What is the Right to be Informed?

Defined in Article 13 and Article 14, the Right to be Informed is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).

Right to be Informed Summary

  • Individual data subjects have the right to be informed about the collection and use of their personal data
  • Information an organization provides to data subjects must be readily accessible and delivered in clear and plain language
  • If an organization plans to further process the personal data for purposes other than those for which the data was initially obtained, the organization needs to inform the data subject prior to any additional processing
  • Clear distinctions, and obligations, between personal data collected directly (Article 13) and personal data collected indirectly (Article 14) from the data subject
  • Closely related to the lawfulness, fairness and transparency principle and the purpose limitation principle

Business Considerations for Organizations to Understand

Right to be informed applies to:

  • personal data you sell or process in transactions with other organizations
  • personal data you buy or process in acquisitions from organizations
  • publicly accessible personal data you process
  • personal data processed using Artificial Intelligence and other treatments and sources

If personal data is collected directly from the data subject, the organization must inform the data subject at the time of the collection. If personal data is collected from other sources, not directly from the data subject, the organization must inform the data subject within a reasonable amount of time, but no later than one month from when the data was collected.

The privacy information an organization needs to provide data subjects is dependent upon the manner in which the personal data was collected. The table below indicates information to provide data subjects based upon whether or not the personal data was collected directly from the individual or indirectly. Checks indicate an affirmative determination from the organization regarding privacy information the organization will provide the data subject using one or more of the organization’s techniques.

Privacy Information | Directly Collected Personal Data | Indirectly Collected Personal Data
Organization’s name and contact information
Name and contact details of representative (if applicable)
Name and contact details of DPO (if applicable)
Purpose of the processing
Lawful basis for the processing
Legitimate interests for the processing
Categories of personal data obtained
Recipients or categories of recipients of the personal data
Details of transfers of the personal data to any third countries or international organizations
Retention periods for the personal data
Data subject rights available to individuals in respect of the processing
Right to withdraw consent
Right to lodge complaints to a supervisory authority
Source of the personal data
Details of whether individuals are under a statutory or contractual obligation to provide the personal data
Details of the existence of automated decision-making, including profiling


How should you provide privacy information to data subjects?

There are numerous techniques an organization can use to provide data subjects with privacy information, such as:

  • Layered — usually short notices containing key privacy information that expand into additional layers containing detailed information
  • Dashboards — management tools informing data subjects how their information is used, with preference controls to manage what data they allow the organization to process
  • Just-in-time notices — relevant and targeted privacy information delivered at the time personal data is collected from the data subject
  • Icons — small, meaningful, symbols that indicate the existence of a particular type of data processing
  • Mobile and smart device functionalities — includes pop-ups, voice alerts and mobile device gestures

Depending on the context and resources, organizations can choose to deliver privacy information using a single technique or multiple techniques among those above. However, a multi-technique approach is preferred and is often the most effective method to employ in providing privacy information to data subjects.