There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data. Therefore, the General Data Protection Regulation (GDPR) gives individuals the right to be informed about the collection and use of their personal data, which leads to a variety of information obligations by the controller.
The law differentiates between two cases: On the one hand, if personal data is directly obtained from the data subject (Art. 13 of the GDPR) and, on the other hand, if this is not the case (Art. 14 of the GDPR).
Where data is obtained directly, the person must be immediately informed, meaning at the time the data is obtained. In terms of content, the controller’s obligation to inform includes his identity, the contact data of the Data Protection Officer (if available), the processing purposes and the legal basis, any legitimate interests pursued, the recipients when transmitting personal data, and any intention to transfer personal data to third countries. In addition, the right to be informed also includes information about the duration of storage, the rights of the data subject, the ability to withdraw consent, the right to lodge a complaint with the authorities and whether the provision of personal data is a statutory or contractual requirement. In addition, the data subject must be informed of any automated decision-making activities, including profiling. Only if the data subject is already aware of the above information it is not necessary to provide these.
If personal data is not obtained from the data subject, he or she must be provided with the information within a reasonable period of time, but at the latest after a month. In cases where the gathered information is used to directly contact the data subject, he or she has the right to be informed immediately upon being approached. As far as content is concerned, the controller has to provide the same specific information as if the personal data would have been directly obtained from the data subject. The only exception is the information about any obligations to provide the personal data, as the controller does not have the decision-making authority in this case. In addition, the controller has the obligation to inform from what sources the personal data originated, and whether it was publicly available. The data subject has a right to be informed in a precise, transparent, comprehensible and easily accessible form. The obligation to inform can be fulfilled in writing or electronic form. It is explicitly stated that so-called ‘standardised image symbols’ can also be used in order to convey a meaningful overview of the intended processing in an easily comprehended, understandable and clear form.
In the case that the personal data is not gathered from the data subject, in exceptional cases there is no obligation to inform. This applies, if providing the information is either impossible or unreasonably expensive, the gathering and/or transmission is required by law, or if the data must remain confidential due to professional secrecy or other statutory secrecy obligations.