GDPR: Providing Individuals with the Right to be Informed about Data Processing, Exercises of Decision Making

The General Data Protection Regulation (GDPR) requires organizations to provide individuals with clear and concise information about how their personal data is collected, used, and shared. This includes providing privacy information at the time of collection, within a reasonable period if obtained from other sources, and using a combination of techniques such as layered approaches, dashboards, and just-in-time notices to effectively communicate this information.

Typology: Exercises

2021/2022

Uploaded on 09/27/2022

rechel--
Right to be informed

At a glance

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.

You must provide privacy information to individuals at the time you collect their personal data from them.

If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.

User testing is a good way to get feedback on how effective the delivery of your privacy information is.

You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.

Checklists

What to provide

We provide individuals with all the following privacy information:
☐ The name and contact details of our organisation.
☐ The name and contact details of our representative (if applicable).
☐ The contact details of our data protection officer (if applicable).
☐ The purposes of the processing.
02 August 2018 - 1.0.248 1

☐ The lawful basis for the processing.
☐ The legitimate interests for the processing (if applicable).
☐ The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
☐ The recipients or categories of recipients of the personal data.
☐ The details of transfers of the personal data to any third countries or international organisations (if applicable).
☐ The retention periods for the personal data.
☐ The rights available to individuals in respect of the processing.
☐ The right to withdraw consent (if applicable).
☐ The right to lodge a complaint with a supervisory authority.
☐ The source of the personal data (if the personal data is not obtained from the individual it relates to).
☐ The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
☐ The details of the existence of automated decision-making, including profiling (if applicable).

When to provide it

☐ We provide individuals with privacy information at the time we collect their personal data from them.

If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
☐ within a reasonable period of obtaining the personal data and no later than one month;
☐ if we plan to communicate with the individual, at the latest, when the first communication takes place; or
☐ if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

How to provide it

We provide the information in a way that is:
☐ concise;
☐ transparent;
☐ intelligible;
☐ easily accessible; and

You must actively provide this information to individuals in a way that is easy to access, read and understand. You should review your current approach for providing privacy information to check it meets the standards of the GDPR.

What is the right to be informed and why is it important?

The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing individuals with clear and concise information about what you do with their personal data. Articles 13 and 14 of the GDPR specify what individuals have the right to be informed about. We call this ‘privacy information’. Using an effective approach can help you to comply with other aspects of the GDPR, foster trust with individuals and obtain more useful information from them. Getting this wrong can leave you open to fines and lead to reputational damage.

What privacy information should we provide to individuals?

The table below summarises the information that you must provide. What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or obtain it from another source.

What information do we need to provide?                                        Personal data      Personal data
                                                                               collected from     obtained from
                                                                               individuals        other sources

The name and contact details of your organisation                              ✓                  ✓
The name and contact details of your representative                            ✓                  ✓
The contact details of your data protection officer                            ✓                  ✓
The purposes of the processing                                                 ✓                  ✓
The lawful basis for the processing                                            ✓                  ✓
The legitimate interests for the processing                                    ✓                  ✓
The categories of personal data obtained                                                          ✓
The recipients or categories of recipients of the personal data                ✓                  ✓
The details of transfers of the personal data to any third countries
or international organisations                                                 ✓                  ✓
The retention periods for the personal data                                    ✓                  ✓
The rights available to individuals in respect of the processing               ✓                  ✓
The right to withdraw consent                                                  ✓                  ✓
The right to lodge a complaint with a supervisory authority                    ✓                  ✓
The source of the personal data                                                                   ✓
The details of whether individuals are under a statutory or contractual
obligation to provide the personal data                                        ✓
The details of the existence of automated decision-making, including
profiling                                                                      ✓                  ✓

When should we provide privacy information to individuals?

When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.

When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:
- within a reasonable period of obtaining the personal data and no later than one month;
- if you use data to communicate with the individual, at the latest, when the first communication takes place; or
- if you envisage disclosure to someone else, at the latest, when you disclose the data.

You must actively provide privacy information to individuals. You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.

When collecting personal data from individuals, you do not need to provide them with any information that they already have.

When obtaining personal data from other sources, you do not need to provide individuals with privacy information if:
- the individual already has the information;
- providing the information to the individual would be impossible;
- providing the information to the individual would involve a disproportionate effort;
- providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing;
- you are required by law to obtain or disclose the personal data; or
- you are subject to an obligation of professional secrecy regulated by law that covers the personal data.

The right to be informed in practice

If you sell personal data to (or share it with) other organisations:

As part of the privacy information you provide, you must tell people who you are giving their information to, unless you are relying on an exception or an exemption. You can tell people the names of the organisations or the categories that they fall within; choose the option that is most meaningful.

It is good practice to use a dashboard to let people manage who their data is sold to, or shared with, where they have a choice.

If you buy personal data from other organisations:

You must provide people with your own privacy information, unless you are relying on an exception or an exemption. If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, you must carry out a DPIA to find ways to mitigate the risks of the processing.

If your purpose for using the personal data is different to that for which it was originally obtained, you must tell people about this, as well as what your lawful basis is for the processing.

Provide people with your privacy information within a reasonable period of buying the data, and no later than one month.

If you obtain personal data from publicly accessible sources:

You still have to provide people with privacy information, unless you are relying on an exception or an exemption. If you think that it is impossible to provide privacy information to individuals, or it would involve a disproportionate effort, you must carry out a DPIA to find ways to mitigate the risks of the processing.

Be very clear with individuals about any unexpected or intrusive uses of personal data, such as combining information about them from a number of different sources.

Provide people with privacy information within a reasonable period of obtaining the data, and no later than one month.

If you apply Artificial Intelligence (AI) to personal data:

Be upfront about it and explain your purposes for using AI.

If the purposes for processing are unclear at the outset, give people an indication of what you are going to do with their data. As your processing purposes become clearer, update your privacy information and actively communicate this to people.

Inform people about any new uses of personal data before you actually start the processing.

If you use AI to make solely automated decisions about people with legal or similarly significant effects, tell them what information you use, why it is relevant and what the likely impact is going to be.

Consider using just-in-time notices and dashboards which can help to keep people informed and let them control further uses of their personal data.

Further Reading

Relevant provisions in the GDPR – See Articles 12-14, and Recitals 58 and 60-62

In more detail – ICO guidance

We have published detailed guidance on the right to be informed.

In more detail – European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. WP29 adopted guidelines on Transparency, which have been endorsed by the EDPB.