Transparency Requirements (Articles 12-14)
Transparency is a cornerstone principle of the GDPR, enshrined in Articles 12-14, which collectively establish the obligations data controllers must fulfill to ensure individuals are adequately informed about how their personal data is processed. **Article 12** sets the overarching framework for transparency, requiring that all information and communications related to data processing be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. This is especially important when addressing children. Controllers must facilitate the exercise of data subject rights and respond to requests without undue delay, generally within one month. Responses must be provided free of charge, though fees may apply for manifestly unfounded or excessive requests.
**Article 13** applies when personal data is collected directly from the data subject. At the time of collection, controllers must provide information including: the controller's identity and contact details, the DPO's contact details (if applicable), the purposes and legal basis for processing, legitimate interests pursued, recipients of the data, details of international transfers, retention periods, data subject rights (access, rectification, erasure, restriction, portability, objection), the right to withdraw consent, the right to lodge a complaint with a supervisory authority, and whether providing data is a statutory or contractual requirement. Information about automated decision-making, including profiling, must also be disclosed.
**Article 14** addresses situations where personal data is not obtained directly from the data subject (e.g., from third parties or public sources). Similar information must be provided, along with the categories of personal data concerned and the source of the data. This information must be provided within a reasonable period, no later than one month after obtaining the data, or at first communication with the data subject. Exemptions exist under Article 14 where providing information proves impossible, would involve disproportionate effort, or where data collection is mandated by law. Together, these articles ensure individuals maintain meaningful control over their personal data through informed awareness.
Transparency Requirements (Articles 12-14) – A Comprehensive Guide for CIPP/E Exam Preparation
Why Are Transparency Requirements Important?
Transparency is one of the foundational principles of the General Data Protection Regulation (GDPR). It is explicitly enshrined in Article 5(1)(a), which states that personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. Articles 12-14 operationalize this principle by setting out the specific obligations controllers must follow when providing information to data subjects.
Without robust transparency requirements, individuals would have no meaningful way to understand how their data is being collected, used, shared, or stored. Transparency empowers data subjects to exercise their other rights under the GDPR (such as access, rectification, erasure, and objection). It also builds trust between organizations and individuals, fosters accountability, and supports the broader goals of data protection law across the European Economic Area (EEA).
For CIPP/E exam purposes, transparency requirements are a high-priority topic because they cut across many areas of data protection law and are frequently tested in scenario-based questions.
What Are the Transparency Requirements Under Articles 12-14?
The transparency requirements are spread across three key articles:
Article 12 – Transparent Information, Communication, and Modalities for the Exercise of Data Subject Rights
Article 12 sets out the overarching rules governing how controllers must communicate with data subjects. Key provisions include:
• Concise, transparent, intelligible, and easily accessible form: All information provided to data subjects must be presented in clear and plain language, particularly when addressed to a child.
• Appropriate form: Information must be provided in writing or by other means, including electronic means where appropriate. When requested by the data subject, the information may be provided orally, provided the identity of the data subject is verified.
• Free of charge: Information must generally be provided free of charge. However, where requests are manifestly unfounded or excessive (particularly if repetitive), the controller may charge a reasonable fee or refuse to act.
• Timeframes: Controllers must respond to data subject requests without undue delay and in any event within one month of receipt. This may be extended by a further two months where necessary (taking into account the complexity and number of requests), but the data subject must be informed of the extension and the reasons within one month.
• Inability to identify the data subject: If the controller cannot identify the data subject, it must inform them accordingly and is not required to comply with Articles 15-20 unless the data subject provides additional information enabling identification.
• Facilitation of rights: Controllers must facilitate the exercise of data subject rights and cannot refuse to act on a request unless the controller demonstrates that it is unable to identify the data subject.
Article 13 – Information to Be Provided Where Personal Data Are Collected From the Data Subject
Article 13 applies when personal data are collected directly from the data subject. At the time the data is obtained, the controller must provide the following information:
Mandatory disclosures (Article 13(1)):
• The identity and contact details of the controller (and, where applicable, the controller's representative)
• Contact details of the Data Protection Officer (DPO), where applicable
• The purposes of processing and the legal basis for processing
• Where processing is based on legitimate interests (Article 6(1)(f)), the legitimate interests pursued by the controller or a third party
• The recipients or categories of recipients of the personal data
• Where applicable, the fact that the controller intends to transfer personal data to a third country or international organization, the existence or absence of an adequacy decision, and appropriate safeguards (including how to obtain a copy of them)
Additional disclosures necessary to ensure fair and transparent processing (Article 13(2)):
• The period for which the personal data will be stored, or if not possible, the criteria used to determine that period (the retention period)
• The existence of data subject rights: the right to request access, rectification, erasure, restriction of processing, to object to processing, and the right to data portability
• Where processing is based on consent (Article 6(1)(a)) or explicit consent (Article 9(2)(a)), the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
• The right to lodge a complaint with a supervisory authority
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and the possible consequences of failing to provide such data
• The existence of automated decision-making, including profiling (referred to in Article 22(1) and (4)), and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
Timing under Article 13: Information must be provided at the time when personal data are obtained from the data subject.
