---
name: direct-collection-notice
title: Providing Direct Collection Information
description: Provides GDPR Article 13 information at the point of direct data collection, covering all required elements under Art. 13(1)(a)-(f) and Art. 13(2)(a)-(g), layered notice design, and timing requirements. Activate for Art. 13, direct collection notice, privacy notice at collection, data collection information queries.
author: mukul975
author_url: https://github.com/mukul975/Privacy-Data-Protection-Skills/tree/main/skills/privacy/direct-collection-notice
license: Apache-2.0
version: 0.1.0
execution_mode: open
jurisdiction: general
practice: data-protection
language: en
---

# Providing Direct Collection Information

## Overview

GDPR Article 13 requires controllers to provide specific information to data subjects at the time personal data is collected directly from them. This information must be provided at the point of collection, not afterwards. This skill provides the complete checklist of required elements, guidance on layered notice design, and templates for common collection scenarios.

## Legal Foundation

### GDPR Article 13 — Information to Be Provided Where Personal Data Are Collected from the Data Subject

#### Art. 13(1) — First Layer (Mandatory at Point of Collection)

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

| Element | Article | Description |
|---------|---------|-------------|
| Controller identity | Art. 13(1)(a) | Identity and contact details of the controller and, where applicable, of the controller's representative |
| DPO contact | Art. 13(1)(b) | Contact details of the data protection officer, where applicable |
| Purposes and legal basis | Art. 13(1)(c) | The purposes of the processing and the legal basis under Art. 6 |
| Legitimate interests | Art. 13(1)(d) | Where processing is based on Art. 6(1)(f), the legitimate interests pursued by the controller or by a third party |
| Recipients | Art. 13(1)(e) | The recipients or categories of recipients of the personal data, if any |
| International transfers | Art. 13(1)(f) | Where applicable, that the controller intends to transfer data to a third country or international organisation, the existence or absence of an adequacy decision, or reference to appropriate safeguards and means of obtaining a copy or where they have been made available |

#### Art. 13(2) — Second Layer (Necessary for Fair Processing)

In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

| Element | Article | Description |
|---------|---------|-------------|
| Retention period | Art. 13(2)(a) | The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period |
| Data subject rights | Art. 13(2)(b) | The existence of the right to request access, rectification, erasure, restriction, object, and portability |
| Right to withdraw consent | Art. 13(2)(c) | Where processing is based on Art. 6(1)(a) or Art. 9(2)(a), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal |
| Right to complain | Art. 13(2)(d) | The right to lodge a complaint with a supervisory authority |
| Statutory/contractual requirement | Art. 13(2)(e) | Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the data and the possible consequences of failure to provide |
| Automated decision-making | Art. 13(2)(f) | The existence of automated decision-making including profiling, meaningful information about the logic, significance, and envisaged consequences |
| Further processing | Art. 13(2)(g) | Where the controller intends to further process for a purpose other than the original, provide information on that other purpose and any relevant further information under Art. 13(2) |

### Timing (Art. 13(1) First Sentence)

All Art. 13 information must be provided **at the time when personal data are obtained** — before or at the moment of collection, not after.

### Exemption (Art. 13(4))

Art. 13(1)-(3) shall not apply where and insofar as the data subject already has the information.

## Layered Notice Design for Direct Collection

### Principle

The EDPB Guidelines on Transparency (WP260 rev.01) recommend a layered approach for direct collection to balance completeness with usability:

### Layer 1: Just-In-Time Notice

Displayed directly at the point of data collection (e.g., on the form, above the submit button, within the app screen):

**Required elements at minimum:**
1. Controller identity (name)
2. Each specific purpose for which data is being collected
3. Any processing that may be unexpected or objectionable
4. Link to the full privacy notice (Layer 2)

**Format guidance:**
- Maximum 150 words
- Visible without scrolling on the collection interface
- No click-through required to see the core information
- Use icons where appropriate (per Art. 12(7))

### Layer 2: Full Privacy Notice

Linked from Layer 1, containing ALL Art. 13(1)(a)-(f) and Art. 13(2)(a)-(g) elements.

### Layer 3: Detailed Supplementary Information

Available on request or via contextual links:
- Full legitimate interest assessments
- Complete international transfer mechanism documentation
- Detailed automated decision-making logic explanations

## Collection Scenario Templates

### Scenario 1: Online Registration Form

**Collection point:** Account registration page
**Data collected:** Name, email, password, company name, job title
**Purpose:** Account creation and service provision

**Just-in-time notice text:**
> Meridian Analytics Ltd will use the information you provide to create and manage your account and deliver our analytics services. We may also use your email to send you service-related communications. Read our full privacy notice for details on how we use your data, who we share it with, and your rights.

### Scenario 2: Newsletter Signup

**Collection point:** Newsletter subscription form
**Data collected:** Email address, name (optional)
**Purpose:** Marketing communications

**Just-in-time notice text:**
> By subscribing, you consent to Meridian Analytics Ltd sending you marketing emails about our products and services. You can unsubscribe at any time by clicking the link in any email. We will not share your email address with third parties for marketing. Read our full privacy notice.

### Scenario 3: Contact Form / Support Request

**Collection point:** Contact us / support form
**Data collected:** Name, email, company, message content
**Purpose:** Responding to enquiry

**Just-in-time notice text:**
> Meridian Analytics Ltd will use the details you provide to respond to your enquiry. We will retain your message for 3 years to maintain service quality. Read our full privacy notice.

### Scenario 4: Event Registration

**Collection point:** Event/webinar registration form
**Data collected:** Name, email, company, dietary requirements (if in-person)
**Purpose:** Event management and follow-up

**Just-in-time notice text:**
> Meridian Analytics Ltd will use your details to manage your event registration and send you event-related communications. If you provide dietary requirements, this information will be processed under your explicit consent and shared only with the catering provider for this event. Read our full privacy notice.

## Compliance Checklist

For every new data collection point, verify:

- [ ] Art. 13(1)(a): Controller name and contact details displayed
- [ ] Art. 13(1)(b): DPO contact details accessible (directly or via link to full notice)
- [ ] Art. 13(1)(c): Each purpose and legal basis stated
- [ ] Art. 13(1)(d): Legitimate interests specified (if Art. 6(1)(f) relied upon)
- [ ] Art. 13(1)(e): Recipients identified (directly or via link to full notice)
- [ ] Art. 13(1)(f): International transfer information provided (if applicable)
- [ ] Art. 13(2)(a): Retention period or criteria stated
- [ ] Art. 13(2)(b): Data subject rights listed with exercise mechanism
- [ ] Art. 13(2)(c): Right to withdraw consent stated (if consent-based)
- [ ] Art. 13(2)(d): Right to complain to ICO stated
- [ ] Art. 13(2)(e): Whether provision is required and consequences of non-provision
- [ ] Art. 13(2)(f): Automated decision-making disclosure (if applicable)
- [ ] Information provided at or before the moment of collection
- [ ] Layered approach: just-in-time notice + link to full notice
- [ ] Language is clear, plain, and appropriate for the audience
- [ ] Notice is visible without requiring additional clicks or scrolling