Obligations of information to the data subject
Obligations of information to the data subject – Information to be provided ex arts. 13-14, GDPR
The main aim of the GDPR is to protect the rights and fundamental freedoms of natural persons. So, it is no wonder that the controller shall be required to describe to data subjects the features of the processing of their personal data. The principles of fair and transparent processing require that the data subject shall be informed of the existence of the processing activity and its purposes. The controller shall provide any other information to the data subject to ensure that data processing is carried out fairly and with transparency and give the data subject a meaningful overview of the intended processing.
Data subjects shall know exactly the details of the processing and be aware of its context and circumstances, so that they are in a position to decide whether to provide their personal data. Data subjects shall also be informed whether they are obliged to provide their data and of the consequences if they do not provide such data.
This obligation is not new: it was already set out in the legislation in force before the GDPR, but further information on the processing is to be added.
A distinction remains between cases where data are provided by the data subject and cases where they have not been obtained from the data subject.
As a rule of thumb, where data are collected directly from the data subject, information shall be provided at the time when data are collected, not forgetting to inform the data subject if the controller intends to process data for purposes other than those for which the data are collected. These purposes shall be indicated before the processing begins. It is good practice to specify all purposes of the processing when collecting data. There may then be a residual condition which obliges the controller to inform the data subject about new purposes of processing, adding any relevant information on these new purposes.
On the other hand, the GDPR (like the previous legislation) allows the controller not to provide information to the data subject if the data subject already has knowledge of such information.
Where data are not obtained from the data subject, the controller shall also specify the origin of the data and the categories of data. When it is not possible to specify the source because data have been collected from several sources, general information shall be provided. If data are obtained from third parties, information shall be provided within a reasonable time and, in any event, within one month at the latest. Information can be provided at the first communication with the data subject or, if a disclosure to third parties is envisaged, before the disclosure takes place.
How to provide information
Information shall be provided concisely, in clear and plain language, and in an easily accessible form; where appropriate, visualisation shall be used. Information shall be provided in writing but also orally, such as when data are collected via phone: in that case it is given concisely, and full information is provided by redirecting the data subject to a website or by using other instruments which allow the data subject to know all the details required by the GDPR. Such information can be provided in electronic form, for example, when addressed to the public, on a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purposes personal data are being collected (such as in the case of on-line advertising).
The GDPR makes provision for standardised icons to be provided in combination with such information, in an easy, legible and intelligible manner and, if used on-line, in machine-readable form. Delegated acts of the Commission shall be adopted to define these icons and the procedures for providing them.
In the context of information, there shall be a specific reference to the rights that data subjects can exercise to control the processing activities concerning their data.