GDPR Article 13 checklist: the disclosures most privacy policies miss

GDPR Article 13 lists the information a controller must provide to the data subject at the moment personal data is collected directly. It is more specific than "have a privacy policy." Each item on the list is a separate disclosure obligation, and missing any of them is a breach regardless of how thorough the rest of the document is.

GDPR Article 13(1) checklist

Article 13(1) requires the controller to provide the following information at the time of collection.

• Identity and contact details of the controller, and where applicable, the controller's representative.
• Contact details of the Data Protection Officer where one is appointed.
• Purposes of processing and the legal basis for each purpose.
• Where processing is based on legitimate interests under Article 6(1)(f), the specific legitimate interests pursued.
• Recipients or categories of recipients of the personal data.
• Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.

GDPR Article 13(2) checklist

Article 13(2) layers six further disclosures on top.

• Retention period or the criteria used to determine it.
• The right to access, rectify, erase, restrict, port, and object.
• The right to withdraw consent at any time, where processing is based on consent.
• The right to lodge a complaint with a supervisory authority.
• Whether the data subject is obliged to provide the data and the consequences of failing to do so.
• The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Four disclosures we see missing most often

1. Legitimate interest specifics

Stores relying on legitimate interests (typical for fraud prevention or product analytics) state the basis but rarely state the specific legitimate interests. "To improve our services" is not specific. The Article 29 Working Party guidance, carried forward by the EDPB, is that the interests pursued must be identifiable to a level that allows the data subject to weigh them.

2. Recipients of personal data

Article 13(1)(e) requires recipients or categories. "Third-party service providers" is a category that EDPB guidance has called insufficient. A defensible disclosure names the categories with enough specificity that a reader can identify the kinds of processors involved (payment processor, email service provider, analytics provider, customer support platform).

3. Retention period or criteria

"As long as necessary" is not a criterion. A criterion is something a reader can evaluate. "For 90 days after order fulfilment for customer support purposes, for 7 years after invoice issuance for tax record-keeping obligations" is a criterion.

4. Right to lodge a complaint

Article 13(2)(d) requires disclosure of the right to lodge a complaint with a supervisory authority. The relevant DPA depends on the controller's establishment and the affected data subjects. EU stores often omit this entirely or reference "the relevant data protection authority" without naming one.