that the article only applies when personal data are collected from data subjects. The core here are the terms "data subject" and "personal data", which are clearly defined in the regulation.

Studying Article 13 of the GDPR, one will recognize that a "data subject" is one who can be identified in some way. If one speaks of "personal data", then information is described which relates to a name, a location, an identification number. At the same time, one or more characteristics that relate to the physical, genetic, physiological, psychological, cultural, economic or social identity of the person concerned must be named.

Examples can be mentioned here:

  • the tax number
  • the ID number
  • a religious attitude
  • the E-Mail adress
  • account information
  • the political sentiment
  • the sexual orientation
  • Health data

These examples do not cover the entire range, as there are many possible applications. But as examples of the given intention, these provide a good basis for thinking about further use cases. In principle, Article 13 of the GDPR applies if comparable data is collected from identifiable persons. 

Consequences of violations of Article 13 GDPR

For all those affected, the fundamental question naturally arises as to what the consequences are if Article 13 of the GDPR is violated. If you look at the regulations according to Articles 77-84 of the GDPR, you will find that a wide variety of consequences can take effect.

Considering a common scenario, a possible complaint against a breach is to be lodged with a competent supervisory authority. According to Article 77 of the GDPR, every data subject can exercise this right. The complaint will be evaluated by the supervisory authority. In principle, the supervisory authorities have the power to impose fines. This power is dealt with and granted in Article 83 of the GDPR. The fines are imposed by the supervisory authorities and determined individually on a case-by-case basis. Various characteristics and factors are taken into account in the assessment, including, for example, the type of violation, the severity and time frame of the violation, intent, negligence and previous violations. Other types of possible violations can be viewed under Article 83(2). The fines are classified by the supervisory authority into the categories effective, dissuasive and proportionate.

Fines often represent a financial risk for companies, as violations of Article 13 GDPR according to Para. 2 lit b. can be punished with up to 20.000.000 euros. Another possibility is to impose a fine of four percent of the worldwide annual turnover (last financial year). For many companies, not only is the image damage to be considered, but also a high financial burden represents a high financial risk for the company.

According to Article 82 of the GDPR, a simple claim for damages is another possibility to punish the violation of Article 13 GDPR if a person suffers immaterial or material damage. The type and scope of compensation can be defined according to § 249 ff. BGB.

In general, Article 13 of the GDPR is a crucial article for companies, as violations involve high fines and these are severely punished. Basically, when considering the article, a possible image damage should always be considered, which can also show further financial risks in addition to the fines.

back to all articles
Follow us on social media for even more data protection news!