The GDPR establishes information as a right of data subjects and reinforces the information the controller must make available to them to increase transparency about how their personal data will be processed.
The information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Especially convoluted descriptions and those which include references to legal texts should be avoided.
Information should be provided in writing, or by other means, including, where appropriate, electronically.
Standardised icons designed by the European Union may be used in combination with the information in order to give a meaningful overview of the intended processing.
Information that must be provided when the data are obtained from the data subject:
- Identity and contact details of the controller and, where applicable, of the controller's representative.
- Contact details of the data protection officer.
- Purposes of and legal basis for the processing.
- Legitimate interests pursued that provide a legal basis for processing, where applicable.
- Recipients or categories of recipients of the personal data, if any.
- Whether the controller intends to transfer the personal data to a recipient in a third country or international organisation, and the basis for doing so, where applicable.
- Period for which the personal data will be stored, or the criteria used to determine that period.
- Existence of the right to request access to and rectification or erasure of the data or restriction of processing concerning the data subject, and to object to processing, as well as the right to data portability.
- The right to withdraw consent at any time.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to do so.
- Right to lodge a complaint with a supervisory authority.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the consequences of such processing for the data subject.
Where the personal data have not been obtained from the data subject, in addition to the information listed above the controller must provide the data subject with the following:
- The categories of personal data concerned.
- The source from which the personal data originate and, if applicable, whether they came from publicly accessible sources.
If the data have not been obtained from the data subject, the information must be provided:
- Within one month at the latest from when the data were collected.
- In the first communication to the data subject, if the data were collected for that purpose.
- In the first communication of the data to another recipient, if such disclosure is envisaged.
The data subject need not be informed if he or she already has the information or, if the data have not been obtained from the data subject, in the following cases:
- If the provision of such information proves impossible or would involve a disproportionate effort (in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes), or is likely to render impossible or seriously impair the achievement of the objectives of that processing.
- If there is an express legal provision for the processing (collection or disclosure of the data).
- Where the personal data must remain confidential subject to an obligation of professional or statutory secrecy.