Lesson 16 of 25

Transparency & Privacy Notices (Articles 13–14)

5 min read · CIPP/E

Build a complete privacy notice and know the difference between Article 13 (direct collection) and Article 14 (indirect), plus the purpose of layered notices. Ace the 'what belongs in a notice' question.

Transparency: the visible face of the GDPR

  • Transparency is part of the first principle (Art. 5(1)(a))
  • Article 12 — clear, plain language, concise, accessible
  • Privacy notices are how you deliver it
  • Domain III.C tests notice content

Transparency is part of the very first principle in Article 5, and Article 12 spells out how it must be delivered: in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, especially when addressed to a child. The everyday tool for meeting this duty is the privacy notice, sometimes called a privacy policy or fair-processing notice. Domain three tests the transparency principle, the required components of a notice, and the idea of layering.

So this lecture is about what you must tell people, when, and how. Get the content list straight, because the exam likes to ask which item belongs in a notice and which does not.

Article 13: data collected directly

  • Applies when you collect data from the person
  • Provide the notice at the time of collection
  • Identity and contact of controller (and DPO)
  • Purposes and the lawful basis for each

Article 13 applies when you collect personal data directly from the data subject, for example through a sign-up form. You must give the information at the time you obtain the data. The core items are: the identity and contact details of the controller and, where applicable, of its representative; the contact details of the data protection officer, where one has been designated; the purposes of the processing and the lawful basis for each, and, if you rely on legitimate interests, what those interests are; the recipients or categories of recipients of the data; and whether you intend to transfer the data to a third country or international organisation, together with whether a Commission adequacy decision exists or, if not, which appropriate safeguard (for example under Article 46 or 47) you rely on and how the person can obtain a copy of it.

That basis-and-recipients combination is the spine of any notice, and the exam expects you to know it lives in Article 13 for direct collection.

Article 14: data obtained indirectly

  • Applies when data comes from a third party, not the person
  • Same core items PLUS the categories of data and the source
  • Provide within a reasonable period, at most one month
  • Exemptions: e.g. disproportionate effort, legal obligation to obtain

Article 14 applies when you obtain personal data from somewhere other than the data subject, for example buying a marketing list or receiving data from a partner. It requires broadly the same information as Article 13, plus two extra items the exam loves: the categories of personal data concerned, and the source from which the data originated (including whether it came from publicly accessible sources). Because the person was not present at collection, the timing rule differs: you must provide the information within a reasonable period after obtaining the data and at the latest within one month; if you use the data to communicate with the person, at the latest at that first communication; and if you plan to disclose the data to another recipient, at the latest when you first disclose it. In practice the earliest of those deadlines applies.

Article 14(5) also has exemptions Article 13 lacks. Article 13(4) only excuses information the person already has; Article 14 additionally excuses the notice where providing it proves impossible or would involve disproportionate effort (in particular for archiving, research or statistical purposes, subject to the safeguards in Article 89(1)), where obtaining or disclosing the data is expressly laid down by Union or Member State law that provides appropriate measures to protect the person's interests, or where the data must remain confidential under a legal obligation of professional secrecy. Remember: directly collected, Article 13; obtained from elsewhere, Article 14.

The full content checklist

  • Retention period (or the criteria for it)
  • The data subject rights and how to exercise them
  • Right to withdraw consent; right to complain to a DPA
  • Existence of automated decision-making/profiling

Beyond identity, purposes, basis, and recipients, both Articles 13 and 14 require a further set of items, and these complete the checklist the exam draws from. You must state the retention period or, if you cannot give a fixed period, the criteria used to determine it. You must list the data subject rights (access, rectification, erasure, restriction, objection, and portability) and how to exercise them.

You must mention the right to withdraw consent at any time where consent is the basis (without affecting the lawfulness of processing before withdrawal), and the right to lodge a complaint with a supervisory authority. And you must disclose the existence of any automated decision-making, including profiling, under Article 22, with meaningful information about the logic involved and the significance and envisaged consequences for the person. One item belongs to Article 13 alone, because it only makes sense at the point of collection: whether providing the data is a statutory or contractual requirement, or necessary to enter into a contract, whether the person is obliged to provide it, and the possible consequences of not doing so (Art. 13(2)(e)). If an exam question asks which item must appear in a notice, it is almost certainly on this combined list.

Layered notices

  • Long notices overwhelm; layering improves comprehension
  • Top layer — short, key points up front
  • Lower layers — full detail on demand
  • Endorsed by regulators as good practice

The Body of Knowledge specifically asks about layered privacy notices, so let's be clear on why they exist. A single, exhaustive notice can run to thousands of words that nobody reads, which actually undermines transparency. A layered notice solves this by presenting the most important points (who you are, what you do with the data, and the person's key rights) in a short top layer, with links or expandable sections leading to the full detail underneath. The full Article 13 or 14 content must still be available in the lower layers; layering changes where the information sits, not whether it is provided.

The person gets the headline immediately and can drill into the specifics if they want. Regulators, including the EDPB's transparency guidance, endorse layering as good practice precisely because it serves the clarity that Article 12 demands. The purpose of layering is comprehension, not hiding information, and the exam may test that distinction.

Recap

  • Transparency = clear, plain, accessible (Arts. 5(1)(a), 12)
  • Article 13 — direct collection, at the time
  • Article 14 — indirect, within a month, plus source and categories
  • Layered notices aid comprehension

So transparency comes down to telling people clearly what you do with their data. Article 12 sets the style: concise, intelligible, plain language. Article 13 governs notices when you collect data directly from the person, provided at the time of collection.

Article 14 governs data obtained from a third party, provided within a reasonable period and at the latest within a month, with the extra items of the data categories and the source, plus its own exemptions. Both share a full content checklist: identity, purposes, basis, recipients, transfers, retention, rights, and automated decisions. And layered notices put the headlines up front to aid comprehension.

Next, we tackle one of the hardest topics on the exam, international data transfers and the Schrems saga. First, go test yourself on transparency and notices.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 5(1)(a) (transparency), Article 12 (transparency modalities), Article 13 (data collected from the subject), Article 14 (data obtained indirectly)
  • GDPR Recitals 58–62
  • Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (WP260 rev.01), endorsed by the EDPB