Article 14 – Information to Be Provided Where Personal Data Have Not Been Obtained From the Data Subject
Article 14 applies when personal data are collected indirectly (i.e., not directly from the data subject but from other sources such as third parties, publicly available sources, data brokers, etc.). The information requirements are largely similar to Article 13, but with notable differences:
Additional or different requirements under Article 14:
• The controller must inform the data subject of the categories of personal data concerned (since the data subject may not know what data has been collected about them)
• The controller must inform the data subject of the source from which the personal data originated, and if applicable, whether it came from publicly accessible sources
Timing under Article 14: Information must be provided:
• Within a reasonable period after obtaining the data, but at the latest within one month
• If the data will be used for communication with the data subject, at the latest at the time of the first communication
• If disclosure to another recipient is envisaged, at the latest when the data is first disclosed
Exemptions under Article 14(5): The obligation to provide information under Article 14 does not apply where and insofar as:
• The data subject already has the information
• The provision of such information proves impossible or would involve a disproportionate effort (particularly for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards). In such cases, the controller must take appropriate measures to protect the data subject's rights and freedoms, including making the information publicly available
• Obtaining or disclosure is expressly laid down by EU or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests
• The personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law
How Do the Transparency Requirements Work in Practice?
In practice, organizations fulfill their transparency obligations primarily through privacy notices (also called privacy policies or fair processing notices). These notices must be:
• Written in clear and plain language, avoiding legal jargon
• Easily accessible – for example, provided via a link on a website homepage, within an app, or handed directly to the individual
• Layered where appropriate – many organizations use a layered approach, providing a short-form notice at the point of collection with a link to a more detailed privacy notice
• Regularly reviewed and updated to reflect any changes in processing activities
The European Data Protection Board (EDPB, formerly the Article 29 Working Party) has issued detailed guidance on transparency (WP260 rev.01), which provides practical recommendations including the use of:
• Layered notices
• Dashboards
• Icons (Article 12(7) foresees the possibility of standardized icons)
• Just-in-time notices
• Videos and other multimedia tools
Controllers must also consider the audience: when processing data of children, the language and presentation must be adapted to be understandable by a child.
Key Distinctions to Remember for the Exam
1. Article 13 vs. Article 14: The most critical distinction is the source of the data. Article 13 applies when data is collected directly from the data subject; Article 14 applies when data is obtained from another source.
2. Timing differences: Under Article 13, information must be provided at the time of collection. Under Article 14, information must be provided within a reasonable period (up to one month), at the time of first communication, or at the time of first disclosure to another recipient – whichever comes first.
3. Categories of data: Article 14 requires disclosure of the categories of personal data, which is not explicitly required under Article 13 (because the data subject already knows what data they are providing).
4. Source of data: Article 14 requires the controller to disclose the source of the personal data. This is logically unnecessary under Article 13.
5. Exemptions: Article 14(5) provides specific exemptions that do not exist under Article 13. In particular, the disproportionate effort exemption is only available under Article 14, not Article 13.
6. Article 12 is procedural: Article 12 does not list specific information to be provided but rather sets the manner, form, and modalities for communication with data subjects.
Exam Tips: Answering Questions on Transparency Requirements (Articles 12-14)
Tip 1: Identify the source of data collection first.
When presented with a scenario, immediately determine whether data was collected directly from the data subject (Article 13) or from another source (Article 14). This is often the key to selecting the correct answer. For example, if a company purchases a mailing list from a data broker, Article 14 applies. If a customer fills out an online form, Article 13 applies.
Tip 2: Know the timing rules precisely.
The exam frequently tests the timing of information provision. Remember:
- Article 13: At the time of collection
- Article 14: Within a reasonable period (max one month), at the time of first communication, or at the time of first disclosure – whichever is earliest
- Article 12 response timeframe: One month, extendable by two more months
Tip 3: Memorize the unique elements of Article 14.
Focus on what Article 14 requires that Article 13 does not: (a) categories of personal data and (b) the source of the data. These are common exam traps.
Tip 4: Remember the Article 14(5) exemptions.
Know the four exemptions: (a) data subject already has the information, (b) impossible or disproportionate effort, (c) EU/Member State law requires obtaining or disclosure, (d) professional secrecy obligation. The disproportionate effort exemption is commonly tested, especially in contexts involving research or statistical processing.
Tip 5: Understand the Article 12 modalities.
Questions may test your knowledge of the form of communication: concise, transparent, intelligible, easily accessible, clear and plain language. Know that the default is written/electronic form, oral provision is possible upon request (with identity verification), and information must generally be provided free of charge.
Tip 6: Know the fee and refusal provisions.
Under Article 12(5), controllers may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive. The burden of proof lies with the controller to demonstrate this. This is a frequently tested nuance.
Tip 7: Be aware of the children's provision.
Where services are offered directly to a child, Article 12(1) requires that information be provided in language that is clear and easily understandable to a child. Questions may present scenarios involving minors to test this knowledge.
Tip 8: Link transparency to other GDPR provisions.
Transparency obligations connect to: the fairness principle (Article 5(1)(a)), the accountability principle (Article 5(2)), DPO contact details (Articles 37-39), international transfers (Chapter V), automated decision-making (Article 22), and data subject rights (Articles 15-22). The exam may test your ability to see these connections.
Tip 9: Know the role of the EDPB guidance.
The EDPB's Guidelines on Transparency (WP260 rev.01) are influential in interpreting Articles 12-14. Be familiar with the concept of layered notices, the quality of information requirement, and the recommendation that controllers use multiple channels to deliver transparency information.
Tip 10: Practice with scenarios.
Transparency questions on the CIPP/E exam are often scenario-based. Practice identifying: (a) which article applies, (b) what specific information must be provided, (c) when it must be provided, and (d) whether any exemptions apply. Work through the logic step by step.
Summary Table for Quick Revision
Article 12: HOW to communicate – form, modalities, timeframes, free of charge, clear and plain language
Article 13: WHAT to communicate when data is collected FROM the data subject – at the time of collection
Article 14: WHAT to communicate when data is NOT obtained from the data subject – within one month or at first communication/disclosure
Mastering these three articles and their interrelationships will give you a strong foundation for answering transparency-related questions on the CIPP/E exam with confidence.