Right to information. Catalan Data Protection Authority

You have the right to have the entity that wants to process your data inform you about a series of issues relating to the processing.

When the data has been provided by you directly

In this case, they must inform you about:

The identity and contact details of the data controller entity and, where appropriate, of its representative.
Contact details of the data protection officer, if applicable.
Purposes of the processing for which your data is intended and the legal basis for carrying it out. If the legal basis is the legitimate interest, it must be specified.
Recipients or categories of data recipients (third parties to whom your data is communicated), if applicable.
The intention to transfer the data to a third country or an international organisation and the basis for doing so, if applicable.
Term during which the data will be kept, or the criteria to determine it.
The right to request access to your data, rectification or deletion of data, limitation of processing, opposition to processing and portability of data.
When the processing is based on consent, the right to withdraw it at any time.
The right to lodge a complaint with a supervisory authority.
If they collect your data as a legal requirement or for contractual obligations or as a necessary requirement to enter into a contract, and if you are obliged to provide them and about the consequences of not doing so.
The existence of automated decisions, including profiling, and information about the logic applied and its consequences.

If you have not provided the data

In addition to the previous questions, if they have obtained the data by other means, they must inform you of:

The categories of personal data that are processed.
The source from which the data comes and, if applicable, whether it comes from publicly accessible sources.

Clear and concise information

The information must be concise, transparent, understandable and easily accessible, with clear and simple language, especially when the information is addressed to minors. Convoluted formulations and references to legal texts must be avoided. It must also be provided to you in writing or by other means, including electronic ones.

Deadline for reporting the processing

In the event that the information has not been provided by you directly, the entity that processes your data must inform you about the processing:

Within the maximum period of one month since the data were obtained.
In the initial communication with you, if the data has been collected for this purpose.
In the initial communication of the data to another recipient, if this communication is planned.

When you don't need to be informed

The entity does not need to inform you of the processing if you have already been informed beforehand. If the data does not come from you directly, the entity does not have to inform you in the following cases:

If it is impossible or involves a disproportionate effort (in particular, in the case of processing for archival or statistical purposes or scientific or historical research), or makes it impossible or seriously hinders the objectives of the processing.
If there is an express legal provision for the processing.

If there is a legal or professional secrecy obligation.

Highlights

Article 29 Working Party Guidelines on transparency under Regulation 2016/679