--- title: "EU GDPR Transparency Notices: Articles 12, 13 and 14" canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/transparency-notices" source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/transparency-notices" author: "Sorena AI" description: "Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU GDPR" - "GDPR transparency notices" - "Article 12 GDPR" - "Article 13 GDPR" - "Article 14 GDPR" - "privacy notices" - "data subject rights" - "GDPR" - "Transparency Notices" - "Article 12" - "Article 13" - "Article 14" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU GDPR Transparency Notices: Articles 12, 13 and 14 Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis. *Artifact Guide* *EU* ## EU GDPR Transparency Notices Build privacy notices around the actual Article 12, 13 and 14 fields: who controls the processing, why data is used, legal basis, recipients, transfers, retention, rights, and data sources. Use one notice record per processing purpose so legal, product, marketing, HR, support, procurement, and data-governance teams keep the public notice aligned with the data flow. GDPR transparency notices are not generic privacy-policy pages. Articles 12, 13 and 14 require controllers to give people clear, accessible information about the processing, including the controller identity, purposes, lawful basis, recipients, international transfers, retention, rights, and complaint route. Article 13 applies when personal data is collected from the person; Article 14 applies when the data comes from another source. ## Write the notice in Article 12 language Article 12 sets the form of the notice. The controller must provide Article 13 and 14 information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If the information is addressed to a child, the language standard is especially important. Do not bury the notice inside terms, support articles, or sales copy. The person should be able to find the controller identity, purpose, lawful basis, retention position, recipients, transfer information, and rights without reading unrelated material. - Use a short first layer that names the controller, purpose, data categories, lawful basis, rights, and links to the full notice. - Keep one complete notice available in writing or by electronic means so every required Article 13 or 14 field is in one place. - Use concrete verbs: collect, use, share, store, delete, disclose, transfer, and retain. - Avoid vague retention wording unless the notice also gives the criteria used to determine the period. - Make rights instructions practical enough for a person to request access, rectification, erasure, restriction, objection, portability, withdrawal of consent, or complaint review. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 12 requires Article 13 and 14 information to be concise, transparent, intelligible, easily accessible, and in clear plain language. ## Use Article 13 when data is collected from the person For forms, account sign-up, checkout, job applications, support chats, newsletter sign-ups, events, cookies that collect personal data, and other direct collection points, Article 13 information is due at the time the personal data is obtained. The notice should describe the processing purpose by purpose. If the same person gives data for account creation, billing, fraud prevention, analytics, marketing, and support, each purpose needs its own lawful basis, recipient position, retention position, and rights context. - Identify the controller and, where applicable, the controller's representative. - Give the DPO contact details where a DPO applies. - State the purposes of processing and the legal basis for each purpose. - If relying on legitimate interests under Article 6(1)(f), identify the interests pursued by the controller or a third party. - Name the recipients or categories of recipients, if any, such as payment providers, hosting providers, CRM providers, professional advisers, group entities, or public authorities where disclosure applies. - For transfers to a third country or international organisation, state whether there is an adequacy decision or refer to the Article 46, Article 47, or Article 49 safeguard and how the person can obtain a copy or find it. - State the storage period or the criteria used to determine it. - Explain the rights to access, rectification, erasure, restriction, objection, and portability, plus consent withdrawal where consent is the basis. - Explain the right to lodge a complaint with a supervisory authority. - Say whether providing the data is statutory, contractual, or necessary to enter into a contract, and describe the consequences of not providing it. - Disclose automated decision-making, including profiling, where Article 22 information is required. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 13 lists the notice information required when personal data is collected from the data subject. ## Use Article 14 when data comes from another source Article 14 applies when the controller did not obtain the personal data from the person. Common examples include data bought from a broker, received from a partner, generated by another group company, collected from public sources, or supplied by an employer, customer, referrer, or fraud-prevention service. The Article 14 notice overlaps with Article 13, but it adds two points that are easy to miss: categories of personal data concerned, and the source from which the personal data originates, including whether it came from publicly accessible sources. - Provide the controller identity, representative information where applicable, and DPO contact details where applicable. - State purposes and legal basis, including the specific legitimate interest where Article 6(1)(f) is used. - List the categories of personal data concerned because the person did not provide the data directly. - State recipients or categories of recipients, if any. - Give the transfer position for third countries or international organisations, including adequacy or safeguards where applicable. - State the storage period or retention criteria. - Explain rights to access, rectification, erasure, restriction, objection, portability, consent withdrawal where relevant, and complaint to a supervisory authority. - Identify the source of the data and say whether it came from publicly accessible sources where that applies. - Disclose automated decision-making, including profiling, where Article 22 information is required. - Deliver the information within a reasonable period after obtaining the data and at the latest within one month, or earlier if first communication or first disclosure happens before then. