GDPR Right to be Informed

GDPR Right to be Informed

There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data. Therefore, the General Data Protection Regulation (GDPR) gives individuals a right to be informed about the collection and use of their personal data, which leads to a variety of information obligations by the controller.

The law differentiates between two cases: On the one hand, if personal data is directly obtained from the data subject (Art. 13 of the GDPR) and, on the other hand, if this is not the case (Art. 14 of the GDPR).

Where data is obtained directly, the person must be immediately informed, meaning at the time the data is obtained. In terms of content, the controller’s obligation to inform includes his identity, the contact data of the Data Protection Officer (if available), the processing purposes and the legal basis, any legitimate interests pursued, the recipients when transmitting personal data, and any intention to transfer personal data to third countries. In addition, the right to be informed also includes information about the duration of storage, the rights of the data subject, the ability to withdraw consent, the right to lodge a complaint with the authorities and whether the provision of personal data is a statutory or contractual requirement. In addition, the data subject must be informed of any automated decision-making activities, including profiling. Only if the data subject is already aware of the above information it is not necessary to provide these.

If personal data is not obtained from the data subject, he or she must be provided the information within a reasonable period of time, but at latest after a month. In cases where the gathered information is used to directly contact the data subject, he or she has the right to be informed immediately upon being approached. As far as content is concerned, the controller has to provide the same specific information as if the personal data would have been directly obtained from the data subject. The only exception is the information about any obligations to provide the personal data, as the controller does not have the decision-making authority in this case. In addition, the controller has the obligation to inform from what sources the personal data originated, and whether it was publicly available. The data subject has a right to be informed in a precise, transparent, comprehensible and easily accessible form. The obligation to inform can be fulfilled in writing or electronic form. It is explicitly stated that so-called ‘standardised image symbols’ can also be used in order to convey a meaningful overview of the intended processing in an easily comprehended, understandable and clear form.

In the case that the personal data is not gathered from the data subject, in exceptional cases there is no obligation to inform. This applies, if providing the information is either impossible or unreasonably expensive, the gathering and/or transmission is required by law, or if the data must remain confidential due to professional secrecy or other statutory secrecy obligations.

Suitable GDPR articles

Art. 12 GDPR Transparent information, communication and modalities for the exercise of the rights of the data subject Art. 13 GDPR Information to be provided where personal data are collected from the data subject Art. 14 GDPR Information to be provided where personal data have not been obtained from the data subject

Suitable Recitals

(39) Principles of Data Processing (58) The Principle of Transparency (59) Procedures for the Exercise of the Rights of the Data Subjects (60) Information Obligation (61) Time of Information (62) Exceptions to the Obligation to Provide Information (73) Restrictions of Rights and Principles

External Links

 

Authorities

Data Protection Authority UK ► Right to be informed

Data Protection Authority UK ► Privacy notices, transparency and control

Data Protection Authority Ireland ► Rights of Individuals under the General Data Protection Regulation – The right to be informed, Page 5

Article 29 Data Protection Working Party ► WP260 – Guidelines on Transparency

European Commission ► What information must be given to individuals whose data is collected?

EU publications ► Handbook on European data protection law – Right to be informed, page 207

 

Expert contribution

CIPL ► Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR

Bird & Bird ► Information notices

 

For more information, see here:  https://gdpr-info.eu/issues/right-to-be-informed/

 

These materials were obtained directly from the International Government public websites and public websites and are posted here for your review and reference only.  No Claim to Original International Government Works or public websites.  These may not be the most recent versions.  The International Governments and public websties may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.

These materials were obtained directly from the U.S. Federal Government public websites, U.S. State Government public websites, or the International Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works, Original U.S. State Government Works, or Original International Government Works. This information may not be the most recent version. The U.S. Government, U.S. States, or International Governments may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.