This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.

This issue focuses on the provision of information to data subjects. The provision of accurate and clear information is one of the data controller's main obligations. The GDPR aims to enhance the transparency of data processing for data subjects and therefore extends the categories of information to be provided to them. This information can be communicated by means of a privacy policy or other document. However, to ensure lawful data processing, information may need to be provided by means of a layered approach (e.g. a notice in addition to a privacy policy).

Skip to the end for an overview of the main takeaways and to do's.

General principles on the provision of information to data subjects

  • Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The intended public (e.g. children) should be taken into account.

  • Information may be provided in writing or by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

  • The information may be provided with standardized icons. However, the GDPR does not provide for such icons.

Information to be provided when personal data are collected directly from the data subject

The following information must be provided when personal data are collected directly from the data subject:

  • the identity and contact details of the controller and, where applicable, the controller's representative;

  • the contact details of the data protection officer, where applicable;

  • the purposes of the processing for which the personal data are collected as well as the legal basis for the processing;

  • where the processing is based on a legitimate interest, the legitimate interests pursued by the controller or third party;

  • the recipients or categories of recipients of the personal data, if any;

  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission or, for transfers based on other safeguards (such as standard contractual clauses or binding corporate rules), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available; if the transfer is based on a legitimate interest of the controller, this information should also be included;

  • the period for which the personal data will be stored or, if this information is not known, the criteria used to determine this period;

  • the data subject's right to request from the controller access to and the rectification or erasure of personal data or a restriction on processing concerning the data subject or to object to the processing (including the right to object to processing for direct marketing purposes) as well as the right of data portability;

  • where the processing is based on consent, the data subject's right to withdraw consent at any time, without affecting the lawfulness of any processing based on consent carried out prior thereto;

  • the right to lodge a complaint with a supervisory authority;

  • whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences for failure to do so;

  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The information must be provided upon collection of the personal data. Please note that information regarding the right to object to the processing for direct marketing purposes must be presented clearly and separately from all other information.

Information to be provided when personal data are not collected directly from the data subject

In addition to the information listed above, the data controller must also indicate from which source the personal data originate and, if applicable, whether they originate from publicly accessible sources.

The information must be provided:

  • within a reasonable period after obtaining the personal data and in any case no later than one month, having regard to the specific circumstances in which the personal data are processed;

  • if the personal data are to be used to communicate with the data subject, no later than the time of the first communication; or

  • if disclosure of the personal data to another recipient is envisaged, no later than the first such disclosure.

Information to be provided in the event of further processing

If the controller intends to further process the personal data for a purpose other than that for which the data were initially collected, it must first provide the data subject with information about the purpose of the further processing along with any other relevant information.

Exceptions to the duty to inform

Where personal data are collected from the data subject, the data controller is released from its duty to inform if the data subject is already in possession of the information in question.

Where personal data are not collected directly from the data subject, the data controller is released from its duty to inform if:

  • the data subject is already in possession of the information;

  • the provision of information proves impossible or would involve disproportionate efforts, in particular in the context of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) GDPR such as data minimisation, or insofar as the information obligation is likely to render impossible or seriously impair achievement of the objectives of the processing; in such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

  • obtaining or disclosure of the information is expressly laid down by EU or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or

  • the personal data must remain confidential pursuant to a duty of professional secrecy regulated by EU or Member State law, including a statutory duty of secrecy.

Takeaways and to do's


Relevant provisions

Recitals 58, 60, 61, 62 and 70; Articles 13 and 14