Right To Be Informed (General Data Protection Regulation)

What is the right to be informed under GDPR?

What privacy information should companies provide data subjects?

How does a company comply with the data subject’s right to be informed?

What’s the consequence of failing to provide the privacy disclosure to individuals before processing their personal data?

In this article, we will break down the GDPR concept of the right to be informed so you are equipped with all the proper information.

Are you ready?

Let’s get started!

What is the right to be informed?

The right to be informed relates to the right of individuals to be educated as to why their personal data is needed for processing, how a company will use the data and what will be done with it.

When a company intends to collect personal data from a data subject, it must provide clear and concise information as to the purpose of its data processing activities.

GDPR gives data subjects rights over their personal data so they can remain in control.

The eight GDPR individual rights are:

1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure or right to be forgotten
5. Right to restrict processing
6. Right to data portability 
7. Right to object
8. Rights related to automated decision-making including profiling

Right to be informed as defined under GDPR

Article 13 GDPR and Article 14 GDPR define the individual right to be informed.

This is also called the right to get privacy information.

Companies must provide, at a minimum, the information required under Articles 13 and 14 of GDPR.

Let’s have a look at each of these articles.

Disclosures when personal data is collected from the data subject

When a company needs to collect personal information directly from a data subject, it must observe the requirements of Article 13 GDPR.

Pursuant to Article 13, an organization must ‘inform’ the data subject of the following:

1. Company name and address
2. Contact of data protection officer 
3. Purpose of data processing
4. The lawful basis for processing data
5. Who may receive the personal data
6. Will data be transferred to a third country
7. For how long data will be stored
8. Notification of the data subject rights on their data
9. Notification that consent may be withdrawn
10. Complaint possibility to the supervisory authorities 
11. Notification of any legal or contractual requirements obliging the data subject to give data
12. The existence of any automated decision-making and logic, if any

Disclosures when personal data is collected from a source other than the data subject

When a company receives and processes personal information from a source other than the data subject, it must observe the requirements of Article 14 GDPR.

Pursuant to Article 14 GDPR, an organization must ‘inform’ the data subject of the following:

1. Company name and address
2. Contact of data protection officer 
3. Purpose of data processing
4. The lawful basis for processing data 
5. Who may receive the personal data
6. Will data be transferred to a third country
7. For how long data will be stored
8. Notification of the data subject rights on their data
9. Notification that consent may be withdrawn
10. Complaint possibility to the supervisory authorities 
11. From what source the personal data originates from and if it came from a publicly accessible source 
12. The existence of any automated decision-making and logic, if any

Difference between Article 13 and Article 14 GDPR

The substance of the information companies need to disclose and provide to data subjects pursuant to Article 13 and Article 14 GDPR is the same.

The difference is the following:

1. Article 13 GDPR: the company must notify if the data subject is obligated to provide information that the company must collect further to a legal obligation or contractual obligations
2. Article 14 GDPR: the company must inform the data subject the source of where they obtained the person’s data

Importance of the GDPR right to be informed

GDPR’s right to be informed is important in forcing organizations to be transparent with data subjects.

Gone are the days when companies presented broad and ambiguous information to individuals to extract their personal data and use the data to their advantage or monetize it without regard to the risk to the data subject.

The information right is closely linked to the GDPR principles, particularly the principle of transparency.

How can a company satisfy its duty to inform the data subject?

A company can satisfy its duty to inform the data subject by providing the privacy information required by GDPR at the time of personal data collection.

If a company obtains personal information from another source, it must inform the data subject of its processing activities within a reasonable timeline and not exceeding 30 days.

Companies must also be able to prove that they fulfilled their duty of information with regards to the data subject.

As such, it is recommended that companies ensure the data subject is prompted to take note of the disclosure or can easily access the information.

What are the exceptions to providing privacy information to data subjects?

Generally speaking, to satisfy the data subject’s right to be informed, companies must provide the disclosure of information as required by GDPR.

