Transparency is one of the central pillars of the General Data Protection Regulation (GDPR). The Regulation does not allow organisations to collect or process personal data in silence, obscurity, or ambiguity. Instead, it requires that individuals be properly informed about who is processing their data, why it is being processed, how long it will be retained, and what rights they can exercise in relation to that processing.

These transparency obligations are codified principally in Articles 13 and 14 GDPR, which together implement the right to be informed. Article 13 applies where personal data is collected directly from the data subject, while Article 14 governs situations where personal data is obtained indirectly, from third-party or other sources. Although closely related, the two articles impose different timing, content, and contextual requirements.

For businesses, Articles 13 and 14 are not merely documentation requirements. Failures of transparency can invalidate consent, undermine reliance on other lawful bases, trigger regulatory complaints, and expose organisations to enforcement even where the underlying processing might otherwise have been lawful. Supervisory authorities consistently treat transparency as a threshold issue: if individuals are not properly informed, the processing starts on the wrong legal footing.

This page explains the scope, content, and practical implications of Articles 13 and 14, and how organisations should structure their transparency practices to meet GDPR expectations.

The Legal and Conceptual Foundation of Transparency

Article 5(1)(a) GDPR establishes that personal data must be processed lawfully, fairly, and transparently. Articles 13 and 14 are the primary mechanisms through which this transparency principle is operationalised. They ensure that individuals are not left to infer or guess how their personal data is used, and that data practices are not hidden behind inaccessible or unclear notices.

Supervisory authorities emphasise that transparency is not satisfied by mere technical availability of information. Information must be clear, accessible, and intelligible, and presented in plain language, taking account of the intended audience. Where processing affects children, additional care must be taken to ensure that disclosures can be understood by a child audience.

Article 13 GDPR: Transparency Where Data Is Collected Directly

When Article 13 Applies

Article 13 applies whenever personal data is collected directly from the data subject. This includes common business scenarios such as website registration forms, customer onboarding, employment and recruitment processes, account creation in digital services, and in-store registrations or event sign-ups.

In these contexts, the organisation has a direct interaction with the individual and is therefore required to provide transparency at the time the personal data is obtained.

Mandatory Information under Article 13

Article 13 sets out a detailed list of information that controllers must provide. Controllers must inform the data subject of the identity and contact details of the controller (and representative, where applicable), the contact details of the data protection officer where one is appointed, the purposes of the processing and the legal basis relied upon, any legitimate interests pursued where legitimate interest is the legal basis, the recipients or categories of recipients of the personal data, and details of any intended international transfers including safeguards relied upon.

In addition, to ensure fair and transparent processing, controllers must also provide the applicable retention period or criteria used to determine it, a description of the data subject’s rights (access, rectification, erasure, restriction, portability, and objection), information on the right to withdraw consent where consent is relied upon, the right to lodge a complaint with a supervisory authority, whether the provision of data is a statutory or contractual requirement and the consequences of failure to provide it, and information about automated decision-making including profiling where applicable.

These disclosures are mandatory. Omitting or downplaying them—by skeleton notices or vague statements—does not satisfy Article 13.

Timing of Article 13 Disclosures

Article 13 requires that all required information be provided at the time the personal data is obtained. In practice, this means before submission of a web form, at or before account creation, and during recruitment or onboarding processes. Post-collection disclosures are not sufficient. Supervisory authorities repeatedly stress that transparency must exist before or at the moment individuals are asked to part with their personal data.

Article 14 GDPR: Transparency Where Data Is Obtained Indirectly

When Article 14 Applies

Article 14 applies where personal data has not been obtained from the data subject. This includes situations where data is sourced from third-party providers or data brokers, obtained from publicly accessible sources, shared within corporate groups, or generated through referrals or indirect relationships.

Article 14 reflects the fact that in such cases, individuals may have no prior awareness that data concerning them is being processed. As a result, the GDPR imposes detailed disclosure obligations designed to remedy that imbalance.

Mandatory Information under Article 14

The content requirements of Article 14 largely mirror those of Article 13, with several important additions reflecting the indirect nature of the data collection. Controllers must inform the data subject of the identity and contact details of the controller (and representative), the contact details of the data protection officer where applicable, the purposes of processing and the legal basis relied upon, the categories of personal data concerned, the recipients or categories of recipients of the data, and details of international transfers and safeguards where applicable.