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 14 covers notice content, source disclosure, and timing where personal data was not obtained from the data subject. ## Keep recipients, transfers, and safeguards specific A transparency notice should not describe sharing only with a broad partner label. Articles 13 and 14 require recipients or categories of recipients if any, and separate information where the controller intends to transfer personal data to a third country or international organisation. For international transfers, the notice should say whether the transfer relies on an adequacy decision or on another safeguard. Where Article 46, Article 47, or the second subparagraph of Article 49(1) is relevant, the notice must refer to the safeguards and say how to obtain a copy or where they are available. - Use named recipients where the recipient is stable and meaningful to the person; use precise categories where names change often. - Separate processors, independent controllers, joint controllers, group entities, public authorities, and professional advisers where those categories are used. - Do not list speculative recipient categories that are not used in the actual processing flow. - For transfers, record the destination country or international organisation, the transfer mechanism, and where the safeguard can be reviewed. - Keep the public notice aligned with processor terms, transfer impact records, SCC records, and the record of processing activities. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 13 and 14 require recipient information and transfer information; Chapter V sets the general GDPR transfer rule. - [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Commission source for standard contractual clauses as a GDPR transfer safeguard for EU-to-third-country transfers. ## Make retention, lawful basis, and rights testable A privacy notice is easier to maintain when each processing purpose has a matching internal record. The public notice should not promise a basis, retention period, recipient list, or transfer safeguard that the record of processing, contract file, data map, or product implementation cannot support. Review the notice when a purpose changes, a new recipient receives data, a new data source is added, data moves to a third country, retention rules change, or automated decision-making is introduced. Articles 13 and 14 also require further-purpose information before further processing for a different purpose. - For each purpose, store the Article 6 lawful basis and any Article 9 or Article 10 condition needed for special-category, criminal-conviction, or offence data. - For consent, include how the person can withdraw consent and keep the notice wording consistent with the consent interface. - For legitimate interests, name the specific interest rather than using a generic phrase. - For retention, state a fixed period where possible; otherwise state objective criteria such as account status, contract duration, legal limitation period, dispute hold, or statutory retention requirement. - For rights, explain any workflow channel and make objection, portability, consent withdrawal, and complaint language visible where those rights are relevant to the processing. - For Article 14 data, keep a source register that distinguishes partner-provided data, customer-provided third-party data, public-source data, purchased data, and internally inferred data. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 13 and 14 require legal basis, retention, rights, source, and further-purpose information in privacy notices. *Recommended next step* *Placement: before sources* ## Use this guide to check every public privacy notice against Articles 12, 13 and 14 Sorena can help map each notice section to the underlying purpose, lawful basis, recipient, transfer safeguard, retention rule, rights workflow, and data source. - [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR notice content, Article 13 direct collection, Article 14 source disclosures, transfers, retention, and data subject rights. - [Talk through implementation](/contact.md): Review your GDPR transparency notices against processing purposes, data sources, recipients, transfers, retention rules, and rights workflows. ## Primary sources - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding GDPR source for Article 12 communication standards, Article 13 direct-collection notice content, Article 14 indirect-source notice content, retention criteria, rights, recipients, and transfer disclosures. - Quote: "concise, transparent, intelligible and easily accessible" - [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Commission source for standard contractual clauses as a GDPR transfer safeguard for data transfers from the EU to third countries. - Quote: "Standard contractual clauses" ## Related Topic Guides - [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives. - [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence. - [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live. - [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data. - [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence. - [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs. - [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records. - [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence. - [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records. - [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties. - [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence. - [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence. - [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks. - [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required. - [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits. - [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15. - [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records. - [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers. - [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks. - [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records. - [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f). - [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together. - [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence. - [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors. - [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable. - [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures. - [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers. - [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields. - [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required. - [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers. - [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence. - [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not. - [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance. - [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers. - [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records. - [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits. - [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability. - [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements. - [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/transparency-notices