The European Data Protection Board (EDPB) has again launched a joint European effort this year, with the focus in 2026 on the duty to provide information. As part of the effort, Datatilsynet, together with other supervisory authorities in the EU/EEA, has increased its focus on how companies comply with the rules on transparency and disclosure under the General Data Protection Regulation (GDPR).
The purpose is to ensure that data subjects receive clear and complete information about how their personal data is processed.
What does the duty to provide information entail?
The duty to provide information is a fundamental principle of the GDPR and follows from Articles 12, 13 and 14. This means that you, as a data controller, must actively inform the data subjects about how you process their personal data.
Article 12 sets out the general requirements for how information must be provided. The information must be easily accessible, concise and formulated in clear and plain language. At the same time, you must ensure that data subjects can easily exercise their rights and that requests are responded to within one month as a general rule.
Articles 13 and 14 regulate when and what information must be provided. If you collect personal data directly from the data subject, the information must be provided at the time of collection. If the personal data originate from other sources, the information must be provided as soon as possible and at the latest within one month.
The content requirements mean that you must provide information about, among other things:
- who you are and how you can be contacted
- what information you process
- the purpose of the processing
- the basis for processing
- any recipients of the information
- storage period
- the rights of data subjects
- the possibility of lodging a complaint with Datatilsynet
- the data source (if the information is not collected directly)
How do you put the rules into practice?
In practice, the duty to provide information means that data subjects must be informed about how you as a company process their personal data.
In recent years, there has been a clear trend in practice for supervisory authorities, including Datatilsynet, to place increased demands on transparency and accessibility. This basically means that you must ensure that information is provided in a clear and understandable format so that data subjects (consumers) can easily understand how their personal data is processed. In addition, it is important to focus on the time at which the information is provided. As mentioned above, the starting point is that the information must be provided at the time of collection.
It is also important to be able to document that the information obligation has been fulfilled, including when the information was provided.
Finally, you should be aware that the information must be updated and provided again if the purpose of the processing changes or if the information is used in a new way that the data subject could not reasonably expect.
What should you do now?
Datatilsynet will organize a study on the duty to provide information. With the increased focus of authorities in 2026, it is a good opportunity to review your current practices. Consider whether your information to data subjects is sufficiently clear, comprehensive and accessible – and whether it is provided at the right times.
Correct and well-thought-out fulfillment of the duty to disclose information is not only a legal requirement, but also an important part of creating trust among customers and partners.
If you have any further questions in this area, or if you need help reviewing your current privacy policies, you are always welcome to contact Unitas.