
Providing information to data subjects

In this article Dr Bo Zhao explains what kind of information needs to be provided to data subjects.
© University of Groningen

When personal data are collected from data subjects, Article 13 and Article 14 determine that the controller needs to provide sufficient information to data subjects, whether the data is obtained directly from data subjects or indirectly from somewhere else.

Obtaining the data directly

When collecting personal data directly from data subjects, the controller has to provide the following information to data subjects at the moment of obtaining the data:

  • The controller’s identity and contact details;
  • The contact details of the data protection officer (if applicable);
  • The purposes and legal basis for data processing;
  • The recipients of the personal data;
  • The fact that the controller intends to transfer personal data outside the EU (if applicable).

Furthermore, to ensure fair and transparent processing, the controller needs to provide the following information:

  • The reason why the data subject needs to provide personal data (this could be a statutory or contractual requirement or a requirement to enter into a contract), whether the data subject is obliged to do so, and what the consequences are of not providing the data;
  • Data storage period;
  • The rights of data subjects (right to access, rectification, erasure, restriction of processing, objection to processing, data portability, the right to withdraw consent; the right to lodge a complaint with a supervisory authority);
  • The existence of automated decision making (including profiling);
  • Any other purposes (if the controller intends to further process the personal data for a purpose other than that for which the data was originally collected).

Obtaining the data indirectly

When obtaining personal data not directly from data subjects, the controller also has to provide sufficient information to data subjects. The information provided is similar to the information required when obtaining data directly from data subjects (above). The major difference is that the source of the personal data needs to be identified to data subjects, for example, if personal data are obtained from publicly accessible sources.

However, the controller does not need to provide the required information, where it indirectly obtains personal data, on the condition that:

  • The data subject already has the information;
  • Doing so is impossible or would involve a disproportionate effort (for example in the context of processing for public interest, scientific or historical research purposes or statistical purposes);
  • The obligation would make impossible or seriously impair the achievement of the processing objectives;
  • EU or Member State law provides appropriate measures to protect the legitimate interest of data subjects;
  • Personal data must remain confidential subject to an obligation of professional secrecy under EU or Member State law.
This article is from the free online

Understanding the GDPR
