Information to be provided
Where personal data relating to a data subject are collected from the data subject, the controller must, at the time when personal data are obtained, provide the data subject with certain information.
What information must be provided?
The controller must provide the data subject with the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative
- the contact details of the data protection officer, where applicable
- the purposes of the processing for which the personal data are intended
- the legal basis for the processing
- the legitimate interests pursued by the controller or by a third party (if this is the legal basis)
- the recipients or categories of recipients of the personal data
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision
In case of the existence of a joint controller agreement, the controllers must make available to the data subject the essence of the agreement.
The following additional information is to be provided to ensure fair and transparent processing:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- the right to lodge a complaint with a supervisory authority
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
- the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
"Every data processing operation needs a specific purpose. Where a controller intends to further process personal data for a purpose other than that for which the personal data were collected, the controller must inform the data subject on that other purpose."
When must the information be provided?
The information must be provided at the time when personal data are obtained. Data is considered to be “obtained” insofar as contact has been made with the data subject in any conceivable way and personal data has been collected in the process. The data can be obtained consciously and through the data subject’s own efforts (e.g. by entering and submitting a form) or generated by the data controller itself (e.g. image recordings).
"The data subject does not need to be informed insofar as he or she already has the information."
Where and how must such information be provided?
According to Article 12 of the GDPR, the information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Easy accessibility refers to the external presentation of the information, which will vary depending on the type of communication.
Are data collected directly in the offline world (for example, on business premises), the information can be provided on an information sheet or by reference to a notice board.
Right to object
The data subject has the right to object at any time to processing of personal data concerning him or her. The controller then may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
The controller must provide the information to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information must be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, if the identity of the data subject is proven by other means.
Offline, the information can be provided on a separate information sheet or by reference to a notice board if the data is collected directly (for example, on business premises).
In the case of personal contact – e.g., by filling out a form – an information sheet can be enclosed., if the form refers to the additional sheet.
In the case of a telephone call in which data is collected, certain information must be provided directly in the conversation, and additional information can be referred to the website or a subsequent mailing.
Yes, controllers must give information on the processing procedures of their processors.
The fine for violating information obligations can be up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In addition, according to Article 77 of the GDPR the data subject has the right to lodge a complaint with a supervisory authority.
Instead of or in addition to the complaint with a supervisory authority, the data subject may also file a lawsuit.
A company’s external image is the ultimate attack surface. Depending on how well or poorly the information is designed, everyone knows whether the company values data protection or not. There are several reasons, why it is important to fulfill information obligations:
- Legal Compliance: Complying with the information obligation is a legal requirement, and failure to meet this obligation can result in significant fines and penalties. By providing clear and transparent information to data subjects, controllers demonstrate their commitment to legal compliance and mitigate the risk of non-compliance.
- Trust and reputation: Transparency builds trust between entrepreneurs and their customers, clients, and partners. By being open and transparent about how personal data is processed, entrepreneurs can establish a positive reputation as trustworthy and responsible custodians of data. This can lead to increased customer loyalty, brand reputation, and competitive advantage.
- Customer expectations: In today’s digital landscape, individuals are increasingly concerned about the privacy and security of their personal data. Meeting the information obligation is crucial for meeting customer expectations regarding data protection.
- Competitive Advantage: Demonstrating transparency and compliance with data protection regulations give companies a competitive advantage. In a market where data privacy is a growing concern, organizations who prioritize and effectively communicate their data protection practices can differentiate themselves from competitors.
- Business Relationships: Controllers often collaborate with other organizations, such as subcontractors or third-party service providers. The information obligation extends to these business relationships as well. Clearly communicating data processing activities to these entities through contracts or agreements ensures that they understand and comply with data protection requirements. This helps organizations manage the risk of non-compliant data processing by their partners.
- Data Governance and Accountability: The information obligation promotes good data governance practices within organizations. By being aware of and documenting data processing activities, controllers can better manage and control personal data within their organization.
Yes, according to the GDPR, the information obligations also apply to data acquisition or data purchasing. When a company acquires personal data from third parties or data providers, information obligations must be fulfilled.
The information must be provided in a way that is easily accessible to the data subject.
The language used for fulfilling the information obligation depends on various factors, such as the target audience of the information and the jurisdiction in which the data subjects reside.
If the data subjects primarily speak a particular language, it is advisable to provide the information in that language to ensure effective communication and understanding.
If the data subjects are located in a specific country where an official language is recognized, providing the information in that official language would be appropriate. Additionally, if a company operates in multiple countries and targets data subjects from different linguistic backgrounds, it may be necessary to provide translations or multilingual versions of the information to accommodate the needs of various language groups.
For example, if you provide a website in different languages, then you must provide the data protection information in all these languages too.
When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
No, the information obligation under the GDPR cannot be waived by the data subject. The GDPR places a strong emphasis on transparency and ensuring that data subjects are informed about the processing of their personal data.