There are some exceptions to this rule.

In some cases, companies may be exempt from providing the mandatory disclosure.

Here are the exceptions to the rule:

1. The data subject is already informed
2. It’s impossible to notify the individual
3. The effort to notify the individual will be disproportionate 
4. Providing the disclosure will adversely affect the objective of the processing
5. The law requires the disclosure 
6. There is an obligation of professional secrecy by law

In such cases, data can be processed without having to make any specific disclosures to the individuals.

When should a company provide the necessary disclosure to the data subject?

When personal data is collected directly from the data subject, further to the data subject’s right to be informed, the privacy information must be given at the time of data collection.

After the company has collected personal information, if the processing purpose changes, it must provide the necessary disclosures again and obtain the data subject’s consent if the lawful processing is based on consent.

When personal data is obtained from a source other than the data subject, then the company must:

1. Provide the privacy information to the data subject within a reasonable period of time but no later than 30 days
2. If the company will use the personal data to communicate with the data subject, the disclosure must be made at the moment of the first communication
3. If the company intends to transfer the information to a third party, it must provide the disclosure to the data subject by when they intend to disclose the data

Drafting privacy information

To draft a company’s privacy information, the first step is to understand what personal information is needed for what purpose.

When an organization can specifically define what data is needed, for how long and for what purpose, it can provide clear and concise information to the data subject about the processing activity.

The idea is to let data subjects know what information is needed and what’s going to be done with it. 

The actual drafting of the privacy information should follow the GDPR guidelines.

It must be clear, easy to understand, intelligible and using plain language.

The privacy information should be drafted in such a way that an average person can understand it.

Avoiding legal or technical jargon, avoiding long-winded texts and an overwhelming level of detail will generally work to a company’s advantage.

Different ways of informing data subjects

The Information Commissioner’s Office of UK outlines a few interesting ways and methods to provide the privacy disclosure to data subjects.

ICO lists the following:

• “A layered approach – short notices containing key privacy information that have additional layers of more detailed information.
• Dashboards – preference management tools that inform people how you use their data and allow them to manage what happens with it.
• Just-in-time notices – relevant and focused privacy information delivered at the time you collect individual pieces of information about people.
• Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.
• Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.”

Companies can be innovative and use technology and available means to comply with GDPR while improving the user experience.

What’s the consequence of failing to provide privacy information?

Article 83 GDPR empowers the supervisory authorities to issue administrative fines in the event of non-compliance or the infringement of GDPR.

Depending on the nature of the infringement, GDPR classifies it in two categories.

One category is for serious infringement to GDPR whereby the fines can reach the greater of €20,000,000 or 4% of a company’s global annual turnover. 

The other category is for less serious infringement cases where fines can reach the greater of €10,000,000 or 2% of a company’s global annual turnover.

Failure to provide the privacy disclosure to a data subject is considered a serious breach of GDPR (Article 83(5)(b) GDPR) and as such will expose a company to the greater of €20,000,000 or 4% of a company’s global annual turnover.

As a result, the GDPR fines for infringing Article 13 and 14 can be quite costly!

GDPR Official Text

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Article 13 GDPR

1.  Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2.  In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3.  Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4.  Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information

GDPR recitals related to Article 13

Recital 60. The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Recital 61. The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

Recital 62. However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

Article 14 GDPR

1.  Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2.  In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(c)  the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3.  The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4.  Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5.  Paragraphs 1 to 4 shall not apply where and insofar as:

(a)  the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

GDPR recitals related to Article 14

Recital 60. The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Recital 61. The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

Recital 62. However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

Additional resources on the right to be informed

1. Right to be informed by the Information Commissioner’s Office of UK
2. Privacy notices, transparency and control by the Information Commissioner’s Office of UK
3. Rights of Individuals Under GDPR – The Right To Be Informed by the Data Protection Commission of Ireland 
4. Working Party’s Guidelines on Transparency 

What information must be given to individuals whose data is collected? By the European Commission