Providing information to data subjects

When personal data are collected from data subjects, Article 13 and Article 14 determine that the controller needs to provide sufficient information to data subjects, whether the data is obtained directly from data subjects or indirectly from somewhere else.

Obtaining the data directly

When collecting personal data directly from data subjects, the controller has to provide the following information to data subjects at the moment of the obtaining the data:

• The controller’s identity and contact details;
• The contact details of the data protection officer (if applicable);
• The purposes and legal basis for data processing;
• The recipients of the personal data;
• The fact that the controller intends to transfer personal data outside the EU (if applicable).

Furthermore, to ensure fair and transparent processing, the controller needs to provide the following information:

• The reason why the data subject needs to provide personal data (this could be a statutory or contractual requirement or a requirement to enter into a contract), if the data subject is obliged to do so and what the consequences are for not not providing the data;
• Data storage period;
• The rights of data subjects (right to access, rectification, erasure, restriction of processing, objection to processing, data portability, the right to withdraw consent; the right to lodge a complaint with a supervisory authority);
• The existence of automated decision making (including profiling);
• Any other purposes (if the controller intends to further process the personal data for a purpose other than that for which the data was originally collected).

Obtaining the data indirectly

When obtaining personal data not directly from data subjects, the controller also has to provide sufficient information to data subjects. The information provided is similar to the information required for data directly obtaining data from data subjects (above). The major difference is that the source of obtaining such personal data needs to be identified to data subjects, for example, if personal data are obtained from publicly accessible sources.

However, the controller does not need to provide the required information, where it indirectly obtains personal data, on the condition that:

• The data subject already has the information;
• It is impossible to do so or incurs a disproportionate effort (for example in the context of processing for public interest, scientific or historical research purposes or statistical purposes);
• The obligation makes impossible or seriously impairs the achievement of the processing objectives;
• EU or Member State law provides appropriate measures to protect the legitimate interest of data subjects;
• Personal data must remain confidential subject to an obligation of professional secrecy under EU or Member State law.