Category: Compliance & AML · Reviewed by Tim Roche, Director · PI & Commercial · Last reviewed June 2026
The UK GDPR rules that require a controller, at the point of collection (Article 13) or within a reasonable period of obtaining data from a source other than the data subject (Article 14), to provide a defined set of information about its processing — typically delivered through a privacy notice.
Articles 13 and 14 UK GDPR set the controller’s transparency duty. They specify the information that must be provided to the data subject so that the data subject understands the processing, who is responsible for it, and how to exercise their rights. Article 13 applies where the data is collected directly from the data subject; Article 14 applies where the data is obtained from another source.
UK GDPR, Articles 13 and 14 (read with Article 12 — transparent communication). Data Protection Act 2018, Schedule 2 (limited exemptions).
The transparency duty is usually discharged through a published privacy notice. The notice must cover: controller identity and contact; DPO contact (where applicable); purposes and lawful basis of processing; legitimate interests where relied on; recipients or categories of recipient; international transfers and safeguards; retention period or criteria; data subject rights and the right to lodge a complaint with the ICO; whether the provision of data is statutory or contractual and the consequences of not providing it; existence of automated decision-making including profiling and the logic involved. Article 14 imposes a duty to inform the data subject within a reasonable period (no later than one month after obtaining the data, or earlier if used to communicate or share with a third party).
Limited exemptions to Article 14 (data not obtained from the data subject) apply where notification is impossible or would involve disproportionate effort. For insurance, the Article 14 issue commonly arises with named drivers, additional insured persons, beneficiaries, and claims-related third parties — care should be taken that notice is provided through the primary policyholder where direct contact is not practical.
Apex’s website privacy notice provides Article 13 transparency at the point of customer onboarding. For named drivers added to a motor policy mid-term, the Article 14 obligation is typically discharged through the policyholder providing a copy of the privacy notice to the named driver, with the policy documents explicitly drawing attention to this.
UK GDPR, Articles 12, 13, 14. Data Protection Act 2018, Schedule 2. ICO guidance on Right to be informed.
By Matt Bartlett, Director, on 2026-06-11.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-11. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.