Additional disclosures include the applicable retention period or criteria, any legitimate interests pursued where relevant, the same catalogue of data subject rights, the right to withdraw consent where applicable, the right to lodge a complaint with a supervisory authority, the source of the personal data including whether it originated from publicly accessible sources, and information about automated decision-making and profiling where applicable. The obligation to identify the source of the data is distinctive to Article 14 and frequently overlooked in practice.

Timing of Article 14 Disclosures

Article 14 provides more nuanced timing rules, recognising that immediate disclosure may not always be feasible in indirect collection scenarios. The required information must be provided: within a reasonable period after obtaining the personal data and at the latest within one month; at the time of the first communication with the data subject if the data is used to communicate; or at the latest when the data is first disclosed to another recipient. Organisations may not indefinitely postpone transparency by relying on internal or logistical complexity.

Key Differences Between Articles 13 and 14

While Articles 13 and 14 share a common transparency objective, their triggering conditions and emphases differ. Article 13 assumes a direct relationship and immediate knowledge by the data subject. Article 14 addresses situations of potential invisibility, requiring disclosure even where no direct interaction has occurred. Article 14 places explicit emphasis on identifying the source of the data. Timing under Article 14 is more flexible but still strictly defined.

Supervisory authorities expect organisations to be able to clearly articulate which article applies to each processing activity and why.

Exceptions and Limitations to Article 14

Article 14 includes limited exceptions where providing information would be impossible, involve disproportionate effort, or risk seriously impairing the objectives of the processing. These exceptions are interpreted narrowly by regulators.

In particular, “disproportionate effort” does not mean inconvenience, cost, or technical difficulty alone. Organisations relying on this exception must implement appropriate measures to protect data subject rights, such as making information publicly available, and must document their assessment. Over-reliance on Article 14 exemptions is a recurring focus of regulatory enforcement.

Transparency and Lawful Bases for Processing

Transparency is not independent of the lawful basis analysis under Article 6 GDPR. Supervisory authorities frequently emphasise that consent cannot be valid if required information is withheld or obscured, legitimate interest balancing is undermined if the individual is not properly informed, and contractual necessity must be clearly explained to be relied upon. In practice, deficiencies in Articles 13 or 14 disclosures can render the entire processing operation unlawful, even if a lawful basis exists in theory.

Form, Language, and Accessibility of Transparency Notices

Articles 12 through 14 GDPR work together to impose qualitative requirements on transparency. Information must be concise, transparent, intelligible, easily accessible, and written in clear and plain language.

Layered notices, visualisation tools, and contextual disclosures are encouraged where they improve understanding. Conversely, dense legal text, vague phrasing, or buried disclosures undermine transparency, even if all required elements are technically present. Where processing targets or affects children, information must be presented in a manner that a child can reasonably understand.

Transparency as a Continuous Obligation

Transparency is not a one-time event. Where processing purposes, legal bases, recipients, or international transfer arrangements change, controllers must update their disclosures accordingly. Articles 13(3) and 14(4) require additional information to be provided where processing evolves in a way incompatible with prior disclosures. Failure to update notices in line with operational reality is frequently cited as a transparency failure during regulatory investigations.

Enforcement and Regulatory Expectations

Supervisory authorities consistently regard transparency failures as foundational compliance breaches. Articles 13 and 14 are commonly invoked in enforcement actions because they are easy for individuals to assess, directly linked to fairness and trust, and central to the exercise of other data subject rights. In practice, regulators often begin investigations by examining transparency materials before analysing deeper technical or organisational controls.

Conclusion

Transparency under Articles 13 and 14 GDPR is not a peripheral formality. It is a core legal obligation that shapes the legitimacy of all personal data processing. For businesses, achieving compliance requires more than publishing a generic privacy notice. It requires accurate mapping of data sources, clear articulation of purposes and legal bases, rigorous disclosure of recipients, retention, and rights, and continuous alignment between documentation and practice.

Organisations that approach transparency strategically—embedding it into data governance, product design, and vendor relationships—are far better positioned to meet regulatory expectations and maintain trust with individuals and regulators alike.