The GDPR highlights the need for transparency in the way an organization uses the individual’s data. For that matter, it establishes what information should be supplied to the data subjects, as well as when and how. This will depend on whether the controller obtained the data directly from the data subject or from another entity.

Information to be provided by the controller at the time the data has been obtained directly from a data subject:

  • controller’s identity and contact details (where applicable: controller’s EU representative)
  • DPO’s contact details (Data Protection Officer)
  • the purposes of the processing
  • legal basis for the processing
  • legitimate interest (if the processing is based on a legitimate interest)
  • recipients of the personal data (or categories of recipients)
  • intention of transferring data to a third country or international organization, including existence/absence of an adequacy decision, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
  • period of data retention (if not possible: criteria used to determine that period)
  • existence of the data subjects’ rights (access, rectification, erasure, restriction of processing, objection to processing, portability, withdrawal of consent, lodging a complaint with a supervisory authority)
  • whether the provision of personal data is a statutory, contractual or demanded requirement, as well as possible consequences of failure to provide such data
  • the existence of automated decision-making (including profiling)

Where the data has not been obtained directly from a data subject, in addition to the above, the controller needs to inform the data subjects within reasonable time about the categories of personal data concerned and the source from which the personal data originates (if applicable: whether it came from a publicly-accessible source). If the personal data is used for communication with data subjects, this information must be provided during the first communication to these data subjects.

The information must always be communicated in a concise, transparent, intelligible and easily-accessible form, using clear and plain language. Normally, it should be provided in writing (also by electronic means) or, if requested so by a data subject, orally.