Providing Direct Collection Information

Provides GDPR Article 13 information at the point of direct data collection, covering all required elements under Art. 13(1)(a)-(f) and Art. 13(2)(a)-(g), layered notice design, and timing requirements. Activate for Art. 13, direct collection notice, privacy notice at collection, data collection information queries.

ID: general.data-protection.direct-collection-notice
Version: 0.1.0
License: Apache-2.0
Author: mukul975
Language: en
Added: 2026-06-01

Overview

GDPR Article 13 requires controllers to provide specific information to data subjects at the time personal data is collected directly from them. This information must be provided at the point of collection, not afterwards. This skill provides the complete checklist of required elements, guidance on layered notice design, and templates for common collection scenarios.

Legal Foundation

GDPR Article 13 — Information to Be Provided Where Personal Data Are Collected from the Data Subject

Art. 13(1) — First Layer (Mandatory at Point of Collection)

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

| Element | Article | Description |
|---|---|---|
| Controller identity | Art. 13(1)(a) | Identity and contact details of the controller and, where applicable, of the controller's representative |
| DPO contact | Art. 13(1)(b) | Contact details of the data protection officer, where applicable |
| Purposes and legal basis | Art. 13(1)(c) | The purposes of the processing and the legal basis under Art. 6 |
| Legitimate interests | Art. 13(1)(d) | Where processing is based on Art. 6(1)(f), the legitimate interests pursued by the controller or by a third party |
| Recipients | Art. 13(1)(e) | The recipients or categories of recipients of the personal data, if any |
| International transfers | Art. 13(1)(f) | Where applicable, that the controller intends to transfer data to a third country or international organisation, the existence or absence of an adequacy decision, or reference to appropriate safeguards and means of obtaining a copy or where they have been made available |

Art. 13(2) — Second Layer (Necessary for Fair Processing)

In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

| Element | Article | Description |
|---|---|---|
| Retention period | Art. 13(2)(a) | The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period |
| Data subject rights | Art. 13(2)(b) | The existence of the rights to request access, rectification, erasure, and restriction, to object, and to data portability |
| Right to withdraw consent | Art. 13(2)(c) | Where processing is based on Art. 6(1)(a) or Art. 9(2)(a), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal |
| Right to complain | Art. 13(2)(d) | The right to lodge a complaint with a supervisory authority |
| Statutory/contractual requirement | Art. 13(2)(e) | Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the data and the possible consequences of failure to provide it |
| Automated decision-making | Art. 13(2)(f) | The existence of automated decision-making, including profiling, and meaningful information about the logic, significance, and envisaged consequences |
| Further processing | Art. 13(2)(g) | Where the controller intends to further process the data for a purpose other than the original, information on that other purpose and any relevant further information under Art. 13(2) |

Timing (Art. 13(1) First Sentence)

All Art. 13 information must be provided at the time when personal data are obtained — before or at the moment of collection, not after.

Exemption (Art. 13(4))

Art. 13(1)-(3) shall not apply where and insofar as the data subject already has the information.

Layered Notice Design for Direct Collection

Principle

The EDPB Guidelines on Transparency (WP260 rev.01) recommend a layered approach for direct collection to balance completeness with usability:

Layer 1: Just-In-Time Notice

Displayed directly at the point of data collection (e.g., on the form, above the submit button, within the app screen):

Required elements at minimum:

  1. Controller identity (name)
  2. Each specific purpose for which data is being collected
  3. Any processing that may be unexpected or objectionable
  4. Link to the full privacy notice (Layer 2)

Format guidance:

  • Maximum 150 words
  • Visible without scrolling on the collection interface
  • No click-through required to see the core information
  • Use icons where appropriate (per Art. 12(7))

Layer 2: Full Privacy Notice

Linked from Layer 1, containing ALL Art. 13(1)(a)-(f) and Art. 13(2)(a)-(g) elements.

Layer 3: Detailed Supplementary Information

Available on request or via contextual links:

  • Full legitimate interest assessments
  • Complete international transfer mechanism documentation
  • Detailed automated decision-making logic explanations

Collection Scenario Templates

Scenario 1: Online Registration Form

Collection point: Account registration page
Data collected: Name, email, password, company name, job title
Purpose: Account creation and service provision

Just-in-time notice text:

Meridian Analytics Ltd will use the information you provide to create and manage your account and deliver our analytics services. We may also use your email to send you service-related communications. Read our full privacy notice for details on how we use your data, who we share it with, and your rights.

Scenario 2: Newsletter Signup

Collection point: Newsletter subscription form
Data collected: Email address, name (optional)
Purpose: Marketing communications

Just-in-time notice text:

By subscribing, you consent to Meridian Analytics Ltd sending you marketing emails about our products and services. You can unsubscribe at any time by clicking the link in any email. We will not share your email address with third parties for marketing. Read our full privacy notice.

Scenario 3: Contact Form / Support Request

Collection point: Contact us / support form
Data collected: Name, email, company, message content
Purpose: Responding to enquiry

Just-in-time notice text:

Meridian Analytics Ltd will use the details you provide to respond to your enquiry. We will retain your message for 3 years to maintain service quality. Read our full privacy notice.

Scenario 4: Event Registration

Collection point: Event/webinar registration form
Data collected: Name, email, company, dietary requirements (if in-person)
Purpose: Event management and follow-up

Just-in-time notice text:

Meridian Analytics Ltd will use your details to manage your event registration and send you event-related communications. If you provide dietary requirements, this information will be processed under your explicit consent and shared only with the catering provider for this event. Read our full privacy notice.

Compliance Checklist

For every new data collection point, verify:

  • [ ] Art. 13(1)(a): Controller name and contact details displayed
  • [ ] Art. 13(1)(b): DPO contact details accessible (directly or via link to full notice)
  • [ ] Art. 13(1)(c): Each purpose and legal basis stated
  • [ ] Art. 13(1)(d): Legitimate interests specified (if Art. 6(1)(f) relied upon)
  • [ ] Art. 13(1)(e): Recipients identified (directly or via link to full notice)
  • [ ] Art. 13(1)(f): International transfer information provided (if applicable)
  • [ ] Art. 13(2)(a): Retention period or criteria stated
  • [ ] Art. 13(2)(b): Data subject rights listed with exercise mechanism
  • [ ] Art. 13(2)(c): Right to withdraw consent stated (if consent-based)
  • [ ] Art. 13(2)(d): Right to complain to ICO stated
  • [ ] Art. 13(2)(e): Whether provision is required and consequences of non-provision
  • [ ] Art. 13(2)(f): Automated decision-making disclosure (if applicable)
  • [ ] Information provided at or before the moment of collection
  • [ ] Layered approach: just-in-time notice + link to full notice
  • [ ] Language is clear, plain, and appropriate for the audience
  • [ ] Notice is visible without requiring additional clicks or scrolling
