Transparency is one of the most controversial data protection issues. This page gives you an overview and answers important questions:
Intro: What are the most important facts about transparency?
Requirements: What does the law say about transparency?
Duties: What specific measures need to be implemented when it comes to transparency?
The legal idea of transparency is to give the person an insight into the essential processing circumstances (e.g. processed data categories, processing purposes, data recipients, deletion periods). Knowledge of these circumstances enables the individual to assert further rights with regard to the processing, e.g. the right to erasure or the right to rectification. The GDPR requires the company to provide information before the start of data processing if the data is collected directly from the data subject.
According to the GDPR, it is the so-called "controller" who has to provide the data subject with certain information about the data processing.
There may be several controllers that process personal data either in a so-called joint controllership or in a separate controllership. While the controllers of a joint controllership may define that only one controller is responsible for the information, separate controllers have to inform the data subject regardless of the other controller’s information provision.
The GDPR differentiates between the case where personal data are collected “from the data subject” (regulated in Art. 13 GDPR) and the case where personal data “have not been obtained from the data subject” (regulated in Art. 14 GDPR).
Unfortunately, the law does not specify when data is collected “from the data subject”. The lack of any restricting criteria speaks in favor of a broad understanding. However, too broad an understanding risks being impractical for many modern data processing operations where the data subject, although undoubtedly the source of the information, is not aware of the data processing, e.g. when accidentally pictured by a hidden camera.
Therefore, Art. 13 should be deemed applicable only to those data processing operations in which the data subject, in a certain context, actively provides data (e.g. by passing the entrance of a supermarket that is filmed by CCTV). Situations in which it is the controller who, pursuing a legitimate purpose, approaches the data subject and thereby initiates the data subject's involvement in the data processing should be considered extrinsic collection.
Transparency obligations are usually implemented by means of so-called data privacy notices. Depending on the data collection context, these can either be issued in digital form (website) or printed out on paper. Verbal information is also possible in principle. However, it should be verifiable that the information is actually provided.
If the extensive data protection obligations cannot be meaningfully (completely) displayed due to the small size of the data collection medium (e.g. smartwatch), a link can be provided to further data protection information, e.g. by means of a QR code.