Article 13: Information to be provided where personal data are collected from the data subject
To meet the Article 13 requirement (information to be provided where personal data are collected from the data subject), you must give people specific privacy information at the moment you collect their personal data (for example, on a web form, app screen, or call script). Operationalize this by mapping each collection touchpoint to a standardized “Article 13 notice” and proving delivery.
Key takeaways:
- Provide Article 13 information at the time you obtain data from the data subject, not later. (Regulation (EU) 2016/679, Article 13)
- Standardize notices by collection channel and data use case, then enforce them through release gates and QA.
- Keep evidence that the right notice version was displayed (or read) for each collection workflow.
Article 13 is a front-door control. It governs what you tell individuals when you collect their personal data directly from them, such as account registration, newsletter sign-ups, online checkout, job applications, event registrations, support interactions, and in-product telemetry prompts that ask users to enter information. The core operational question for a CCO, Compliance Officer, or GRC lead is simple: “At the exact point of collection, did we provide the required privacy information, and can we prove it?”
Regulators and auditors typically test Article 13 by sampling real collection journeys and comparing what a user saw to what your privacy notice and records of processing say you do. If your privacy notice is accurate but your forms, scripts, and product screens lag behind, you have a control failure. The fix is not more policy text; it’s inventory, standard language blocks, change management, and durable evidence.
This page gives requirement-level guidance you can execute quickly: who owns what, the workflow triggers that require an Article 13 notice, what to retain as proof, and how to avoid common implementation traps in digital products and third-party data collection flows.
Regulatory text
Excerpt (provided): “Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:” (Regulation (EU) 2016/679, Article 13)
What the operator must do (from this excerpt):
- Identify when you are “obtaining” personal data from the data subject. That includes any intake where the individual directly provides data, whether online or offline. (Regulation (EU) 2016/679, Article 13)
- Ensure the Article 13 information is provided at that moment. Treat “time when obtained” as a hard trigger in product, marketing ops, HR, and support workflows. (Regulation (EU) 2016/679, Article 13)
- Execute as the controller. Article 13 is a controller obligation; processors typically support by implementing the controller’s instructions and providing tooling for notice display and logging. Validate your role per processing activity to avoid gaps. (Regulation (EU) 2016/679)
Implementation note: The excerpt points to “all of the following information,” which in the full Article 13 includes multiple required disclosures. Use the full text to build your notice checklist and templates. (Regulation (EU) 2016/679, Article 13)
Plain-English interpretation (what Article 13 is asking for)
If you collect personal data directly from a person, you must tell them, right then, what’s happening with their data in a clear, accessible way. In practice, that means:
- A user should not have to hunt for your privacy details after submitting a form.
- A call center script should include the required privacy points before or as data is taken.
- A mobile app should present the right notice for the specific data capture screen, not only in a generic settings page.
Who it applies to (entity + operational context)
Applies to you if:
- You act as a controller and you collect personal data directly from the individual through any channel. (Regulation (EU) 2016/679, Article 13)
Common in-scope operational contexts:
- Marketing: lead forms, newsletter sign-ups, gated content downloads
- Sales: demo requests, contact forms, event badge scans
- Product: account creation, profile fields, user-generated content submissions
- HR: recruiting portals, employee onboarding
- Support: phone support intake, chat widgets, ticket submission
- Offline: paper forms, in-person registrations, recorded calls where identifiers are collected
Third-party touchpoints to watch:
- Collection through a third party’s embedded widget (chat, scheduling, payment) on your site
- Co-branded campaigns where another party hosts the form
- Lead-sharing arrangements (even though Article 14 may also become relevant later, Article 13 still applies if your flow collects directly)
What you actually need to do (step-by-step)
1) Decide scope and roles per collection journey
Create a register of:
- Each collection journey (name it so engineers and auditors can find it)
- Controller/processor role for that journey
- Systems involved (CMS, CRM, marketing automation, app, call center tool)
- Data categories collected and purpose(s)
This prevents “we thought the third party handled notice” failures. Keep the decision record. (Regulation (EU) 2016/679)
2) Build an “Article 13 notice checklist” for your templates
Translate “all of the following information” into a checklist based on the full Article 13 text. Maintain it as a controlled document referenced by:
- Web form notice template
- App screen notice template
- Call script notice template
- Paper form language block
Anchor it to your processing reality: purposes, recipient categories, retention logic, and rights handling. (Regulation (EU) 2016/679, Article 13)
3) Inventory every point-of-collection and map the right notice
Create a touchpoint inventory table and assign a notice:
| Channel | Touchpoint | System owner | Notice location | Proof method |
|---|---|---|---|---|
| Web | Newsletter signup | Marketing Ops | Inline under submit + link | Screenshot + version log |
| App | Profile completion | Product | Screen-level disclosure | Release artifact + UI capture |
| Phone | Support intake | Support Ops | Script before collecting | Script version + QA checklist |
| Events | Badge scan | Field Marketing | Posted notice + follow-up link | Photo + workflow record |
Your goal: no collection path without an assigned notice pattern.
4) Implement delivery controls (make it hard to ship without the notice)
Operational controls that work:
- Web/App release gate: privacy review required for new/changed data fields on user-facing collection forms.
- Form builder guardrails: required “privacy notice component” must be present before publish.
- Call center QA: periodic call monitoring includes “privacy disclosure delivered” checkpoint.
- Offline templates control: only approved form templates can be printed/used.
Tie these to your SDLC, marketing campaign launch checklist, and contact-center SOP. (Regulation (EU) 2016/679, Article 13)
5) Make notices consistent with your processing records
Misalignment is a common audit hangup: your notice says one thing, while your internal processing reality differs. Establish a review workflow:
- Privacy/GRC reviews notice templates against your records of processing and current data sharing.
- Product/Marketing confirms what data is collected and where it flows.
- Legal signs off when purposes, sharing, or cross-border disclosures change.
6) Capture durable evidence of what was shown “at the time obtained”
You need more than “we have a privacy policy link.” Retain evidence that the right notice was provided at collection time. Options:
- Versioned screenshots of forms and app screens (with dates and release identifiers)
- HTML/page snapshots and change tickets for web forms
- Stored call scripts with effective dates and training completion records
- For third-party forms/widgets: contractual requirement that the collection experience includes your notice, plus periodic validation screenshots
7) Monitor and remediate exceptions
Set up an exception workflow:
- Report missing notices, broken links, or outdated language
- Triage based on exposure (high-volume intake, sensitive categories, new markets)
- Fix quickly and document the remediation
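The release gate in step 4, the inventory mapping in step 3, the evidence capture in step 6 and the exception log in step 7 can be driven by one automated check over captured form snapshots. The following is an added example, not code from this page or from Daydream. It assumes a markup convention (a data-privacy-notice="<version>" attribute on the notice element), a registry of approved notice versions per channel, and a touchpoint inventory; every name, attribute and sample form below is a constructed assumption.

```python
"""Article 13 release-gate check over captured form snapshots.

Added example; not the page's or Daydream's code. It assumes a touchpoint
inventory (step 3), a registry of approved notice versions (step 2) and HTML
snapshots of collection forms captured at build time (step 6). The markup
convention (a data-privacy-notice="<version>" attribute on the notice element)
and every sample below are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed registry of controlled notice templates per channel (step 2).
APPROVED_NOTICES = {
    "web": ("web-v3", "We use your email to send the newsletter. "
                      "See rights and retention in the linked notice."),
    "app": ("app-v2", "Your profile details are used to provide the service. "
                      "Full notice linked below."),
}


@dataclass
class Touchpoint:
    journey: str         # inventory name engineers and auditors can find
    channel: str         # web / app / phone / events
    owner: str
    notice_version: str  # notice version assigned in the touchpoint inventory


@dataclass
class GateResult:
    journey: str
    passed: bool
    evidence: dict = field(default_factory=dict)
    exceptions: list = field(default_factory=list)


FORM_RE = re.compile(r"<form\b.*?</form>", re.S | re.I)
# Element carrying the assumed data-privacy-notice="<version>" attribute; \1 closes the same tag.
NOTICE_RE = re.compile(
    r'<([a-z]+)[^>]*data-privacy-notice="([^"]+)"[^>]*>(.*?)</\1>', re.S | re.I)


def normalize(text):
    """Strip tags and collapse whitespace so cosmetic edits do not change the digest."""
    return " ".join(re.sub(r"<[^>]+>", "", text).split())


def notice_digest(text):
    """Content digest stored in the evidence packet alongside the version label."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()


def check_form(tp, snapshot_id, form_html, approved=APPROVED_NOTICES):
    """Gate one collection journey: notice inside the form, right version, unchanged text."""
    res = GateResult(journey=tp.journey, passed=True)
    form = FORM_RE.search(form_html)
    if not form:
        res.passed = False
        res.exceptions.append("no <form> element in snapshot")
        return res
    m = NOTICE_RE.search(form.group(0))
    if not m:
        res.passed = False
        # A notice elsewhere on the page (footer link) is the hangup the text describes.
        res.exceptions.append("notice present only outside the form (footer link)"
                              if NOTICE_RE.search(form_html) else "no notice component")
        return res
    shown_version, shown_text = m.group(2), m.group(3)
    exp_version, exp_text = approved.get(tp.channel, (None, None))
    if shown_version != tp.notice_version:
        res.passed = False
        res.exceptions.append(f"displayed {shown_version}, inventory assigns {tp.notice_version}")
    if shown_version != exp_version:
        res.passed = False
        res.exceptions.append(f"{shown_version} is not the approved version for {tp.channel}")
    elif notice_digest(shown_text) != notice_digest(exp_text):
        res.passed = False
        res.exceptions.append("notice text drifted from the approved template")
    # Durable evidence: which snapshot, which version, and a digest of the exact text shown.
    res.evidence = {"snapshot": snapshot_id, "owner": tp.owner,
                    "notice_version": shown_version, "digest": notice_digest(shown_text)}
    return res


def run_gate(runs):
    """Map journey -> GateResult; a failing journey belongs in the exception log (step 7)."""
    return {tp.journey: check_form(tp, sid, html) for tp, sid, html in runs}


# Constructed snapshots: one compliant form, one footer-only link, one edited notice.
NEWSLETTER = """<form action="/subscribe">
  <input name="email" type="email"><button type="submit">Subscribe</button>
  <p data-privacy-notice="web-v3">We use your email to send the newsletter.
  See rights and retention in the <a href="/privacy#newsletter">linked notice</a>.</p>
</form>"""
DEMO = """<form action="/demo"><input name="email"><button type="submit">Request</button></form>
<footer><a data-privacy-notice="web-v3" href="/privacy">Privacy</a></footer>"""
PROFILE = """<form action="/profile"><input name="phone">
<div data-privacy-notice="app-v2">Your profile details are used to improve the service.</div>
</form>"""

SAMPLE_RUNS = [
    (Touchpoint("newsletter-signup", "web", "Marketing Ops", "web-v3"), "web-build-1042", NEWSLETTER),
    (Touchpoint("demo-request", "web", "Sales Ops", "web-v3"), "web-build-1042", DEMO),
    (Touchpoint("profile-completion", "app", "Product", "app-v2"), "app-build-88", PROFILE),
]

if __name__ == "__main__":
    for journey, r in run_gate(SAMPLE_RUNS).items():
        print(journey, "PASS" if r.passed else "FAIL", r.exceptions or r.evidence)
```

Run as a CI step against the built form snapshots: a passing journey yields an evidence record (snapshot id, owner, version, content digest) to file in the evidence packet, and a failing one yields the reason for the exception log. The digest matters because the version label alone does not prove the approved wording was what the user saw; the footer-only branch is the control gap the audit questions above single out.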
Daydream can help by turning the requirement into a mapped control set with owners, trigger events, and a recurring evidence packet so you can answer audits without scrambling.
Required evidence and artifacts to retain
Keep an “Article 13 evidence packet” per major collection channel:
- Role-and-scope register (controller/processor per journey; systems; data categories) (Regulation (EU) 2016/679)
- Article 13 notice checklist and approved templates (controlled versions) (Regulation (EU) 2016/679, Article 13)
- Touchpoint inventory mapping journey → notice pattern → owner
- Proof of notice delivery (screenshots, page captures, script versions, photos of offline signage/forms)
- Change management records (tickets/PRs showing review and approval for new data fields or new forms)
- QA results (spot checks, call monitoring checklists, campaign launch reviews)
- Exception log with remediation actions and dates
Common exam/audit questions and hangups
Expect these questions and prepare crisp evidence:
- “Show us where a user sees the notice when signing up.” Provide the live path plus a versioned screenshot and the release ticket.
- “Is the notice present on every collection form?” Show the inventory and sampling results.
- “What changed in the notice when you added a new purpose or new recipient?” Show change control records.
- “Who approves new collection fields?” Demonstrate the release gate and named approvers.
- “How do you handle collection through third parties?” Show the contractual clause, the implemented UX, and periodic validation evidence.
Hangup: teams rely on a general privacy policy footer link and cannot prove the notice was presented at collection time.
Frequent implementation mistakes and how to avoid them
- Single generic privacy policy for every collection scenario. Fix: maintain channel- and use-case templates with a centralized checklist tied to Article 13. (Regulation (EU) 2016/679, Article 13)
- Notice exists, but not “at the time obtained” (buried post-submit or in settings). Fix: require inline placement at the moment the user submits data or the agent begins capture. (Regulation (EU) 2016/679, Article 13)
- No owner for marketing and growth experiments. Fix: add privacy sign-off to campaign and experiment launch checklists; make the form component mandatory.
- Third-party widgets collect data without your notice. Fix: contractually require notice placement and validate in production; retain screenshots and version history.
- Evidence is ad hoc. Fix: store evidence packets on a recurring cadence with clear naming: journey, notice version, effective date, approver.
Enforcement context and risk implications
No public enforcement cases were provided in the supplied source catalog, so this page does not list case citations. Practically, Article 13 failures increase regulatory and litigation exposure because they undermine transparency. They also create downstream risk: consent validity questions, complaint volume, and audit failures during due diligence with enterprise customers.
Practical 30/60/90-day execution plan
First 30 days: stabilize and stop the bleeding
- Assign an accountable owner (Privacy/GRC) and channel owners (Product, Marketing Ops, Support Ops, HR).
- Build the touchpoint inventory for the highest-volume collection flows.
- Implement a temporary release gate: any new form or new required field needs privacy review.
- Capture baseline evidence (screenshots/scripts) for top journeys.
Days 31–60: standardize and instrument
- Publish the Article 13 checklist and standard templates per channel (web/app/phone/offline). (Regulation (EU) 2016/679, Article 13)
- Integrate required notice components into form builders and design systems.
- Add QA checks: periodic sampling of live journeys and call monitoring checkpoints.
- Start an exception log with internally defined remediation SLAs.
Days 61–90: make it durable and auditable
- Expand inventory coverage to all business units and regions.
- Align notices with records of processing and third-party sharing reality.
- Formalize evidence packet cadence and storage location.
- Use Daydream to keep owners, triggers, approvals, and evidence collection consistent across teams as workflows evolve.
Frequently Asked Questions
Does Article 13 apply if we only collect a business email address on a B2B “contact us” form?
Yes, if it is personal data relating to an individual and you collect it from them, you must provide the Article 13 information at the time you obtain it. (Regulation (EU) 2016/679, Article 13)
Can we satisfy Article 13 by linking to our privacy policy in the website footer?
Footer-only links are a common control gap because they do not reliably show the user received the information at collection time. Place the notice (or a clearly presented link to the relevant notice) directly at the form or screen where data is submitted. (Regulation (EU) 2016/679, Article 13)
What counts as “at the time when personal data are obtained” for call centers?
Operationally, treat it as before or during the intake where the agent starts collecting identifiers. Keep the script version history and QA evidence that the disclosure step occurs in practice. (Regulation (EU) 2016/679, Article 13)
We use a third-party scheduling tool embedded on our site. Who is responsible for the notice?
If you are the controller for that collection, you remain responsible for providing Article 13 information at collection time. Require notice placement in the embedded experience and retain validation evidence. (Regulation (EU) 2016/679, Article 13)
How do we handle multiple purposes in one form (marketing plus account creation)?
Map each purpose to the disclosure content required by your Article 13 checklist and present it in a way users can understand at submission. If you split purposes (for example, optional marketing), align your notices and any preference capture to that structure. (Regulation (EU) 2016/679, Article 13)
What evidence is strongest in an audit?
Auditors respond well to versioned artifacts tied to production change control: screenshots with effective dates, the ticket approving the change, and a maintained inventory that shows every collection touchpoint has an assigned notice. (Regulation (EU) 2016/679, Article 13)