Duty to Inform
The duty to inform requires you as a data controller to inform data subjects about how you process their personal data. GDPR Articles 13 and 14 specify which information you must provide, and when.
What is the duty to inform?
The duty to inform is a central part of the transparency principle in the GDPR. It ensures that data subjects know what happens with their personal data and can exercise their rights.
The GDPR distinguishes between two situations:
- Article 13: Data is collected directly from the data subject (e.g. via a form, sign-up or purchase).
- Article 14: Data is received from a third party (e.g. from a data provider, public register or another organisation).
The requirements are nearly identical, but under Article 14 you must also disclose the source of the data.
What must you disclose?
The following information must be provided as a minimum:
- The identity of the data controller and contact details
- Contact details of the DPO (if you have one)
- The purpose of the processing and the legal basis
- Where legitimate interest applies: the specific interest
- Recipients or categories of recipients
- Whether data is transferred to third countries and the transfer mechanism used
- The retention period or the criteria used to determine it
- The data subject's rights (access, rectification, erasure, restriction, portability, objection)
- The right to withdraw consent (if applicable)
- The right to lodge a complaint with the Danish Data Protection Agency
- Whether automated decision-making or profiling takes place
When and how?
Timing:
- Article 13 (direct collection): At the time of collection.
- Article 14 (from third parties): Within a reasonable period, at the latest within one month, at first contact with the data subject, or upon disclosure.
Form: The GDPR requires that information is provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language" (Article 12). You must avoid legal jargon that data subjects do not understand.
In practice, most organisations combine a general privacy policy with short, context-specific notices at each collection point (e.g. "By signing up, we process your name and email for...").
Duty to inform in practice
Practical steps for implementing the duty to inform:
- Prepare a clear and up-to-date privacy policy covering all processing activities
- Use "layered notices": brief summaries at collection points with a link to the full privacy policy
- Ensure the privacy policy is easily accessible (visible in the footer, next to forms, etc.)
- Update it when processing activities change and inform data subjects of material changes
- Adapt the language to the target audience (use plain language, avoid legalese)
The duty to inform is one of the most frequently breached GDPR provisions. The Danish Data Protection Agency regularly checks whether privacy policies meet the requirements.
Non-compliance can result in fines of up to EUR 20 million or 4% of global annual turnover.
Frequently Asked Questions about Duty to Inform
What is the duty to inform?
The duty to inform is your obligation as a data controller to inform data subjects about how you process their personal data. It covers the purpose, legal basis, recipients, retention period and the data subject's rights.
When must the duty to inform be fulfilled?
If you collect data directly from the data subject, you must inform them at the time of collection. If you receive data from a third party, you must inform within a reasonable period, at the latest within one month, at first contact or upon disclosure.
Where must the information be provided?
There are no formal requirements in the GDPR, but the information must be provided in a concise, transparent, intelligible and easily accessible form. In practice, a privacy policy on the website combined with short notices at specific collection points is typically used.
What happens if you do not comply with the duty to inform?
Non-compliance with the duty to inform can result in fines of up to EUR 20 million or 4% of global annual turnover. The Data Protection Agency can also issue orders and warnings. It is one of the most common violations found by supervisory authorities.
Related Terms
Data Subject
The data subject is the natural person whose personal data is processed by an organisation under the GDPR.
Right of Access
The right of access gives data subjects the right to see what personal data an organisation processes about them under GDPR Article 15.
Privacy Policy
A privacy policy informs data subjects about how your organisation collects, processes and protects their personal data.
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
.legal is not a law firm and is therefore not under the supervision of the Bar Council.